Data Protection Guidance Disclosure of students’ data 1. Introduction Deciding whether to disclose information to a third party can be difficult. The general principle should be that information about students is confidential to the University and to the individual student unless a legitimate reason to disclose exists. The information below should help you to consider each request on its individual merits. 2. General Principles for all Enquiries i. Verify the identity of the Enquirer In all cases take reasonable steps to confirm the identity of the enquirer. The level of checking necessary will vary according to the sensitivity of the information being sought. Things that can be checked include the use of headed paper, organisational email addresses (J.Bloggs@exeter.ac.uk not J.Bloggs@gmail.co.uk), or you can call the switchboard of the third party and ask to be put through. ii. Disclose only what is necessary When convinced that it is appropriate to release information disclosure should be of only such information as is required for the specific purpose. iii. Overseas enquirers Take extra care when disclosing personal information to an enquirer based outside the European Economic Area (EEA). This is because the disclosure of information may qualify as a transfer of personal information outside of the EEA and you are likely to require the student's consent. iv. Passing on messages Where you are unable to disclose contact information directly to a third party you may wish to pass on a message direct to a student. Where possible you should inform to enquirer that (if the individual is a student) you will attempt to contact them directly. In some circumstances following an enquiry from a third party it may be necessary to contact the student for example if you obtain information indicating “identity theft,” as long as there are legitimate and valid reasons for doing so in these circumstances you are able (and should) contact the student. Occasionally, an enquirer may request that a message is not passed on, these request will normally be fulfilled e.g. to ensure that a police investigation is not damaged. 3. Different types of Requesters Version 1.0 October 2011 Certain organisations are entitled, under law, to obtain information about our students, where a request is made on the grounds that disclosure is required by law the person making the request should be able to specify, preferably in writing, the provisions under which the request is made, or to produce the court order. In other cases third parties may have a legitimate need to access information, students are made aware of a range of disclosures which may be made and for which there is no need to obtain consent. The information below provides details of different organisations who may request information. i. Universities and Colleges Admissions Service (UCAS), Higher Education Funding Council for England (HEFCE), Higher Education Statistics Agency (HESA), Regulatory bodies Students are informed at registration that the University will disclose information to these bodies. Disclosure of relevant information is permitted. Other regulatory bodies such as the General Teaching Council may require information about relevant students who have graduated, in order to enable them to be registered to practice. This is in their legitimate interests and can be disclosed. ii. Police There is no general legal requirement to disclose information to the police unless they are able to provide a court order. Caution should therefore be exercised in assessing whether a particular enquiry by the police. The Police should be asked to submit a request in writing (under Section 29 of the DPA) and which should specify what information they require and provide enough information for the University to determine that the Police require the information in order to carry out their investigation. The University does not want to disrupt legitimate investigations and if convinced that the disclosure is necessary information can be released, records should be kept of what information was disclosed. iii. National Health Service In certain circumstances, information about students may be shared with the NHS and NHS staff working in a teaching capacity for the University. For example, students being taught by NHS clinical teachers will expect information to be disclosed to the appropriate person to allow for the administration of their studies and to monitor their performance and attendance. The NHS have their own Counter Fraud department which may request information to help with their investigations, there is no automatic right of access but information can be released as long as the request is specific to a named individual and we are convinced that the information requested is necessary for the prevention and detection of crime. iv. Exeter Students Guild The Students’ Guild is an independent body with its own Notification under the Data Protection Act. Obviously it has strong links with the University and at times it will be necessary for the University to disclose information. Version 1.0 October 2011 The University and the Guild have a formal agreement outlining what information can be shared; information should only be shared in accordance with this agreement. v. Local Education Authorities (LEAs) Local Education Authorities may contact the University requesting information regarding students’ mode of study (part-time, full-time), length of programme (including extensions), location of study, interruptions etc. These are legitimate requests and once the identity of the enquirer is verified the information can be disclosed. vi. Parents Parents have no right of access to information held by the University. No personal data should be disclosed to parents unless they have been nominated in writing by the student or in exceptional (life or death) circumstances. vii. Nominated individual In some circumstances a student may nominate a parent or third party to liaise with the University about certain issues. For example, students can nominate an individual, with whom Student Fees can discuss the payment of fees. Any request for the University to discuss issues directly with a third party must be specific – we cannot accept requests to discuss ‘everything with my parents’ as this may result is the University disclosing information which the student had not considered. Rather the request must outline exactly what we can discuss