Data Protection FAQs
Summary of issues raised at Data Protection training – December, 2007
Q.
Is there a legal requirement to disclose names and addresses to
Electoral Registration Officers? Should students be informed of this?
A.
Electoral Registration Officers do have powers under the Representation of
the People Regulations 2001 (section 23(1)) to require the University to
provide the names of addresses of students in University accommodation.
However, if you receive this kind of request it is important that the request is
made in writing and that it confirms 1) that the person is the designated
Electoral Registration Officer and 2) which powers they are using to request
the information.
Students are already informed in the Data Protection Statement that we may
disclose information where there is a legal obligation to do so.
Q.
Is a list of business names and addresses personal data? We have just
purchased a list of businesses (with business names only) – do we need
to write to everyone on the list?
A.
Names of businesses where the business name is the same as the name of
the owner (e.g. Fred Bloggs Ltd) do constitute personal data. For these
businesses, we must write to them setting out how we will use their data. We
must also ask for their consent to use their data for marketing purposes. For
other businesses no action is needed.
Q.
If we put a notice on a lecture room door to say that the lecturer is off
sick today, is this a disclosure of sensitive personal data?
A.
Guidance from the Information Commissioner has made clear that simply
stating that someone is off sick is not sensitive personal data, but providing
details of someone’s illness is. So it is acceptable to say ‘Prof x is off sick
today’ but not ‘Prof x is off sick with flu’.
Q.
Equal Opportunities monitoring reports which are available to students
may refer to an individual ethnic minority student. Although the student
is not named, it would be easy for other students to realise who they are
– is this acceptable?
A.
This could be a disclosure of sensitive personal data. If possible, you should
try to avoid including information in the report which cannot be anonymised
(e.g. where it is obvious you are referring a particular individual). If this is not
possible, you need to let the student concerned know what information you
will be including and check they are happy with it.
Q.
Currently accommodation reports on notice boards may inadvertently
reveal personal data if they refer to issues relating to particular rooms.
Is this acceptable?
A.
It’s possible that these reports may sometimes include personal data. The Act
doesn’t prevent this, but it does require us to inform students in advance that
reports will be published on noticeboards with an explanation of the kind of
information which will be included (this could be done, for example, via an
accommodation handbook). The reports should not include students’ names
and as far as possible should avoid mentioning any personal details about the
student.
Q.
Information about students displayed on noticeboards or on Blackboard
– e.g. list of marks even if anonymised by student numbers. Is this
acceptable?
A.
It is generally preferable for student marks to be provided by post rather than
posted on a noticeboard or via Blackboard. However, if there is a real need to
publish marks in this way the Act doesn’t prevent it as long as the student’s
details are anonymised (e.g. an ID number which no-one is likely to know)
and the students have been informed in writing that this will happen. Students
also have the right to ‘opt-out’ if they are not happy with this approach.
Q.
How long should information on students be kept?
A.
Guidance is currently being developed on this and should be available within
the next few months. The recommended retention period depends on the type
of information so it is difficult to provide a straightforward answer.
Q.
Handwritten notes from meeting? Can you destroy your notes once you
have written them up?
A.
Yes, it is good practice to destroy your notes once the minutes of the meeting
have been confirmed. See the Committee Handbook for further advice on the
management of Committee records (available from the Secretariat).
Q.
If information is provide to the Police, should we inform the person that
this has happened?
A.
This depends on the circumstances and the decision would be made at a
senior level. There is an exemption under the Data Protection Act which
means we do not have to inform the individual if this could prejudice a
criminal investigation. The University is currently developing a procedure on
dealing with requests from the Police and more information on this will be
provided shortly.
Q.
What facilities do we have for checking if a request for marks was
genuine and if the student is happy with us disclosing that information?
A.
When students register with us they sign to say they agree to the University
using their personal data in line with the University’s Data Protection
Statement. This includes the disclosure of information to potential employers
and course providers (usually to confirm qualifications or grades). As long as
there is no reason to suspect that the request is not genuine and the
employer/course provider has provided a signed consent form from the
student then it is acceptable to disclose the information. It is only necessary to
make further checks if there is some reason to doubt the authenticity of the
request.