Guidelines for the disclosure of student personal data.
Guidelines for the disclosure of student personal data
According to data protection legislation, the circumstances under which personal information can be disclosed without the authorisation of the individual are fairly limited in practice.
UCL must balance the sometimes competing interests of other third parties (including families, police, local authorities, other educational establishments etc), and the right to privacy of individual students as protected by the legislation.
More information and examples of who might request student information are provided below.
Disclosure and sharing
Disclosures of personal data require a legal basis and compliance with the eight data protection principles, in particular the first principle. This requires that the disclosure is fair and lawful and usually requires that individuals are informed first and possibly consent to the disclosure.
Data sharing agreements are sometimes used to formally document a disclosure of personal data between one or more data controllers. This usually sets out the legal basis for the disclosure as well as other governance arrangements such as the way the data will be shared. From time to time UCL may wish to share personal data with another organisation (another data controller). The circumstances and purpose of sharing the personal data will determine if this is a disclosure from one data controller to another or a whether instead it amounts to a the use of a data processor.
There may be occasions where UCL decides to engage the services of a third party (for example an external supplier, or contractor), that involves the processing of personal data on behalf of the university. This could be the outsourcing of a particular service to a third party supplier such as off-site storage or the use cloud based services. Data Processors are used across UCL from researchers utilising transcription services to ISD entering into agreements with cloud suppliers.
In order to satisfy the minimum requirements for any processing of personal data under the data protection legislation, both parties must agree to enter into a data processing agreement. The data processing terms may be part of an overarching agreement or form part of the standard terms of service such as in the case of cloud services.
In other cases a separate data processing agreement may be used. The Data Controller (in this case UCL), can set out the requirements for what can be included in the agreement, although such conditions should not include terms which could bring it into conflict with the DPA.
The data processor (in this case the third party) can only then process the personal data in accordance with such an agreement imposed by the Data Controller (for example the purpose, how the data can be processed and appropriate security safeguards).
We have created a data processing agreement template which is available below:
“This Data Processing Agreement is designed for use when UCL, acting a data controller, engages a third party to process personal data on its behalf, and that third party processes the data only: (a) within the European Economic Area; or (b) within one of the territories deemed by the European Commission to provide an adequate level of protection (see the section on Disclosing Personal Data Overseas” for further information on this topic).”
Under the terms of data protection legislation, UCL is required to process personal data in accordance with the data protection principles set out in the DPA. These include various safeguards for the individuals concerned and prohibit unauthorised disclosure of personal data to third parties unless such a disclosure is permitted by one of the exemptions under section 29 of the DPA.
These exemptions relate to matters such as the prevention or detection of crime, or the assessment or collection of tax, or where disclosure is required by law or is necessary in connection with legal proceedings. Under this exemption, where an organisation has received a request from a third party for information constituting personal data, they may be able to release the data to the third party without the knowledge or consent of the data subject if the organisation which processes the data is satisfied that the exemption applies.
- You should not disclose information about a student to an outside organisation over the telephone.
- Individual requests received from organisations/bodies must be verifiable.
- They must be made in writing on official headed paper and should ideally cite the relevant data protection legislation exemption or other legislation which authorises UCL to release the information.
Data protection legislation states that personal data shall not be transferred to a country or territory outside the European Economic Area (EEA), unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The EEA comprises the 27 member states of the European Union, as well as Norway, Iceland and Liechtenstein. Personal data may not be transferred outside the EEA unless the country has an adequate level of protection. However, the European Commission deems Argentina, Guernsey, Isle of Man, Jersey and Switzerland to have an adequate level of protection, so that personal data may be transferred to these territories.
In practice, this means the personal data of the student, must receive the same level of protection and security as within the United Kingdom.
Any transfer of personal data may not be transferred overseas unless you have the explicit consent of the student, or there is a requirement for the performance of a contract, or legal proceedings.
The guide below provides examples of who might request student information from UCL either as a regular or ad hoc occurrence. However this list is by no means exhaustive.
Give due consideration before sharing personal information about a student to a work colleague. Disclosure should only be made to individuals who have a legitimate interest in receiving the information and require it in order to perform their duties.
If you decide to share information with a work colleague, consider the level of detail needed for them to be able to perform the task in question. For example, if you are aware that a student is going to be absent from the university for some time, you will need to notify their department. However, it might not be necessary to inform all colleagues as the specific nature for this leave.
UCL has no obligation to disclose information about a students to family members without consent. Staff should not feel pressurised to disclose such information without the written consent of the student involved.
There is no general requirement to disclose information to the Police. However, section 29 - Crime and Taxation, of the DPA, allows limited exemption from the 1st Principle: Personal data shall be processed fairly and lawfully. This allows UCL to release information to the Police without consent of staff or students in some circumstances. However, before any such disclosure is made, the Police will be required to provide the request in writing on their own request form and signed by the investigating officer.
If you receive a request from a local authority about a student, you should ensure that the request is made in writing and on headed paper. Staff should not disclose any personal information over the telephone. Information provided should be to limited facts, such as name and attendance. Requests for sensitive personal data will require the consent of the student involved.
