Guide 9 - Disclosure of staff data
Disclosure of staff personal data to third parties
The General Data Protection Regulation (GDPR) provides data subjects with a greater degree of control over the parties to whom their personal data is released. Disclosures are permitted where data subjects have given their consent, although in certain specified circumstances the GDPR permits disclosure without such consent. Disclosures of personal data to persons or organisations outside the European Economic Area are subject to additional rules unless the data subject has given their consent.
Personal data must not be disclosed to unauthorised third parties, including family members, friends, local authorities, government bodies, foreign Embassies and High Commissions and the police, unless the data subject has consented to the disclosure or consent is exempted by the GDPR, or by other legislation. There is no general legal requirement to disclose personal data to the police (see Section 6 later).
Consequently, staff should be cautious when a third party enquirer requests disclosure of personal data. It is important, in the interests of the data subject, that care is taken to ascertain that a third party has a genuine requirement for the information requested. Where disclosures are relevant and fair, it is important to ensure the validity of each request and to minimise the risk of illegitimate disclosure. In most cases a disclosure in response to a telephone call is not good practice in view of the difficulty of verifying the identity of the caller, even where the request is simply to establish that the data subject is associated with the College. Enquirers should be required to submit their request in writing, and responses should also be made in writing (and not provided over the telephone). Ideally, the request for the disclosure of personal data to a third party should come either from the data subject directly, or the request from the third party should be accompanied by a statement from the data subject consenting to the disclosure. Where you are uncertain as to whether an individual has consented to the release of their data, you should first contact the individual to seek consent for disclosure prior to releasing any information to the enquirer.
Except in cases where there is a statutory obligation upon the College to comply with a request for disclosure of an individual’s data, there is no compulsion to make a disclosure, even in cases where the GDPR permits it. If there is any doubt as to the legitimacy of a disclosure request, then no disclosure should be made.
Staff should always consult the College’s Data Protection Officer if they are uncertain whether information about an individual can be released to a third party.
Departments should have in place a system for dealing with requests for personal data pertaining to their staff from third parties. This should involve identifying one or more persons who are responsible for handling such requests and to whom enquirers should be directed. These nominated persons should determine whether they are able to deal with the request directly, as indicated below, or whether the request should be referred to the College’s Data Protection Officer.
Disclosure of personal data to employees of the College
Where an employee of the College requests personal data about another data subject within the College, such information should be released only if, and only to the extent that, the member of staff requires the information in order to perform his or her official duties. Permission for such disclosures must be granted by a senior member of staff as determined by the Head of the Department concerned. He/she may wish to determine each request singly on a one-off basis, or may set out in local rules those members of staff who have the authority to consent to such a disclosure e.g. only the Head of Department or Deputy can disclose financial data on individuals, only line managers can respond to queries on references, only tutors can authorise the disclosure of student personal data, etc.
Disclosure of personal data to employment agencies, prospective employers, banks and building societies
It is important, in the interests of the data subject, that care is taken to ascertain that a third party has a genuine requirement for the information requested and that the data subject has consented to the disclosure. As noted above, in most cases a disclosure in response to a telephone call is not good practice in view of the difficulty of verifying the identity of the caller, even where the request is simply to establish that the data subject is employed by the College. Ideally, the request for the disclosure of personal data to a third party should come either from the data subject directly or the request from the third party should be accompanied by a statement from the data subject consenting to the disclosure.
Disclosure of personal data to casual enquirers
Disclosure of personal data to supposed family and friends or seemingly official bodies, in response to telephone calls, can be damaging to a data subject unless they have given their consent. Do not confirm or deny that the person is a member of the College. Instead, inform the data subject of the enquiry and leave them to make subsequent contact, should they wish to. Alternatively, if the enquirer already knows that the person is a member of the College, instead of providing a postal or e-mail address or telephone number to a third party, the person receiving the request should offer to forward any message that needs to be communicated.
Disclosure of personal data to the police
In response to a casual enquiry from the police, College staff are no more obliged to disclose personal data about one of the College’s staff or students than they would be to any other casual enquirer. The police are entitled to have personal data disclosed to them without the consent of the data subject, where they can establish that the disclosure is made in order to prevent or detect crime, or to apprehend or prosecute offenders in accordance with the provisions of the applicable legislation. However, it is not sufficient for them to state this justification over the telephone or when making the request in person. They must provide a formal written submission. Should a Department receive such a submission, the College’s Data Protection Officer should be contacted for further assistance. Even where responding to a request is justified by legislation, the College has to ensure that, in the interests of the data subject, it does not disclose personal data that is not covered by that legislation.
Disclosure without consent
Personal data about an individual may be disclosed to third parties without consent in specific situations, usually for regulatory or legal reasons. In addition, where the individual's consent is required but they cannot be contacted, or where the circumstances are such that it would be inappropriate to seek their consent, Heads of Department or their nominated representative should consult with the College Data Protection Officer before responding to any such request for disclosure.