University of Bath

Data Protection Guidance

Guidance for staff and students on complying with the Data Protection Act

Guidance

All members of the University are responsible for ensuring compliance with the Data Protection Act.

The Information Commissioner can impose fines of up to £17 million on organisations for breaching the Act, and serious breaches may also see the individuals involved being prosecuted.

Managing data in compliance with the Act

There are three broad stages of processing data that you need to be aware of to ensure compliance with the Six Principles of the Act:

  • Gathering data
  • Keeping data
  • Disclosing data.

Data Security

Keeping data secure is essential to complying with the Data Protection Act. Security is also essential when working off campus and on mobile devices.

Specific guidance

Responding to requests for information

The University has to respond to Subject Access Requests within 1 month. Follow our guidance for dealing with requests to help us deal with them efficiently.

Academic research

Academics who supervise students whose research uses personal data should be aware of exemptions to processing research data under the Act and the guidance they should give.

Photography and filming

Ensure you comply with the Act when taking photographs or making film recordings on behalf of the University or on campus.

Academic appeals

Guidance on the types of information that a student can request to help them gather evidence for an academic appeal.

Examiner comments and examination board minutes

Staff and external examiners should take care to understand what information for exam papers is available under a subject access request.

Personal references

Individuals may have the right to see references which the University has written about them or received in respect of them.

Although references may be marked in such a way as to imply confidentiality ('private & confidential' or 'for the attention of the addressee and the relevant interviewing panel only'), confidentiality can never be guaranteed.

If you are writing a reference you should assume that it may be disclosed to the Data Subject.

Gathering data

You must comply with the Data Protection Act whenever you gather or collect personal data for University-related purposes. This includes data obtained for Academic Research.

There are three general rules of compliance that you should follow when collecting data.

  • Obtain consent
  • Limit the Personal Data you collect
  • Keep data secure

Obtain consent

Data subjects should be told in clear terms, preferably in writing, exactly what information is being collected, what it will be used for and to whom it may be released. A record should be kept to show that the individuals have consented to their data being processed under the Data Protection Act.

All University of Bath students and staff provide their general consent to their personal data being processed for certain, limited, necessary purposes:

If you intend to collect data which is not covered by this general consent, or from individuals who are not students or staff, you must ensure that you obtain their permission.

If the data is going to include any sensitive personal data, specific consent in writing is needed.

For advice and sample consent wording, email the Data Protection team.

Limit the personal data you collect

Ensure you only collect personal data that is strictly necessary, especially sensitive personal data. Any irrelevant or excessive information should not be retained.

Keep data secure

All personal data gathered must be held securely. Use a computing services server to store data wherever possible. Don't put the data onto a mobile device unless it is secure - password protected and, where appropriate, encrypted.

Restrict access to data and maintain confidentiality by:

  • only allowing other staff to access the data if necessary
  • not transferring data to a third party unless you have consent
  • taking care not to lose data
  • ensuring data is kept securely, whether on or off campus.

Keeping data

If you have access to existing files or data you must follow the rules on keeping data to ensure that requirements of the Data Protection Act are met.

There are four general rules of compliance that you should follow when keeping data.

  • Review the content of files and records
    • Accuracy
    • Relevance
    • Fairness and access rights
  • Keep data secure
  • Maintain best practice in record keeping
    • Limit access to data
    • Only use data for the original purpose
    • Keep files in a single location
  • Only retain data for as long as necessary

Review the content of files and records

Accuracy

Files and other records containing personal data must be kept up-to-date and regularly checked for accuracy. Record any changes and delete any obsolete information.

Relevance

Only relevant and necessary information should be retained. Carry out regular administration of files and records to remove duplicated materials and irrelevant information.

Fairness and access rights

Individuals have the right to see their personal data, including any comments about them. Opinions about individuals in documents should be justifiable and based on fact. It is permissible to give a reasoned, frank opinion about a student's work or behaviour, but not to express personal dislike or make any insulting or defamatory remarks. Do not record, however informally, comments you would not be happy for the Data Subject to see.

Keep data secure

All paper and digital records containing personal data must be held securely. You must take care to ensure that data cannot be accessed or viewed by anyone not authorised to do so.

See our detailed guidance on data security and data security off-campus.

