Guidelines for staff in academic departments
These guidance notes are mainly aimed at staff working in academic departments, although they also apply to all staff, whether academics, administrators or secretarial/support staff, who handle personal information relating to students on a regular basis. The Data Protection Act 1998 covers all such personal data, so it is important that such staff are aware of the requirements of the Act and the obligations placed on them by it.
It is likely that all departments will hold standard information such as students' names and contact details, information about class attendance and marks and grades achieved. It is also likely that sensitive information such as sick notes, information relating to medical conditions or disabilities and details of race or ethnic origin will be held. All this information constitutes personal data and must be stored and used in accordance with the Data Protection Act at all times. This means, briefly, that the information must be accurate, must be kept up-to-date and must be held securely.
All information held in student files is potentially disclosable to the student concerned. This includes comments about the standard of the student's work or behaviour. When writing and filing notes, reports or comments, be aware of this and do not write or record any comments that cannot be justified or which are potentially insulting or defamatory.
Files must be kept up-to-date. Changes to addresses or other contact details should be noted both on paper files and also on any database held.
Only relevant and necessary information should be retained on student files. Files should be weeded of duplicated materials and irrelevant documents.
Retention Periods
The University has a policy (approved by the Registrar) on the retention of departmental student files. When a student graduates (or leaves the University) the departmental student file is closed. At this point, or at some time during the next three years, student files must be thoroughly and systematically weeded: all records of no further use should be removed and destroyed. Weeded student files must be retained permanently within the department or in the University Records Centre. More details of University policy on the retention of student records are published in the University Records Retention Schedule.
Student files must be held securely, for example, in a locked office or filing cabinet or in an office that is continuously manned. Files should not be left open on desks or in areas where visitors or other students can view them. Information held on computer should ideally be password-protected and screens should not be sited so that they can be seen by passers-by.
Handling Enquiries for Personal Information
Wherever possible, be open with students in relation to information held about them. If a student wishes to make a formal subject access request under the Data Protection Act, they should be referred to Elizabeth Richardson, the Data Protection Officer (Ext. 3291) or her assistant (Ext. 6966).
If you are asked to disclose information about a student to someone else, either within or outside the University, you must not do so without the student's consent, except in a few situations. Even parents, spouses, friends, partners or sponsors are not entitled to information without the student's consent.
However, information can be legitimately disclosed to third parties for purposes connected with a student's studies and to meet statutory requirements (e.g. to HEFCE, LEAs, Council Tax Offices and Research Councils) provided the University is satisfied as to the enquirer's identity and the legitimacy of the request. In case of doubt it is advisable to check with the Data Protection Officer or your line manager.
From time to time the University also receives requests for information from bodies such as the Police and the Inland Revenue. The University endeavours to co-operate with such requests but steps should first be taken to ensure that requests are genuine and legitimate. The police have a standard form which they should use in connection with any requests for personal information. The Data Protection Officer can provide advice and should be contacted before any personal information is disclosed in response to such a request.
There may also be occasions where personal information needs to be disclosed in an emergency, e.g. where a student or staff member has been injured or taken ill. In such a situation, if necessary, personal information can be disclosed without consent. For example, if a student collapses and is unconscious, it would be permissible to inform medical staff that the student suffers from diabetes.
There is no difficulty in supplying personal information about students to other staff members of the University who legitimately require the information to carry out their normal duties.
Project and Research Supervisors
Any academic involved in supervising students whose work uses personal information should ensure that the students concerned are made aware of the requirements of the Data Protection Act. In particular, the consent of the subjects of the research should be obtained and all personal information received should be held confidentially and securely. Results should be anonymised and should not identify individual participants in the research.
Staff (and, where relevant, students) undertaking research using personal information collected from third parties will be covered by the University's Data Protection Notification. However, the data protection principles still need to be complied with. This means that in carrying out research it is important that the subjects of the research are made fully aware of the proposed use of their personal information. Wherever possible, research data should be anonymised before use. Results should also be anonymised and no information should be published which would allow the participants to be identified. Researchers are also required to keep all personal information secure and ensure that access is restricted only to those staff or students directly involved in the research. For further information see Academic Research and the Data Protection Act.
Students are not entitled to see their examination scripts or assessed coursework after submission. If they make such a request, however, they are entitled under the Data Protection Act to see details of any comments made by the examiner, including any Exam Board minute relating to them, and all examiners should be made aware of this. Examination marks may of course be seen, but the Data Protection Act cannot be used to obtain access to marks any earlier than their publication date.
It is the University's standard practice to publicise exam results on notice boards and at degree ceremonies. Students are notified of the publication of results in the Data Protection statement for student registration.
The Data Protection Act includes specific rules about references. The writer of a reference may stipulate that it is confidential and he/she need not show it to the individual about whom it is written. However, once the reference is received, the subject of the reference may apply to the recipient for a copy. The recipient will have to balance any issues of confidentiality and any refusal of consent by the referee against the rights of the subject of the reference and in many cases the reference will be made available. Therefore anyone preparing a reference should bear in mind that it may be seen by the person who is the subject of it. Writers of references should ensure that their references are accurate and that any opinions expressed are based on factual evidence. These principles also apply to internal references, reports and assessments for promotion and regrading.
When working away from the University, either at home or at another location, it is important that security of personal information is maintained. Special care should be taken when transporting personal information; for example, paper files and floppy disks should be carried in a locked briefcase wherever possible and should not be left unattended in any public place. Personal information should not be transferred to home computers unless appropriate security, such as password protection, is in place. BUCS can provide advice on computer security issues and can be contacted at email@example.com.
File Keeping and Personal or Private Files
Generally, all documents which may need to be referred to in order to carry out normal departmental business should be kept centrally on a single file. (See Departmental Student Files) The case for a member of staff such as a personal tutor holding his/her own separate files can only be justified if it is in the interests of the student (e.g. where the information is particularly sensitive). Private files should not be kept routinely as it is important for efficient record keeping that files are kept in the appropriate place in the department or administrative section to ensure proper practice and avoid duplication or fragmentation.
The subject access provisions apply to "private" files in the same way as to any other records and if a student or member of staff requests access to information held about them this will cover all records held and not just the main departmental file. If it has been necessary for a personal tutor to maintain an additional or separate file of material relating to an individual student (or group of students) for the duration of a programme of study, it is important that such files are thoroughly weeded after the student/students graduate. Any material which might be needed for the completion of student references should be combined with the relevant central departmental student file. It should also be noted that storing selected work-related student records containing personal data at home does not exempt them from the subject's right of access to those records.