Guide 6 - Student use of data
Student use of personal data
Students are likely to process personal data on College systems in one or more of a number of capacities, e.g.:
(a) for research or study purposes as a registered student of the College;
(b) as an Officer Trustee of Imperial College Union in connection with the administration of that body or as an officer of one of ICU's clubs or societies;
(c) for approved research or study purposes on behalf of another organisation or as an independent project not associated with their registration with the College.
Processing by students where the College is the data controller
In the first two of these cases of student processing, the College is the Data Controller and is liable for the processing carried out by the student. This includes, but is not limited to, liability for compliance with all of the data protection principles set out in Article 5 of the General Data Protection Regulation (GDPR) and liability for provision of data in response to a legitimate subject access request.
In essence, the data protection principles require personal data to be obtained and processed fairly and only for a specific legal purpose; the data held should be only that which is sufficient to achieve that purpose; it should be kept up to date and held only as long as is necessary to achieve that purpose; it should be adequately protected and only transferred to a country outside the European Economic Area if that country is designated as having an adequate level of protection for personal data, or the organisation receiving the personal data can provide equivalent levels of protection, or there is an exemption or derogation that permits the transfer, such as where the data subject consents to the transfer.
Supervisors of students carrying out research or study as part of their registration with the College where the student will have access to personal data controlled by the College must ensure that students are familiar with the College’s and their obligations under the GDPR. Where relevant, students may also be asked to sign an appropriate confidentiality agreement and/or data sharing agreement with the College in respect of the personal data they will be processing.
Students carrying out research or study as part of their registration with the College must ensure that their processing of personal data has been authorised by their supervisor or course tutor. Where necessary, the supervisor should consult with the departmental Data Protection Co-ordinator or the College’s Data Protection Officer to ensure that any processing of personal data will be in full compliance with the GDPR. The authorising staff member should ensure that the student is aware of her or his responsibilities under the GDPR and the College’s Data Protection Policy and associated Codes of Practice. Where relevant, students may also be asked to sign an appropriate confidentiality agreement and/or data sharing agreement with the College in respect of the personal data they will be processing.
The processing of personal data by staff employed by and students working on behalf of IC Union, including the operation of its clubs and societies where this is done using College systems, is also subject to the data protection principles summarised above.
Processing by students where the College is not the data controller
3.1 Students processing patient management data under direction are required to comply with the data protection principles summarised above when processing such data and should also be aware of the Code of Practice on Handling Patient Data which forms part of College Policy.
3.2 Where processing of personal data is carried out in College for approved research or study purposes on behalf of another organisation or employer, such processing is still subject to the College's Data Protection Policy.
3.3 Where personal data is used by an individual on a private computer, laptop or mobile device only for the purpose of that individual's personal, family or household affairs, including recreational purposes, that data is exempt from the data protection principles and the subject access provisions of the GDPR.
Student access to, and use of, personal data
4.1 Students who have their Supervisor's authorisation to access personal data held within the College network, or obtained via the internet through such systems, whether from within the College or remotely, must be made aware of the conditions under which they may obtain, process and disclose such personal data. These are set out in the College’s Data Protection Policy and underlying Codes of Practice.
4.2 Supervisors or course tutors should make their students aware that the requirements for processing personal data in compliance with the data protection principles apply not just to data stored on electronic media, but also to any data held in manual files where these are structured in such a way that specific data relating to any individual may be accessed readily.
4.3 Students should also be made aware that data subjects have a number of rights with respect to their personal data as set out in paragraph 9 of the College’s Data Protection Policy. Students should advise data subjects that any request for access to their personal data has to be made via the College’s Data Protection Officer who will determine whether or not the request should be granted.
4.4 Students should also be made aware of the restrictions involved in sending personal data via the internet because of its innate lack of security. In all such activities the ‘integrity and confidentiality’ data protection principle set out in Article 5 of the GDPR must be complied with. Additional guidance on security issues relating to personal data may be found on the ICT “Be Secure” webpages.
4.5 Any processing of personal data carried out by a student which is not in compliance with the College's policy, including unauthorised browsing or disclosure of personal data, will result in disciplinary action being taken by the College or, in more serious breaches of the law, in prosecution by the Information Commissioner or civil litigation by, or on behalf of, data subjects.