Maintain best practice in record keeping

Limit access to data

Access to personal data should be restricted to those staff who require access for legitimate business or operational reasons, and used for the purpose(s) for which it was granted.

Exercise caution if you are asked by a third party to disclose personal data. It should not normally be disclosed without the consent of the individual.

Only use data for the original purpose

Personal data collected for one purpose may not subsequently be used for another without the individual's consent. For example, contact details collected on a course feedback form may not be used for a mailshot.

Keep files in a single location

All documents which may need to be referred to in order to carry out normal departmental business should be kept centrally in a single file.

Members of staff holding their own separate files can only be justified if it is in the interests of the student or other individual, for example where the information is particularly sensitive.

Private files should not be routinely kept so as to avoid duplication or fragmentation. Personal data should only be reproduced for specific purposes. Once the purpose is fulfilled the record should be securely disposed of.

Subject Access provisions apply to 'private' files in the same way as to any other records. Any additional or separate files maintained by personal tutors relating to students for the duration of a programme of study should be weeded after graduation.

Any material which might be needed for the completion of student references should be combined with the relevant central departmental student file. Storing selected work-related or staff records at home does not exempt them from the Subject's right of access.

Only retain data for as long as necessary

Personal data should not be kept for any longer than is necessary.

When a student graduates or leaves the University the departmental student file is closed. At some time during the next three years, student files must be thoroughly weeded and all records of no further use should be destroyed. Weeded student files must be retained permanently within the department or in the University Records Centre.

When personal data is to be deleted or disposed of, ensure that confidentiality is maintained. Paper files should be shredded or put into confidential waste sacks.

Disclosing data

Individuals are entitled to see all information held about themselves, but personal data should only be disclosed to third parties under specific conditions.

If you are concerned about a request for data, email the Data Protection team for advice.

Be open with individuals

Wherever possible, be open with individuals in relation to information held about them. If an individual wants to make a formal Subject Access Request under the Data Protection Act, they should be referred to the Data Protection team or to our guidance on making a Subject Access Request.

Take care with requests from third parties

Exercise caution if you are asked to disclose information about an individual to someone else, either within or outside the University.

You can pass on information to other members of staff if they legitimately require the information for their duties, but in most other cases you must not disclose personal data without the individual's consent. Even parents, spouses, friends, partners or sponsors are not entitled to information without the Data Subject's consent.

There are times when you can pass personal information about an individual to a third party. Staff in the Student Records and Examinations Office may legitimately disclose relevant data to appropriate third parties for purposes connected with a Student's studies or to meet statutory requirements. The member of staff dealing with the request will need to be satisfied as to the legitimacy of the enquirer's identity and request.

The University also receives requests for information from bodies such as the police and the Inland Revenue. If you routinely disclose such data as part of your job, you should first take steps to ensure that requests are genuine and legitimate. The Police have a standard form which they should use in connection with any requests for personal information.

All non-routine requests should be referred to the Data Protection team.

Disclosing information in an emergency

Personal information can be disclosed in an emergency. In such a situation, if necessary, personal information can be disclosed without consent. For example, if a member of staff or a student collapses and is unconscious, it would be permissible to inform medical staff that the individual suffers from diabetes.

You must not disclose information about an individual to any other enquirers, without written and signed permission from the individual to release their personal data.

Disclosing data to third parties

Exercise caution when dealing with requests for personal information from outside the University.

Disclosure formats

Personal data should only be disclosed over the telephone in emergencies. When personal data is included in an email, the email should be password protected and where appropriate encrypted.

Requests from public and official bodies

When dealing with routine queries from public and official bodies, such as Local Education Authorities (LEAs) or equivalent, you need to be convinced that:

  • the person is who he/she says he/she is
  • the enquiry is genuine
  • the student in question is clearly identified.

If in doubt as to the authenticity of the enquiry, seek advice from a senior member of Student Records and Examinations office or by emailing the Data Protection team.

Unless you are familiar with named staff at bodies such as Local Education Authorities, it is advisable to ask for a main switchboard number to phone them back to ensure the legitimacy of a query.

Requests in writing should be on official headed paper. Keep a record of all telephone calls with any other correspondence and a copy of the outgoing letter.

Once the legitimacy of the request is established the requested information should be made available.

