How does the Data Protection Act 1998 affect me?
Unlike the Data Protection Act 1984, the new Act covers manual as well as electronic records. This means that student files, card indexes and all other paper-based record systems which contain information about identifible living people are subject to the new Act.
What about registration/notification under the new Act?
The University of Bath has an institutional registration which covers all its main routine administrative and educational functions. There are also separate sections which cover specific areas of work within the University. If you administer a database or research project and want advice about whether this should be notified separately, please contact the Data Protection Officer.
I have been asked by a student to supply a copy of their records. What should I do?
Refer the request to the Data Protection Officer. The student will be asked to complete and return a form setting out the information they wish to see. They may also have to pay a fee which is currently £10. The University is obliged to provide the information to the student within 40 days of receiving the completed request form.
What about exam marks and results?
Exam marks and any minutes from an exam board meeting relating to a particular student should be disclosed. Exam scripts themselves are exempt from disclosure but data subjects do have right of access to any comments or notes recorded on the script. Exam markers should be aware of this and ensure that they do not record any comments on the exam script which they would not be happy for the data subject to see. There are additional rules which state that exam results need not be disclosed any earlier than they are publicly announced.
Can we still publish degree results on departmental notice boards and in degree congregation booklets?
This issue has been considered by the Information Commissioner (formerly the Data Protection Commissioner) who has concluded that provided there is nothing which would enable individual students to be contacted i.e. by the inclusion of e-mail or postal addresses or telephone numbers, then the publishing of degree results does not breach the terms of the new Act. However, if individual students were to indicate that they did not wish their names to be included on the published list, their wish should be respected.
I want to create a photoboard showing photographs of all staff and students within my department. Can I do this?
Photographs constitute personal data so you must get consent from all the individuals concerned before you display their photographs. Consent could, for example, be obtained by asking students and staff to supply photographs and informing them at the point of collection exactly how the photographs are to be used. If an individual objects to the display of their photograph then it must be removed. Since photographs may reveal details of the subject's race and ethnic origin they are classified as sensitive personal data. Generally photographs should only be used and retained where strictly necessary.
I would like to publish a list of students' e-mail addresses/home addresses on the department noticeboard. Can I do this?
Consent must be obtained from all individuals concerned before any such personal data is made public. If any individual does not give their consent then their data must not be published. If an individual initially agrees but then changes their mind, their data must be removed immediately.
I have obtained consent to display certain items of personal data on the department noticeboard/in a department handbook. Can I also publish the information on the department website?
Only if you have obtained specific consent to this from the individuals concerned. You cannot assume that consent for a particular use of data extends to any other use. If you have consent to use personal data for a particular purpose and wish to use this data for another or different purpose, additional consent must be obtained from all the relevant individuals. This is especially important in relation to the publication of personal data on websites because the World Wide Web makes information globally accessible.
I am already holding personal information on a database of contacts which I have compiled over a number of years. Can I continue to hold and use this information?
Yes, but you should think about what personal data you are collecting and holding and why. All the information should be relevant, accurate and held for no longer than necessary. If you are storing or using old or unreliable personal information you should either update or delete it. One way to do this would be to write to the individuals concerned, notifying them of the data you hold and asking them to check that it is correct. You can also inform them of the purposes for which the data is being held and seek their consent.
I have sent literature about forthcoming events, reunions etc to former students of the University. A few people have objected, saying that they do not wish to receive any further communications. What should I do?
You must ensure that these persons are not sent any further communications. If mail is generated electronically you must introduce a system which ensures that people who have objected to receiving communications from the University are removed from your mailing list.
Some of our student files contain comments of a personal or deregatory nature. Could these be viewed by the individual concerned under the terms of the Act?
Yes. Potentially all personal information can be disclosed. The general rule is that you should not record, however informally, comments which you would not be happy for the data subject to see.
What about confidential information such as references. Do these have to be disclosed?
Potentially yes. There are complicated rules relating to references but basically although the subject of the reference cannot demand a copy from the person giving the reference, they could possibly obtain it from the person (or institution) to whom the reference was sent.
I have been contacted by a third party requesting information about a student/member of staff. What should I do?
The general rule is to be very careful about who information is disclosed to. You need to find out exactly who requires the personal data and why. Ideally you should obtain the consent of the relevant student/member of staff before any data is disclosed to a third party, although this may not always be possible (e.g. in a medical emergency). If you are in any doubt as to whether information should be disclosed please contact Elizabeth Richardson.