and with whom. Where Solicitors are working on behalf of a student the University expects the Solicitor to provide a signed consent form from the student before any information is disclosed. Steps should be taken to check the authenticity of consent forms (e.g. comparing signatures with our records), if there is doubt a message can be sent direct to the student informing them of the request that we have received. viii. Sponsors Students are informed at registration that limited information relating to academic progress may be released to sponsors, loan organisations and scholarship schemes to enable such organisations to establish eligibility for the sponsorship etc. As long as the request is from a legitimate sponsor who has valid reasons for requiring information limited information can be disclosed. ix. Other staff Personal information can normally be shared with colleagues as long as they have a business need to know. There is an exception for any sensitive personal data (information relating to physical/mental health, ethnicity, religious/political opinions, sexual orientation etc) for which you will normally require explicit consent from the student before disclosure, if it is in the vital interests of the student to pass on the information you may do so. x. Solicitors Version 1.0 October 2011 In the event of actual or potential legal proceedings disclosures can be made to the University's solicitors, this is in the legitimate interests of the University and consent is not required. xi. UK Border Agency (UKBA) At registration International students are told that personal information including information about enrolment, attendance and progress at the University may be passed to the UK Border Agency for purposes connected with immigration. The UKBA should make a formal request for specific information (e.g. about a named student) who they are investigating. The request should include a case or reference number and details of the investigating officer. xii. Students Individual students have the right to access their own personal data, where a formal request is received from a student or someone acting on behalf of a student (with signed consent forms) the University will provide copies of the information held, for a minimal fee of up to £10. Requests for individual documents can be dealt with directly, however where the request is for all information or appears to be complex these should be forwarded to the Records Management department. xiii. PCMD/INTO/Partner universities Students regularly study at other universities and it is necessary to share information with these institutions to allow the academic achievements of students to be validated. Students are informed at registration that this information will be shared. Therefore information that ‘needs’ to be shared can be. 4. Different types of Information being requested There are different issues to consider depending upon the type of information being requested. i. Student Status Enquirers may ask whether a named person is a student at the University, unless the enquirer has a legitimate right to the information as explained above (e.g. LEA), we should refuse to confirm or deny whether the individual is a student. ii. Student contact details Unless covered by a legitimate/legal right to access the information we should not release a student’s contact details. Do not confirm or deny that a student is attending or has attended the University. If appropriate you can offer to pass on a message if you are able to identify the student. iii. Award verification Students may request transcripts detailing their degree results and examinations passed. Requests from students are handled by Registry Services. Version 1.0 October 2011 Lists of graduating students are published in Degree Day brochures and we inform students that: “At the end of your programme of studies, we will disclose information about your award to third parties who have a legitimate interest, without further recourse to you. For example, we may disclose this information to a prospective employer or education provider, or may notify your previous school or college of your award.” Therefore we can confirm the names, year and programme of graduation to a legitimate enquirer. Where a legitimate enquirer has requested that we confirm details of an award classification we should carefully verify the identity of the enquirer and their reasons for requesting the information before providing confirmation. False Claims: Where an individual is falsely claiming to have an award from the University we are able to disclose information in order to protect the University from misrepresentation and to ensure the integrity of our awards. Therefore where no award has been achieved or a different classification is being claimed the University should state that the there is no record of the students or that the information does not match our records. We should not disclose what award was actually achieved but merely confirm if the award being questioned was achieved. The University can write to the individual concerned telling them what information has been supplied to the enquirer and highlighting any discrepancies and at the same time requesting that they cease making incorrect and false claims. Concerns should be discussed with Legal Services. iv. Student references Members of staff may provide references for a student to potential employers or other academic institutions as long as steps have been taken to ensure that the request is genuine. References should not contain any sensitive personal data. v. Statistical information Statistical information can be disclosed if it has been fully anonymised. In producing statistical information, all reasonable care must be taken to ensure that information about identifiable students is not published and that it is not possible to deduce the identity of students through the combination of multiple published datasets. Where data contains groups of less than 5 students careful consideration should be given before publishing, this matches with HESAs policy to publish in multiples of 5. vi. Ethnicity, sexual orientation, religion or disability As a general rule we should not provide information about students' ethnicity, sexual orientation, religion or disability to any external enquirer unless we are required to do so by law or we have the explicit consent of the individual concerned. Version 1.0 October 2011