Requests from the police

The police do occasionally ask for personal data as part of an inquiry but they don't have the automatic right to receive information about our staff or students. You should not be pressured into handing over personal information. There is a special process to allow the police to access personal data for certain crime-related purposes. The request should be referred to the Data Protection team.

Requests from other third parties

You should not disclose any information about an individual without written and signed permission from the individual. Do not even confirm that a student is registered at the University. You can, without implying that a student of the name given is registered, agree to attempt to pass on a letter or message to them, but do not give out addresses or contact details.

If a third party claims that it is vital to have an answer or to contact an individual immediately, take their details and seek assistance from a senior member of SREO staff or the Data Protection team.

Third party processor

If the University has to disclose personal data to a third party, either for them to process data on our behalf (for example, to conduct a questionnaire for us) or as part of an agreement we have entered into with them (for example, sending student data to another institution about exchange students), the University must have a written contract in place with the other party.

The contract will ensure that the third party processor will only process the personal data in accordance with our instructions and will comply with the Data Protection Act. The Data Protection Officer can draft data sharing agreements when needed.

Sending personal data outside the European Economic Area (EEA)

The Act states that personal data should not be sent to countries outside the EEA which do not have an adequate level of data protection, unless the individual consents, or there is other good reason as set out under the Act, for example, for the performance of a contract between the individual and the University.

Consent from the individual should always be obtained before their personal data is sent outside the EEA.

Consent should be obtained before placing personal data on a website, as this may involve its transfer outside the EEA.

Examples of third party requests

Former students

If you receive an enquiry from an individual claiming to be a former student of the University asking for a letter to confirm his or her status as a student, or details of an award, you should not proceed until you are convinced that the enquirer is who they say they are. Once this is established, then the letter can be produced as requested. You may include relevant dates of attendance if they are required. It is important to keep a record of any telephone calls of this kind with any other correspondence and a copy of the outgoing letter.

Requests from former students wishing to contact other students should be treated as any other request from an unknown third party. You can volunteer to try to forward a message to anyone who matches the details provided, which generally need to be more than just a full name.

Landlords

When receiving requests from landlords wishing to get in touch with a former tenant who may be, or have been, a student, you should not confirm that a particular individual is a registered student. You can volunteer to try and forward a message to anyone who matches the details provided, which generally need to be more than just a full name.

Other universities

In response to forms sent directly by another university without any signed authorisation from the relevant student, staff may confirm on request the details of an award (degree type, subject, classification and date), but not more (dates of attendance) without the written authorisation of the former student.

If the form asks for more information than you are able to give, the appropriate sections should either be left blank or you can write a letter confirming the position in your own terms. If in doubt seek advice from a senior member of SREO staff or the Data Protection team.

Recruitment agencies and employers

Do not release information about students without a statement signed by the student authorising the release of data about them for a reference.

In response to a telephone enquiry or a letter, which does not enclose a signed authorisation from the student in question, staff members may confirm on request the details of an individual award (degree type, subject, classification and date) but no more (dates of attendance).

In response to a letter which does enclose a signed authorisation from the student in question, staff members may confirm on request the details of an award (degree type, subject, classification and date), and any further details covered by the written authorisation. If in doubt seek advice from a senior member of SREO staff.

Schools

If contacted by a school wishing to ascertain the outcome of a former pupil's University study you may confirm on request the details of the award (degree type, subject, classification and date) but not more (dates of attendance) without the written authorisation of the student.

If the individual in question has left the University prematurely you should not even confirm that he/she was a registered student.

Data security

Any information you access when conducting University business that pertains to living individuals is covered by the Data Protection Act. More stringent rules apply to sensitive personal data containing information such as a person's race or ethnic origin, religious beliefs or health.

The Act applies to personal data processed on campus and remotely on mobile devices, even if the device is your personal property. If you use a mobile device or home computer to access or save your University emails, there is likely to be personal data within those emails that falls under the Act.

Keeping data secure

The most common causes of data loss or leakage and breaches of the Act can be avoided by following our guidance.

