disclosure of student data

Disclosure of student data to third parties

guide 8 - disclosure of student data

1. Introduction

Disclosure of personal data to any third party is considered to be a form of data processing, thus the disclosure must be made in accordance with the Data Protection Principles and with the College’s notification of its data processing activities with the Office of the Information Commissioner. The Principles set out the conditions under which standard personal data (name, address, academic course etc) can legally be disclosed and the special conditions which apply to the disclosure of sensitive personal data (health, religion, ethnicity etc.)

A student must be informed at registration of the disclosures the College is likely to make in pursuing its legitimate interests. Should further disclosures need to be made later in a student’s course, the student must be informed of this and, where appropriate in terms of the Data Protection Act 1998, the consent of the student sought to the disclosure.

2. Dealing with requests for student data

The following are examples of disclosures which may be sought from the College by third parties and the conditions under which such disclosures may legally be made:

2.1 Confirmation of Current/Previous Student Status

Requests of this nature are likely to come from a number of sources and it is necessary to determine in each case whether a disclosure can be justified as fair processing and whether the College can ensure that the recipients of such disclosures have a justifiable cause to receive that information.

Requests from potential/actual employers and potential/actual providers of additional education are justifiably within the legitimate interests of the College and those of the recipients of such data. However, the data disclosed should be limited to a student’s period of study, marks and/or degree awarded, attendance record. More detailed disclosures are likely to be irrelevant or excessive in terms of the DP Principles and/or may require the College to release sensitive data for which consent may not easily be obtained or readily given by the data subject. Where the disclosure is requested in the form of a personal reference, there are special conditions which apply concerning access to that data and protection of third party interests.

Where disclosures are relevant and fair, it is important to ensure the validity of each request and to minimise the risk of illegitimate disclosure. Disclosures should not be made over the telephone. Enquirers should be required to submit their request in writing on headed notepaper. Ideally the enquirer should first obtain consent for disclosure from the student concerned. Failing that, the enquirer can establish his/her identity and their right to the data asking them to submit a copy of the first page of the application form submitted by the student.

2.2 Disclosures to Sponsors

Many students receive ‘sponsorship’ in the form of funding towards their studies from government agencies, research councils or private corporations. Parents may also be considered to be ‘sponsors’ but, whereas disclosures can legitimately be made to an accredited organisation, they cannot be made to parents without the student’s consent. It has been agreed that, to comply with data protection law, the College can only legitimately disclose student data to a sponsor who meets the criterion as “someone who has a contractual agreement with the student to pay part, or all, of their tuition fees”. Disclosure to any other ‘sponsor’ not fitting this definition can only be made with the student’s consent unless an organisation can provide evidence of “legitimate interest” in terms of the Act.

2.3 Fraud Enquiries

In cases where the College is asked to confirm the details of an individual who is thought to have lied about the qualifications they hold and, where the individual has never had a relationship with the College, it is in order to confirm that the College holds no record of the individual. As there is no personal data held no Data Protection Principle would be breached by such a disclosure. If, however, the individual has attended a course here and perhaps failed, any disclosure must be covered by one or more of the Principles e.g. whether there has been previous consent given, such as to a professional organisation, or there has been statutory obligation such as to HESA, or by the requirements of a contract such as to a sponsor. Otherwise, unless it could be held to be in the legitimate interests of the College to make the disclosure or the disclosure can be made to the police “for the prevention or detection of a crime”, the consent of the individual will have to be sought. Should the information be vital to a criminal case then, in response to a Court Order, the disclosure can be made without consent being given.

Except in cases where there is a statutory obligation upon the College to comply with a request for disclosure of a student’s data, there is no compulsion to make a disclosure, even in cases where the Act permits it. If there is any doubt as to the legitimacy of a disclosure request, then no disclosure should be made.

2.4 Other Enquirers

The College may receive requests for student data from other enquirers such as Government departments, representatives of the governments of foreign countries and the providers of services to students e.g. landlords, suppliers etc. Where there is no statutory, or other, legal obligation to disclose personal data a disclosure must not be made without the consent of the individual concerned. It should be noted that disclosure includes confirmation or otherwise of a student’s presence at the College.

3. Disclosure logs

Where exceptional disclosures of personal data are made to third parties, such disclosures should be noted in a log held centrally in College Registry. Each entry should show the name of the staff authorising the disclosure, the data subject’s name, details of what was disclosed, the recipient’s name, the time and date and reason for the disclosure. This will provide evidence of acting in good faith if, at some time in the future, the data subject complains about the disclosure. The table below gives an idea of some of the bodies to which a disclosure might be made by the College and the basis upon which that disclosure may be made.

 

Disclosure of data

Third PartyBasis for DisclosureNotes
Professional Bodies Contract or Statutory Requirement Consent Professional recognition or accreditation

Casual enquiries

Relatives or Guardians

Consent Students in HE are private individuals
Census Officers

Consent

No statutory right to request
Environment Agency  Possible non-disclosure exemption Notifiable disease contact
Health & Safety Executive Statutory reporting of injuries Disclose only basic personal details of those injured
Department of Environmental Health

Protection of vital interests

No statutory obligation but per missible without consent under the Act
Council Tax Registration Officers Permissible without consent Legitimate interests
UK Funding Councils and their Agents e.g. HESA Further & Higher Education Act 1992 Required for exercise of statutory function
UCAS Consent UCAS informs applicants of exchange of data between them and HEIs
Survey/Research Organisations Consent Informed consent in response to each request
The Police DP Act Section 29 - Disclosures to the police are not compulsory unless the College is served with a Court Order requiring information. However, Section 29 allows data to be disclosed in relation to “the prevention and detection of crime” and the “apprehension or prosecution of offenders” in response to a written request signed by a senior officer specifying a named person about a named criminal investigation regardless of whether that person is a suspect or a witness