I have a form/questionnaire which students/members of staff/third parties complete and return. Do I need to modify this form to comply with the new Act?
Yes. Please contact the Data Protection Officer who will be able to advise you on amending any forms to include a statement informing recipients what their personal data will be used for, where it will be held and to whom it may be disclosed.
I use an outside company for sending bulk mailings/administering a database. Are there any special rules for this?
Yes. Under the terms of the Data Protection Act 1998 there must be a written contract containing certain specified terms to ensure that the third party complies with the Act. Please contact Elizabeth Richardson who can supply you with a draft contract.
What about records. How long should I retain them?
The new Act states that personal data should be held for no longer than is necessary. In general it is good practice not to collect or retain more personal information than is strictly necessary. All irrelevant or out of date personal information should be destroyed. For advice on the management of your records please contact the University Records Management Service. University policy on the retention of student records is published in the University Records Retention Schedule. All obsolete personal data should be destroyed according to University procedures for the disposal of confidential paper waste.
This all seems quite complicated. Is there a basic rule I should remember?
Be very careful about the personal information you hold and in particular who you pass it on to. Think about what you are using personal data for and whether this is what the individual concerned would expect you to be using it for. Wherever possible obtain specific consent.
Academic Reviews, Special Considerations:-
(1) Is the information submitted by the student when requesting an Academic Review available to all those involved in the formal academic review process?
When students provide written evidence or other documentation as part of the review process, in doing so they consent to the evidence or information being disclosed to all those involved in the academic review procedure, for purposes strictly limited to the fair and proper implementation of the procedure itself. For example, if the review centres on complaints about the quality of the academic supervision provided by an individual Supervisor and the student submits written evidence to substantiate the complaint, this evidence will need to be put before the Supervisor concerned, in order that they may be given an opportunity to properly rebut any specific points raised.
(2) What type of information is commonly accessible by students who request an Academic Review?
In many cases students will ask to see copies of examiners' reports, comments written by examiners on reports or other documents and the Minutes of meetings of the relevant examination board, which relate to them. Such documents will normally be provided to any student who submits a formal Data Protection Subject Access request (see below for more information on this process). The documents can also be disclosed following an informal request so long as disclosure of the document would not involve divulging personal data relating to any third party. In many cases it may be necessary to take steps to anonymise some documents, such as a mark list which includes the names of other students.
(3) Academic Review cases sometimes generate a lot of e-mails between academic and administrative staff. Would the student concerned be entitled to see copies of such e-mails?
If members of staff store their e-mails then they would have to be disclosed to the student in the event that the student requests to see them. The general rule of e-mail use applies to this type of case as to all other situations in that staff should ensure that what they write is truthful and balanced. Care should always be taken to print out important and relevant e-mails which should be held on the relevant student file.
(4) Are students allowed to see Minutes of the Review Sub-Committee including Minutes of any discussion made by the Committee after the student had been asked to leave the room?
If a student requests to see any such Minutes they will normally be entitled to have a full copy provided to them. This is, however, subject to any duty of confidentiality owed to any third parties whose details are included in the Minutes. Consequently, if the Minutes contained personal data of a confidential nature relating to a third party, it may be necessary to provide the student with an amended version of the Minutes to ensure that content was provided to them, but in an anonymous form.
(5) Should the student have access to the personal notes made by those on the Review Sub-Committee?
It is University procedure for all such notes to be destroyed as soon as the meeting has finished and/or the formal Minutes are approved. Consequently such notes will not normally be available and students will instead have to rely on copies of the formal Minutes.
(6) How should a student make a request to see the information they are entitled to see (eg - the types of information referred to in points 2 to 4 above)?
A student should normally be given the information about them that they are entitled to see within a reasonable time of making a request to the relevant person which in this context would include the Departmental Administrator, Director of Studies, Personal Tutor or Head of Department. A request can be made verbally, by e-mail or in writing. A record should be kept on the student's file of the request and the response to it.
If, however, the person receiving the request is unsure whether the information should be released or if the information contains references to other persons, the student should be asked to contact the Data Protection Officer (currently Elizabeth Richardson - see Data Protection HomePage) to make a formal request for the information.