Keep personal data secure

  • Paper files should be kept in locked cabinets or locked offices when not being used and stored securely at the end of the day - not left on desks.
  • Offices should be locked when left unattended (during meetings and lunch breaks).
  • Always ensure that you log off from your computer when away from it.
  • Password protection should be used for any electronic files/documents containing sensitive personal data.
  • Take particular care when transferring personal data onto a memory stick, laptop or any other mobile device - use password protection and encryption where appropriate.
  • If you ever need to include sensitive personal data in an email use password protection or encryption where appropriate.
  • Change your password frequently and adhere to the University's IT Security Policy.
  • Don't copy any personal data unless it is strictly necessary.

Restrict access to personal data

  • Ensure the access to data is only granted to University staff who require it for legitimate purposes.
  • Don't disclose personal data to other third parties.
  • Avoid third parties seeing digital screens displaying personal data.
  • If you need to share data with a third party for business purposes contact the Data Protection team so that a data sharing agreement can be entered into with them.

Storing personal data

  • Where possible, store/save personal data on a computing services server.
  • Never store personal data, especially sensitive personal data, on a mobile or home computer unless it is strictly necessary and the device has been encrypted where appropriate.
  • Don't store or transfer personal data where it could be lost or exposed (on unencrypted USB drives, mobile devices and laptops).

Dispose of personal data carefully

  • Shred paper files or dispose of them securely using the University's confidential waste sacks.
  • If you store personal data on your own device you must securely erase all personal data on it before disposing of it.

Report data breaches

You must immediately report breaches or potential breaches as soon as you become aware of them. This includes lost or stolen laptops, memory sticks or other mobile devices, and accidental disclosures of information, for example sending an email to the wrong recipient.

Data security off campus

The Act applies to all personal data that you use for University business, wherever that data is held. It includes personal data kept on mobile devices (laptop, tablet, phone) whether the device is your own or the University's.

When working off-campus, follow the points below. Don't take any personal data off-campus without authority and having first considered security. You must adhere to the University's IT security policy.

Email security

Only use your computing services email account for University business.

Working off-campus

Don't store data on mobile devices. Use remote access facilities (UniDesk) to access and store personal data, as this ensures that the data remains on a secure University server.

Taking data off campus

Reduce risks of a breach of the Act through data loss by:

  • limiting the amount of personal data taken off-campus - only take the data you really need
  • making and using a copy of your data rather than taking the original
  • anonymising data wherever possible to remove Sensitive Personal Data.

Use encryption and passwords

If you store or transfer personal data onto a mobile device or PC outside of the University's IT systems, ensure that password protection and encryption where appropriate are used.

Contact computing services for advice and assistance on keeping your data secure.

Take security measures

If you store personal data on a PC or device outside the University's IT systems, it should be as a short term measure only. Keep a copy of the data on the University's IT system too, so that if a device is lost or stolen, you do not lose the only copy.

Store it on the University's IT system at the same time or transfer it there as soon as possible. In any event the data should be deleted from the device/PC outside the University's IT system as soon as possible.

Make sure that any mobile device you use is adequately protected against viruses.

Take special care when transporting personal data to and from your home and when using public transport.

Avoid keeping sensitive data on mobile devices.

Responding to a request for information

Any staff member who receives a request for information, which they believe to be a request for data under the Data Protection Act, should immediately forward the request to the Data Protection team.

You should pass on all such requests where any person is essentially asking for information about themselves, even if they do not mention the Data Protection Act. The exception is where the request is for information that would normally be released as a matter of course, such as a request by a student for a copy of their academic transcript.

Photography and filming

Images of individuals, whether in still photographs or moving film images, will often be caught by the definition of personal data in the Data Protection Act. In many cases consent from the individuals will need to be obtained in order to process (capture and use) the images fairly and lawfully.

If you are unsure as to whether the Act applies to the photos or film that you plan to take, get advice from the Data Protection team.

Consent and location forms

Taking and using photographs or film footage of people without their consent could constitute a breach of the Act. If an individual objects to the display of their photograph then it must be removed.

Before taking photographs or filming for University purposes, please follow our guidance and use these forms where appropriate.

Special arrangements may be made for students with specific learning needs to allow them to record lectures for their own use. Please contact Student Services for more information.

Withdrawing consent

An individual captured in an image can withdraw their consent even after having signed the consent form. Any such withdrawal should be in writing.

Once consent is withdrawn, the University cannot use the relevant images again, but it will not normally be possible to recall documents in which the image has already appeared.

