Disclosing data in compliance with the Data Protection Act

How to respond to requests from individuals and third parties about personal data held by the University.

Individuals are entitled to see all information held about themselves, but personal data should only be disclosed to third parties under specific conditions.

If you are concerned about a request for data, email the Data Protection Officer for advice at dataprotection@bath.ac.uk

Responding to a request for information

Any staff member who receives a request for information, which they believe to be a request for data under the Data Protection Act, should immediately forward the request to the Data Protection Officer at dataprotection@bath.ac.uk

You should pass on all such requests where any person is essentially asking for information about themselves, even if they do not mention the Data Protection Act. The exception is where the request is for information that would normally be released as a matter of course, such as a request by a student for a copy of their academic transcript.

Be open with individuals

Wherever possible, be open with individuals in relation to information held about them. If an individual wants to make a formal Subject Access Request under the Data Protection Act, they should be referred to the Data Protection Officer or to our guidance on making a Subject Access Request.

Take care with requests from third parties

Exercise caution if you are asked to disclose information about an individual to someone else, either within or outside the University.

You can pass on information to other members of staff if they legitimately require the information for their duties, but in most other cases you must not disclose personal data without the individual's consent. Even parents, spouses, friends, partners or sponsors are not entitled to information without the Data Subject's consent.

There are times when you can pass personal information about an individual to a third party. Staff in the Academic Registry may legitimately disclose relevant data to appropriate third parties for purposes connected with a Student's studies or to meet statutory requirements. The member of staff dealing with the request will need to be satisfied as to the legitimacy of the enquirer's identity and request.

The University also receives requests for information from bodies such as the police and HMRC. If you routinely disclose such data as part of your job, you should first take steps to ensure that requests are genuine and legitimate. The police have a standard form, which they should use in connection with any requests for personal information, and requests from them should be forwarded to the Data Protection Officer to handle.

All non-routine requests should be referred to the Data Protection Officer.

Disclosing information in an emergency

Personal information can be disclosed in an emergency. In such a situation, if necessary, personal information can be disclosed without consent. For example, if a member of staff or a student collapses and is unconscious, it would be permissible to inform medical staff that the individual suffers from diabetes.

You must not disclose information about an individual to any other enquirers, without written and signed permission from the individual to release their personal data.

Disclosing data to third parties

Exercise caution when dealing with requests for personal information from outside the University.

Disclosure formats

Personal data should only be disclosed over the telephone in emergencies. When personal data is included in an email, the email should be password protected and where appropriate encrypted.

Requests from public and official bodies

When dealing with routine-type queries from public and official bodies, such as Local Education Authorities (LEAs) or equivalent, you need to be convinced that:

  • the person is who he/she says he/she is
  • the enquiry is genuine
  • the student in question is clearly identified.

If in doubt as to the authenticity of the enquiry, seek advice from a senior member of Academic Registry or by emailing the Data Protection Officer at dataprotection@bath.ac.uk

Unless you are familiar with named staff at bodies such as Local Education Authorities, it is advisable to ask for a main switchboard number to phone them back to ensure the legitimacy of a query.

Requests in writing should be on official headed paper. Keep a record of all telephone calls with any other correspondence and a copy of the outgoing letter.

Once the legitimacy of the request is established the requested information should be made available.

Requests from the police

The police do occasionally ask for personal data as part of an inquiry but they don't have the automatic right to receive information about our staff or students. You should not be pressured into handing over personal information. There is a special process to allow the police to access personal data for certain crime-related purposes. The request should be referred to the Data Protection Officer.

Requests from other third parties

You should not disclose any information about an individual without written and signed permission from the individual. Do not even confirm that a student is registered at the University. You can, without implying that a student of the name given is registered, agree to attempt to pass on a letter or message to them, but do not give out addresses or contact details.

If a third party claims that it is vital to have an answer or to contact an individual immediately, take their details and seek assistance from a senior member of Academic Registry or the Data Protection Officer.

Third party processor

If the University has to disclose personal data to a third party, either for them to process data on our behalf (for example, to conduct a questionnaire for us) or as part of an agreement we have entered into with them (for example, sending student data to another institution about exchange students), the University must have a written contract in place with the other party.

The contract will ensure that the third party processor will only process the personal data in accordance with our instructions and will comply with the Data Protection Act. The Data Protection Officer can draft data sharing agreements when needed.

Sending personal data outside the European Economic Area (EEA)

The Act states that personal data should not be sent to countries outside the EEA which do not have an adequate level of data protection unless the individual consents or there is other good reason as set out under the Act, for example, for the performance of a contract between the individual and the University.

Consent from the individual should always be obtained before their personal data is sent outside the EEA.

Consent should be obtained before placing personal data on a website, as this may involve its transfer outside the EEA.

Examples of third-party requests

Former students

If you receive an enquiry from an individual claiming to be a former student of the University asking for a letter to confirm his or her status as a student, or details of an award, you should not proceed until you are convinced that the enquirer is who they say they are. Once this is established, then the letter can be produced as requested. You may include relevant dates of attendance if they are required. It is important to keep a record of any telephone calls of this kind with any other correspondence and a copy of the outgoing letter.

Requests from former students wishing to contact other students should be treated as any other request from an unknown third party. You can volunteer to try to forward a message to anyone who matches the details provided, which generally need to be more than just a full name.

Landlords

When receiving requests from landlords wishing to get in touch with a former tenant who may be, or have been, a student, you should not confirm that a particular individual is a registered student. You can volunteer to try to forward a message to anyone who matches the details provided, which generally need to be more than just a full name.

Other universities

In response to forms sent directly by another university without any signed authorisation from the relevant student, staff may confirm on request the details of an award (degree type, subject, classification and date), but not more (dates of attendance) without the written authorisation of the former student.

If the form asks for more information than you are able to give, the appropriate sections should either be left blank or you can write a letter confirming the position in your own terms. If in doubt seek advice from a senior member of Student Records & Examinations Office (SREO) staff or the Data Protection Officer.

Recruitment agencies and employers

Do not release information about students without a statement signed by the student authorising the release of data about them for a reference.

In response to a telephone enquiry or a letter, which does not enclose a signed authorisation from the student in question, staff members may confirm on request the details of an individual award (degree type, subject, classification and date) but no more (dates of attendance).

In response to a letter which does enclose a signed authorisation from the student in question, staff members may confirm on request the details of an award (degree type, subject, classification and date), and any further details covered by the written authorisation. If in doubt seek advice from a senior member of SREO staff.

Schools

If contacted by a school wishing to find the outcome of a former pupil's University study you may confirm on request the details of the award (degree type, subject, classification and date) but not more (dates of attendance) without the written authorisation of the student.

If the individual in question has left the University prematurely you should not even confirm that he/she was a registered student.

Contact us

If you have any questions, please contact us.

