Guide 8 - Disclosure of student data
Disclosure of student data to third parties
guide 8 - disclosure of student data
Disclosure of personal data to any third party is considered to be a form of data processing, thus the disclosure must be made in accordance with the Data Protection Principles and with the College’s notification of its data processing activities with the Office of the Information Commissioner. The Principles set out the conditions under which standard personal data (name, address, academic course etc) can legally be disclosed and the special conditions which apply to the disclosure of sensitive personal data (health, religion, ethnicity etc.)
A student must be informed at registration of the disclosures the College is likely to make in pursuing its legitimate interests. Should further disclosures need to be made later in a student’s course, the student must be informed of this and, where appropriate in terms of the Data Protection Act 1998, the consent of the student sought to the disclosure.
2. Dealing with requests for student data
The following are examples of disclosures which may be sought from the College by third parties and the conditions under which such disclosures may legally be made:
2.1 Confirmation of Current/Previous Student Status
Requests of this nature are likely to come from a number of sources and it is necessary to determine in each case whether a disclosure can be justified as fair processing and whether the College can ensure that the recipients of such disclosures have a justifiable cause to receive that information.
Requests from potential/actual employers and potential/actual providers of additional education are justifiably within the legitimate interests of the College and those of the recipients of such data. However, the data disclosed should be limited to a student’s period of study, marks and/or degree awarded, attendance record. More detailed disclosures are likely to be irrelevant or excessive in terms of the DP Principles and/or may require the College to release sensitive data for which consent may not easily be obtained or readily given by the data subject. Where the disclosure is requested in the form of a personal reference, there are special conditions which apply concerning access to that data and protection of third party interests.
Where disclosures are relevant and fair, it is important to ensure the validity of each request and to minimise the risk of illegitimate disclosure. Disclosures should not be made over the telephone. Enquirers should be required to submit their request in writing on headed notepaper. Ideally the enquirer should first obtain consent for disclosure from the student concerned. Failing that, the enquirer can establish his/her identity and their right to the data asking them to submit a copy of the first page of the application form submitted by the student.
2.2 Disclosures to Sponsors
Many students receive ‘sponsorship’ in the form of funding towards their studies from government agencies, research councils or private corporations. Parents may also be considered to be ‘sponsors’ but, whereas disclosures can legitimately be made to an accredited organisation, they cannot be made to parents without the student’s consent. It has been agreed that, to comply with data protection law, the College can only legitimately disclose student data to a sponsor who meets the criterion as “someone who has a contractual agreement with the student to pay part, or all, of their tuition fees”. Disclosure to any other ‘sponsor’ not fitting this definition can only be made with the student’s consent unless an organisation can provide evidence of “legitimate interest” in terms of the Act.
2.3 Fraud Enquiries
In cases where the College is asked to confirm the details of an individual who is thought to have lied about the qualifications they hold and, where the individual has never had a relationship with the College, it is in order to confirm that the College holds no record of the individual. As there is no personal data held no Data Protection Principle would be breached by such a disclosure. If, however, the individual has attended a course here and perhaps failed, any disclosure must be covered by one or more of the Principles e.g. whether there has been previous consent given, such as to a professional organisation, or there has been statutory obligation such as to HESA, or by the requirements of a contract such as to a sponsor. Otherwise, unless it could be held to be in the legitimate interests of the College to make the disclosure or the disclosure can be made to the police “for the prevention or detection of a crime”, the consent of the individual will have to be sought. Should the information be vital to a criminal case then, in response to a Court Order, the disclosure can be made without consent being given.
Except in cases where there is a statutory obligation upon the College to comply with a request for disclosure of a student’s data, there is no compulsion to make a disclosure, even in cases where the Act permits it. If there is any doubt as to the legitimacy of a disclosure request, then no disclosure should be made.
2.4 Other Enquirers
The College may receive requests for student data from other enquirers such as Government departments, representatives of the governments of foreign countries and the providers of services to students e.g. landlords, suppliers etc. Where there is no statutory, or other, legal obligation to disclose personal data a disclosure must not be made without the consent of the individual concerned. It should be noted that disclosure includes confirmation or otherwise of a student’s presence at the College.
3. Disclosure logs
Where exceptional disclosures of personal data are made to third parties, such disclosures should be noted in a log held centrally in College Registry. Each entry should show the name of the staff authorising the disclosure, the data subject’s name, details of what was disclosed, the recipient’s name, the time and date and reason for the disclosure. This will provide evidence of acting in good faith if, at some time in the future, the data subject complains about the disclosure. The table below gives an idea of some of the bodies to which a disclosure might be made by the College and the basis upon which that disclosure may be made.
Disclosure of data
|Third Party||Basis for Disclosure||Notes|
|Professional Bodies||Contract or Statutory Requirement Consent||Professional recognition or accreditation
Relatives or Guardians
|Consent||Students in HE are private individuals|
|No statutory right to request|
|Environment Agency||Possible non-disclosure exemption||Notifiable disease contact|
|Health & Safety Executive||Statutory reporting of injuries||Disclose only basic personal details of those injured|
|Department of Environmental Health||
Protection of vital interests
|No statutory obligation but per missible without consent under the Act|
|Council Tax Registration Officers||Permissible without consent||Legitimate interests|
|UK Funding Councils and their Agents e.g. HESA||Further & Higher Education Act 1992||Required for exercise of statutory function|
|UCAS||Consent||UCAS informs applicants of exchange of data between them and HEIs|
|Survey/Research Organisations||Consent||Informed consent in response to each request|
|The Police||DP Act Section 29 - Disclosures to the police are not compulsory unless the College is served with a Court Order requiring information. However, Section 29 allows data to be disclosed in relation to “the prevention and detection of crime” and the “apprehension or prosecution of offenders” in response to a written request signed by a senior officer specifying a named person about a named criminal investigation regardless of whether that person is a suspect or a witness|