Photographing and filming on campus

As the university is accessible to the public, areas such as the parade will be considered to be public areas, and you should be able to film or take pictures there which incidentally capture passers-by in the background, without the need to get their consent. However, you should still attempt to display our Location Warning Notice for filming/photography.

Photographing and filming individuals or small groups

Consent must always be obtained from people whose images are the focus of the photograph or film. For example, an academic being interviewed or photos of individuals being taken for a department noticeboard.

Where a photograph or film involves individuals other than the main subject, then in some circumstances their consent will also be needed. To ensure compliance with the Act:

  • ensure all those involved are happy to be photographed or filmed and understand how the images/film will be used and for what purpose
  • get all individuals to complete our personal consent form (you may need to adapt it for your particular purpose)
  • obtain permission from the parent or guardian of any under-18s who are involved (see Parental Consent form).

Photographing and filming large groups such as lectures

If you are filming or taking pictures of a lecture delivered to a large group of registered students as part of their course of study, it is not normally necessary to ask all those in attendance to complete a consent form.

However, if it is a public or one-off lecture or it is to be made available on the web you need to consider both copyright and consent issues.

Copyright

  • Get the presenter to sign the consent form prior to recording. They must ensure that they do not include in their presentation any material which belongs to a third party, unless they have permission or a licence to do so.
  • The consent form also permits the University to use the lecture content and any of the lecturer's performance rights.
  • If any students or members of the audience participate in the lecture, for example, if they deliver a presentation they also need to sign the consent form to licence copyright and performance rights.

Consent

  • Display a warning notice to flag up that photography and filming is going to be taking place.
  • Verbally tell all those present that you will be photographing or filming in the group, before starting to do so, so that any individual who wishes to opt out may leave or move to the back, if appropriate.
  • Offer the individuals present in the audience the opportunity to sit somewhere where they will not be filmed.

Copyright assets

Photographs, film, sound recordings and still images are all protected by copyright. The University is the owner of copyright in recordings it makes, but our academics own copyright in their scholarly output, and this includes the underlying lecture material (such as PowerPoint slides) and the content of the lecture (when fixed by a recording). The University has the automatic right to use those copyright works for its legitimate purposes. You must ensure that any third party material captured in the course of filming or taking photographs does not breach copyright, by being satisfied that the University is permitted to use such material for this purpose.

The University holds a licence which permits limited use of certain copyright material, for example to distribute copies to registered students. But there is no blanket licence which would allow recording of all copyright material.

Storing photographs and film recordings

All photos or recordings which contain personal data will need to be treated in the same way as personal data held in other formats. They need to be kept securely and disposed of securely when no longer required, in accordance with our guidance on Data Security.

Since photographs may reveal details of the subject's race and ethnic origin they are classified as Sensitive Personal Data. Generally photographs should only be used and retained where strictly necessary.

Academic research

Academics involved in supervising students whose work uses personal information have a duty to ensure that their students are aware of the requirements of the Data Protection Act, specifically:

  • the need to obtain consent of the Data Subjects of the research
  • the need to ensure all personal information received is held confidentially and securely
  • the fact that results must be anonymised and not identify individual research participants.

Academics should follow our guidance to ensure compliance with the Act.

Email questions to dataprotection-queries@lists.bath.ac.uk or contact the team directly.

Obtaining consent

Participants in research projects must be told in clear terms, preferably in writing:

  • exactly what information is being collected
  • what it will be used for
  • to whom it may be released
  • whether and in what form the data will be published.

The individual must be asked to sign a statement agreeing to the use of their personal data for these purposes. Contact the Data Protection team for advice on the wording of such a statement.

If research data is being supplied by a third party source, such as a GP, it is important to check that they have secured permission to supply any personal data to the University.

Collecting data

Researchers need to ensure that they only collect personal data that is strictly necessary for the research being undertaken, in line with our guidance on gathering data. Unless necessary for the research, details such as names and addresses must not be collected at all.

Data security

It is vital that all personal data being used for research is held securely and that access is restricted to the staff or students engaged in the research.

If any data is to be processed by, or shared with, a third party, that third party will need to enter into a written agreement with the University to ensure compliance with the Data Protection Act. Contact the Data Protection team for assistance with wording this agreement.

