Data Protection Guidance Disclosure of students` data 1

advertisement
Data Protection Guidance
Disclosure of students’ data
1. Introduction
Deciding whether to disclose information to a third party can be difficult. The general principle should be that
information about students is confidential to the University and to the individual student unless a legitimate
reason to disclose exists. The information below should help you to consider each request on its individual
merits.
2. General Principles for all Enquiries
i.
Verify the identity of the Enquirer
In all cases take reasonable steps to confirm the identity of the enquirer. The level of checking necessary will
vary according to the sensitivity of the information being sought. Things that can be checked include the use of
headed paper, organisational email addresses (J.Bloggs@exeter.ac.uk not J.Bloggs@gmail.co.uk), or you can call
the switchboard of the third party and ask to be put through.
ii.
Disclose only what is necessary
When convinced that it is appropriate to release information disclosure should be of only such information as is
required for the specific purpose.
iii.
Overseas enquirers
Take extra care when disclosing personal information to an enquirer based outside the European Economic Area
(EEA). This is because the disclosure of information may qualify as a transfer of personal information outside of
the EEA and you are likely to require the student's consent.
iv.
Passing on messages
Where you are unable to disclose contact information directly to a third party you may wish to pass on a
message direct to a student. Where possible you should inform to enquirer that (if the individual is a student)
you will attempt to contact them directly.
In some circumstances following an enquiry from a third party it may be necessary to contact the student for
example if you obtain information indicating “identity theft,” as long as there are legitimate and valid reasons
for doing so in these circumstances you are able (and should) contact the student.
Occasionally, an enquirer may request that a message is not passed on, these request will normally be fulfilled
e.g. to ensure that a police investigation is not damaged.
3. Different types of Requesters
Version 1.0
October 2011
Certain organisations are entitled, under law, to obtain information about our students, where a request is
made on the grounds that disclosure is required by law the person making the request should be able to specify,
preferably in writing, the provisions under which the request is made, or to produce the court order.
In other cases third parties may have a legitimate need to access information, students are made aware of a
range of disclosures which may be made and for which there is no need to obtain consent. The information
below provides details of different organisations who may request information.
i.
Universities and Colleges Admissions Service (UCAS), Higher Education Funding Council for England
(HEFCE), Higher Education Statistics Agency (HESA), Regulatory bodies
Students are informed at registration that the University will disclose information to these bodies. Disclosure of
relevant information is permitted.
Other regulatory bodies such as the General Teaching Council may require information about relevant students
who have graduated, in order to enable them to be registered to practice. This is in their legitimate interests
and can be disclosed.
ii.
Police
There is no general legal requirement to disclose information to the police unless they are able to provide a
court order. Caution should therefore be exercised in assessing whether a particular enquiry by the police. The
Police should be asked to submit a request in writing (under Section 29 of the DPA) and which should specify
what information they require and provide enough information for the University to determine that the Police
require the information in order to carry out their investigation. The University does not want to disrupt
legitimate investigations and if convinced that the disclosure is necessary information can be released, records
should be kept of what information was disclosed.
iii.
National Health Service
In certain circumstances, information about students may be shared with the NHS and NHS staff working in a
teaching capacity for the University. For example, students being taught by NHS clinical teachers will expect
information to be disclosed to the appropriate person to allow for the administration of their studies and to
monitor their performance and attendance.
The NHS have their own Counter Fraud department which may request information to help with their
investigations, there is no automatic right of access but information can be released as long as the request is
specific to a named individual and we are convinced that the information requested is necessary for the
prevention and detection of crime.
iv.
Exeter Students Guild
The Students’ Guild is an independent body with its own Notification under the Data Protection Act. Obviously
it has strong links with the University and at times it will be necessary for the University to disclose information.
Version 1.0
October 2011
The University and the Guild have a formal agreement outlining what information can be shared; information
should only be shared in accordance with this agreement.
v.
Local Education Authorities (LEAs)
Local Education Authorities may contact the University requesting information regarding students’ mode of
study (part-time, full-time), length of programme (including extensions), location of study, interruptions etc.
These are legitimate requests and once the identity of the enquirer is verified the information can be disclosed.
vi.
Parents
Parents have no right of access to information held by the University. No personal data should be disclosed to
parents unless they have been nominated in writing by the student or in exceptional (life or death)
circumstances.
vii.
Nominated individual
In some circumstances a student may nominate a parent or third party to liaise with the University about certain
issues. For example, students can nominate an individual, with whom Student Fees can discuss the payment of
fees. Any request for the University to discuss issues directly with a third party must be specific – we cannot
accept requests to discuss ‘everything with my parents’ as this may result is the University disclosing
information which the student had not considered. Rather the request must outline exactly what we can discuss
and with whom.
