Guide 9 - Disclosure of staff data
Disclosure of staff personal data to third parties
guide 9 - disclosure of staff data
The Data Protection Act 1998 (DPAct98) provides Data Subjects with a greater degree of control over the parties to whom their personal data is released. Disclosures are permitted where Data Subjects have given their consent, although in certain specified circumstances the DP Act 98 permits disclosure without such consent. Disclosure of personal data to persons or organisations outside the European Economic Area are subject to additional rules unless the Data Subject has given their consent.
Personal data must not be disclosed to unauthorised third parties, including family members, friends, local authorities, government bodies, foreign Embassies and High Commissions and the police, unless the Data Subject has consented to the disclosure or consent is exempted by the DP Act98, or by other legislation. There is no general legal requirement to disclose personal data to the police (see Section 6 later).
Departments should have in place a system for dealing with requests for personal data pertaining to their staff from third parties. This should involve identifying one or more persons who are responsible for handling such requests and to whom enquirers should be directed. These nominated persons should determine whether they are able to deal with the request directly, as indicated below, or whether the request should be refered to the College Data Protection Officer
2. Disclosure of personal data to employees of the College
Where an employee of the College requests personal data about another data subject within the College, such information should be released only if, and only to the extent that, the member of staff requires the information in order to perform his or her official duties. Permission for such disclosures must be granted by a senior member of staff as determined by the Head of the Department concerned. He/she may wish to determine each request singly on a one-off basis, or may set out in local rules those members of staff who have the authority to consent to such a disclosure e.g. only the Head of Department or Deputy can disclose financial data on individuals, only line managers can respond to queries on references, only tutors can authorise the disclosure of student personal data, etc.
3. Disclosure of personal data to employment agencies, prospective employers, banks and building Societies
It is important, in the interests of the Data Subject, that care is taken to ascertain that a third party has a genuine requirement for the information requested and that the Data Subject has consented to the disclosure. In most cases a disclosure in response to a telephone call is not good practice in view of the difficulty of verifying the identity of the caller, even where the request is simply to establish that the Data Subject is employed by the College. Ideally, the request for the disclosure of personal data to a third party should come either from the Data Subject directly or the request from the third party should be accompanied by a statement from the Data Subject consenting to the disclosure.
When a Department receives a request for personal information by telephone from an enquirer who appears to be a person to whom information may properly be disclosed, it is good practice to offer to telephone that person back with the information to ensure some measure of authentication. However, you should also bear in mind the restrictions set out in this document concerning disclosures to family, friends, official bodies and the police. As with disclosure within the College, it up to the Head of a Department to determine who has the authority to assess the validity of such requests and to respond to them.
4. Disclosure of personal data to casual enquirers
Disclosure of personal data to supposed family and friends or seemingly official bodies, in response to telephone calls, can be damaging to a Data Subject unless they have given their consent. Do not confirm or deny that the person is a member of the College. Instead, the Data Subject should be informed of the enquiry and leave them to make subsequent contact, should it be desired. Alternately, if the enquirer already knows that the person is a member of the College, instead of providing a postal or e-mail address or telephone number to a third party, the person receiving the request should offer to forward any message that needs to be communicated. Again, it is important to refer such requests to a senior figure who has been given the authority to assess and respond to them.
5. Disclosure of personal data to the police
In response to a casual enquiry from the police, College staff are no more obliged to disclose personal data about one of its staff or students than to any other casual enquirer. The police are entitled to have personal data disclosed to them without the consent of the Data Subject, where they can establish that the disclosure is made in order to prevent or detect crime, or to apprehend or prosecute offenders in accordance with the provisions of Section 29 of the DP Act 1998. However, it is not sufficient for them to state this justification over the telephone or when making the request in person. They must provide a formal written submission in the form of a Section 29 application. Should a Department receive one of these, the College Data Protection Officer should be contacted so that s/he can verify that the applicant has completed the form in compliance with the police's own guidelines. Even where responding to a request is justified by legislation, the College has to ensure that, in the interests of the Data Subject, it does not disclose personal data that is not covered by that legislation.
6. Disclosure without consent
Personal data about an individual may be disclosed to third parties without consent in specific situations, usually for regulatory or legal reasons. In addition, where the individual's consent is required but they cannot be contacted, or where the circumstances are such that it would be inappropriate to seek their consent, Heads of Department or their nominated representative should consult with the College Data Protection Officer before responding to any such request for disclosure.