It is important that data security is considered if any data is to be processed or taken off-site or kept on mobile devices.

Publishing results

Researchers must ensure that the results of the research are anonymised when published and that no information is published that would enable a Data Subject to be identified.

Exemptions from the Act

There are exemptions to the general rules on data protection that apply to academic research.

Further processing of personal data

Personal data which has been collected for one piece of research can be used for other research without breaching the Act.

However, this only applies to research data that is:

  • not being used to "support measures or decisions with respect to particular individuals"
  • not processed in such a way that is likely to cause substantial damage or distress to the relevant individual.

Retention of personal data

Personal data collected in connection with research can be kept indefinitely so that research can be reconsidered or the data re-analysed at a later date.

Subject access requests

Research data collected must be anonymised or the usual rights of the Data Subject to view information held about them will apply.

Individuals whose personal data is being used in research do not have the right to see their data or be supplied with details of it, provided that the results of the research or any resulting statistics do not identify the individuals concerned.

Academic appeals

Academic appeals are an opportunity for students to apply for a reconsideration of a decision made by the Board of Studies in relation to a degree classification, failure or academic progression.

When students provide written evidence or other documentation they consent to the evidence or information being disclosed to those involved in the appeal.

If the appeal centres on complaints about the quality of the academic supervision and the student submits written evidence, this will need to be put before the supervisor concerned, to give them an opportunity to properly rebut any specific points raised.

Information students can request

Students can ask to see copies of information which relates to them, including:

  • examiner's reports
  • comments written by examiners on reports or other documents
  • minutes of meetings of the relevant examination board.

Such documents will normally be provided to any student who submits a Subject Access Request. They can also be disclosed following an informal request so long as their disclosure does not involve divulging personal data relating to any third party. In many cases it may be necessary to take steps to anonymise some documents, such as a mark list which includes the names of other students.

Academic appeal request

Requests by students for information they need in order to support an Academic Appeal can be made verbally, by email or in writing to the relevant person, which will be a Departmental Administrator, Director of Studies, Personal Tutor or Head of Department. A record of the request and the response to it must be kept on the student's file.

A student should normally be given the information about them that they are entitled to see within a reasonable time of making a request to the relevant person. If, however, the person receiving the request is unsure whether the information should be released or if the information contains references to other persons, the student should be asked to contact the Data Protection team to make a formal request for the information.

Disclosure of email

If members of staff store their emails discussing Academic Appeals, then those emails will be disclosed to the student if they request to see them. Staff should ensure that what they write in emails is truthful and balanced. Care should always be taken to print out important and relevant emails, which should be held on the relevant student's file.

Disclosure of minutes

If a student requests to see any such minutes they will normally be entitled to have a full copy provided to them.

If the minutes contain personal data of a confidential nature relating to a third party, it may be necessary to provide the student with an amended, anonymised version of the minutes.

Personal notes made by the appeal sub-committee

It is University procedure for all personal notes to be destroyed as soon as the meeting has finished and/or the formal minutes are approved. Students will have to rely on copies of the formal minutes.

Data protection and exams

There is a range of information that a student can request under the Act. Staff and external examiners must take care to understand what information can be made available under a Subject Access Request.

Examination scripts

The examination scripts themselves, particularly the information recorded by candidates in exams, are exempt from disclosure under the Act. However, if examiners record any comments on the scripts themselves, they can be disclosed if the student makes a Subject Access Request to see them.

Internal examiners' comments on examination scripts and assessed work must be intelligible, appropriate and capable of being copied for a Data Subject.

Students may also ask to see examination marks, but if the request is made before the examination results are publicly announced, the timescale for responding to the request is extended, normally to 40 days from the date the results are publicly announced.

Examination board minutes

Minutes of examination boards and other boards that contain a record of discussions about students, for example an IMC panel meeting, are subject to disclosure if the student makes a Subject Access Request to see them.

It may be necessary to redact the data to prevent details pertaining to other students from being disclosed before the data is released.

Publishing results

All departments must ensure that exam and assessment results are only disclosed to the student themselves.

If you intend to publish any lists publicly, for example on a noticeboard in a department, you will need to ensure that the data is published in an anonymised form.

Never publish results where third parties can see them, such as on the internet. Never disclose examination or assessment results over the telephone unless you can properly identify the student.