Where Solicitors are working on behalf of a student the University expects the Solicitor to provide a signed
consent form from the student before any information is disclosed. Steps should be taken to check the
authenticity of consent forms (e.g. comparing signatures with our records), if there is doubt a message can be
sent direct to the student informing them of the request that we have received.
viii.
Sponsors
Students are informed at registration that limited information relating to academic progress may be released to
sponsors, loan organisations and scholarship schemes to enable such organisations to establish eligibility for the
sponsorship etc. As long as the request is from a legitimate sponsor who has valid reasons for requiring
information limited information can be disclosed.
ix.
Other staff
Personal information can normally be shared with colleagues as long as they have a business need to know.
There is an exception for any sensitive personal data (information relating to physical/mental health, ethnicity,
religious/political opinions, sexual orientation etc) for which you will normally require explicit consent from the
student before disclosure, if it is in the vital interests of the student to pass on the information you may do so.
x.
Solicitors
Version 1.0
October 2011
In the event of actual or potential legal proceedings disclosures can be made to the University's solicitors, this is
in the legitimate interests of the University and consent is not required.
xi.
UK Border Agency (UKBA)
At registration International students are told that personal information including information about enrolment,
attendance and progress at the University may be passed to the UK Border Agency for purposes connected with
immigration. The UKBA should make a formal request for specific information (e.g. about a named student)
who they are investigating. The request should include a case or reference number and details of the
investigating officer.
xii.
Students
Individual students have the right to access their own personal data, where a formal request is received from a
student or someone acting on behalf of a student (with signed consent forms) the University will provide copies
of the information held, for a minimal fee of up to £10. Requests for individual documents can be dealt with
directly, however where the request is for all information or appears to be complex these should be forwarded
to the Records Management department.
xiii.
PCMD/INTO/Partner universities
Students regularly study at other universities and it is necessary to share information with these institutions to
allow the academic achievements of students to be validated. Students are informed at registration that this
information will be shared. Therefore information that ‘needs’ to be shared can be.
4. Different types of Information being requested
There are different issues to consider depending upon the type of information being requested.
i.
Student Status
Enquirers may ask whether a named person is a student at the University, unless the enquirer has a legitimate
right to the information as explained above (e.g. LEA), we should refuse to confirm or deny whether the
individual is a student.
ii.
Student contact details
Unless covered by a legitimate/legal right to access the information we should not release a student’s contact
details. Do not confirm or deny that a student is attending or has attended the University. If appropriate you
can offer to pass on a message if you are able to identify the student.
iii.
Award verification
Students may request transcripts detailing their degree results and examinations passed. Requests from
students are handled by Registry Services.
Version 1.0
October 2011
Lists of graduating students are published in Degree Day brochures and we inform students that:
“At the end of your programme of studies, we will disclose information about your award to third parties who have a
legitimate interest, without further recourse to you. For example, we may disclose this information to a prospective
employer or education provider, or may notify your previous school or college of your award.”
Therefore we can confirm the names, year and programme of graduation to a legitimate enquirer. Where a
legitimate enquirer has requested that we confirm details of an award classification we should carefully verify
the identity of the enquirer and their reasons for requesting the information before providing confirmation.
False Claims: Where an individual is falsely claiming to have an award from the University we are able to disclose
information in order to protect the University from misrepresentation and to ensure the integrity of our awards.
Therefore where no award has been achieved or a different classification is being claimed the University should
state that the there is no record of the students or that the information does not match our records. We should
not disclose what award was actually achieved but merely confirm if the award being questioned was achieved.
The University can write to the individual concerned telling them what information has been supplied to the
enquirer and highlighting any discrepancies and at the same time requesting that they cease making incorrect
and false claims. Concerns should be discussed with Legal Services.
iv.
Student references
Members of staff may provide references for a student to potential employers or other academic institutions as
long as steps have been taken to ensure that the request is genuine. References should not contain any
sensitive personal data.
v.
Statistical information
Statistical information can be disclosed if it has been fully anonymised. In producing statistical information, all
reasonable care must be taken to ensure that information about identifiable students is not published and that
it is not possible to deduce the identity of students through the combination of multiple published datasets.
Where data contains groups of less than 5 students careful consideration should be given before publishing, this
matches with HESAs policy to publish in multiples of 5.
vi.
Ethnicity, sexual orientation, religion or disability
As a general rule we should not provide information about students' ethnicity, sexual orientation, religion or
disability to any external enquirer unless we are required to do so by law or we have the explicit consent of the
individual concerned.
Version 1.0
October 2011
Download