Data Protection

Disclosing data to third parties

Exercise caution when dealing with requests for personal information from outside the University.

Disclosure formats

Personal data should only be disclosed over the telephone in emergencies. When personal data is included in an email, the email should be password protected and where appropriate encrypted.

Requests from public and official bodies

When dealing with routine type queries from public and official bodies, such as Local Education Authorities (LEAs) or equivalent, you need to be convinced that:

  • the person is who he/she says he/she is
  • the enquiry is genuine
  • the student in question is clearly identified.

If in any doubt as to the authenticity of the enquiry, seek advice from a senior member of Student Records and Examinations Office or by emailing the Data Protection team at dataprotection-queries@lists.bath.ac.uk.

Unless you are familiar with named staff at bodies such as Local Education Authorities, it is advisable to ask for a main switchboard number to phone them back to ensure the legitimacy of a query.

Requests in writing should be on official headed paper. Keep a record of all telephone calls with any other correspondence and a copy of the outgoing letter.

Once the legitimacy of the request is established the requested information should be made available.

Requests from the police

The police do occasionally ask for personal data as part of an inquiry but they don’t have the automatic right to receive information about our staff or students. You should not be pressured into handing over personal information. There is a special process to allow the police to access personal data for certain crime-related purposes. The request should be referred to the Data Protection team.

Requests from other third parties

You should not disclose any information about an individual without written and signed permission from the individual. Do not even confirm that a student is registered at the University of Bath. You can, without implying that a student of the name given is registered, agree to attempt to pass on a letter or message to them, but do not give out addresses or contact details.

If a third party claims that it is vital to have an answer or to contact an individual immediately, take their details and seek assistance from a senior member of SREO staff or the Data Protection team.

Third party processors

If the University has to disclose personal data to a third party, either for them to process date on our behalf (for example, to conduct a questionnaire for us) or as part of an agreement we have entered into with them (for example, sending student data to another institution about exchange students), the University must have a written contract in place with the other party.

The contract will ensure that the third party processor will only process the personal data in accordance with our instructions and will comply with the Data Protection Act. The Data Protection Officer can draft data sharing agreements when needed.

Sending personal data outside the European Economic Area (EEA)

The Act states that personal data should not be sent to countries outside the EEA which do not have an adequate level of data protection, unless the individual consents, or there is other good reason as set out under the Act, for example, for the performance of a contract between the individual and the University.

Consent from the individual should always be obtained before their personal data is sent outside the EEA.

Consent should be obtained before placing personal data on a website, as this involves its transfer outside of the EEA.

Examples of third party requests

Former students

If you receive an enquiry from an individual claiming to be a former student of the University of Bath asking for a letter to confirm his or her status as a student, or details of an award, you should not proceed until you are convinced that the enquirer is who they say there are. Once this is established, then the letter can be produced as requested. You may include relevant dates of attendance if they are required. It is important to keep a record of any telephone calls of this kind with any other correspondence and a copy of the outgoing letter.

Requests from former students wishing to contact other students or former students should be treated as any other request from an unknown third party. You can volunteer to try to forward a message to anyone who matches the details provided, which generally needs to be more than just a full name.

Landlords

When receiving requests from landlords wishing to get in touch with a former tenant who may be, or have been, a student, you should not confirm that a particular individual is a registered student. You can volunteer to try to forward a message to anyone who matches the details provided, which generally needs to be more than just a full name.

Other universities

In response to forms sent directly by another university without any signed authorisation from the relevant student, staff may confirm on request the details of an award (degree type, subject, classification and date), but not more (dates of attendance) without the written authorisation of the former student.

If the form asks for more information than you are able to give, the appropriate sections should either be left blank or you can write a letter confirming the position in your own terms. If in doubt seek advice from a senior member of SREO staff or the Data Protection team.

Recruitment agencies and employers

Do not release information about students without a statement signed by the student authorising the release of data about them for a reference.

In response to a telephone enquiry or a letter, which does not enclose a signed authorisation from the student in question, staff members may confirm on request the details of an individual award (degree type, subject, classification and date) but no more ( dates of attendance).

In response to a letter which does enclose a signed authorisation from the student in question, staff members may confirm on request the details of an award (degree type, subject, classification and date), and any further details covered by the written authorisation. If in doubt seek advice from a senior member of SREO staff.

Schools

If contacted by a school wishing to ascertain the outcome of a former pupil's University study you may confirm on request the details of the award (degree type, subject, classification and date) but not more (dates of attendance) without the written authorisation of the student.

If the individual in question has left the University prematurely you should not even confirm that he/she was a registered student.