The information released should be the minimum relevant to the request – usually attendance and award details although classification and module marks may also be relevant in certain circumstances.
- Response should only be made to requests received in writing.
- Requests for information from institutions formerly attended by the student should not normally be met, unless either the student has authorised the disclosure or the other institution can provide verifiable justification under data protection legislation.
Higher Education Funding Council for England (HEFCE) and agents such as Higher Education Statistics Agency (HESA) and HEFCE auditors
UCL is required by law to disclose information to the Higher Education Funding Council for England on request. This includes the incidental disclosure of student data during visits by academic or other auditors appointed by the Funding Council. Disclosures may also be made to agents of the Funding Council.
The Universities and Colleges Admissions Service (UCAS)
As applicants are made aware by UCAS when they first submit their details that information will be passed between them and UCL, relevant data may be shared freely with UCAS as the need arises.
Such disclosures should be made when an official written application is received from HMRC in relation to the collection of tax or duty. The relevant DPA exemption, normally section 29, should be quoted.
In the course of normal and legitimate activity, it is possible that student information may be disclosed to the QAA
UCL may be asked for information about existing or former students by current or potential employers and recruitment agencies. Typically, this occurs when such a student applies for a job. As the student has freely supplied details of previous or ongoing study, relevant information may be provided.
In cases of accidents occurring within institutional property, UCL may need to release the details of the accident to its insurers. This may involve disclosure of student details, notably in cases where a student has suffered injury and may be in a position to claim damages.
UCL should ensure that, in cases where particular degree schemes lead to professional recognition, accreditation or exemption, students on such courses are told at point of registration that their final result, including any failures, will be communicated to the relevant professional body.
Should a professional body make an ad hoc approach for personal details of students with qualifications in a particular academic discipline, such enquiries can only be answered with the consent of the student(s) involved.
UCL has an obligation NOT to provide information to sponsors without consent. Any arrangements students have made regarding the payment of their fees does not alter the fact that this is an arrangement between the student and the body funding the student, not between UCL and the body.
Consent for such disclosure may be proven in two ways:
- Written permission from the student to provide the sponsor with any requested information about such things as attendance and results
- The verified existence of a contractual arrangement between the student and the sponsor which permits the disclosure of specified information
The SLC provides loans and, in some cases, fee payments for undergraduate students.
Students who are in receipt of such funding sign a formal agreement with the SLC regarding the financing of their studies, a contract which permits disclosure of personal information by UCL as necessary.
References provided and received by UCL, and internal references.
References provided by the university
Data protection legislation states that confidential references provided by an organisation (in this case UCL) are exempt from an individuals subject access rights if the reference relates to:
- education, training or employment
- appointing office holders
- providing any service
This exemption allows the university the discretion to refuse to release a confidential reference written by a member of university staff, as part of subject access request.
References received by the university
Data protection legislation gives individuals the right of access to their personal data. Confidential references which have been received by the university, and requested by the relevant individual who is the focus of that reference, it is normal practice for the university to write to the referee to seek their views before any disclosure takes place. This will also require the university to balance the privacy rights of the referee, against the individual’s interest in seeing what has been said about them.
The university will need to be careful that they are not unknowingly disclosing information which may relate to a third party (i.e. the referee) without consent.
Where possible you should contact the referee to see if they have any objection to the confidential reference being disclosed. If the referee gives their consent, then the confidential reference can be disclosed. If the referee refuses permission, then the data protection legislation will require the university to balance the interests of the third party and the data subject as to whether the reference should be disclosed or not. You could also consider removing the referees’ personal information from the reference so that they cannot be identified by the data subject. Although, in some cases, it may still be likely that the data subject may have a good idea who has written the reference.
If you are unable to contact the referee then the same balance of interest should be applied.
When a request is received for the supply of a confidential reference written by an individual from one department in response to an internal vacancy in another department. The same criteria should be applied as if you have received a confidential reference from an external third party.
In cases where there are formal exchange links between UCL and overseas HEIs or equivalent bodies, there will, of necessity, be a limited flow of student data between these sites. In cases where the exchange institution is based outside the EEA, such disclosure will usually require consent from students, sought before their exchange begins. Disclosure to institutions inside the EEA will not need consent.
The data protection legislation's non-disclosure provisions are waived for the purpose of “or in connection with legal proceedings…or is otherwise necessary for…establishing, exercising or defending legal rights”.
In cases where UCL is approached by solicitors or others engaged in a Court case, it is worth noting that there is no compulsion to disclose, just because the law gives dispensation to do so. In cases where the institution has no direct involvement in the case, it may be advisable not to disclose anything without the consent of the student concerned.The key point to consider when determining this is the extent to which the other entity is responsible for making decisions about the use of the personal data. If they are simply carrying out a specific task on your behalf and will return the personal data and the result of their work to you once complete they are likely to be a data processor and you will need to ensure you have a data processing agreement in place. Data processors are on the whole not liable for the tasks they carry out, the data controller remains responsible. If the other institution are responsible for making decisions about the personal data they process, such as what personal data they collect, how they use it and/or they wish to retain it for other purposes then they are likely to be a data controller, perhaps jointly with UCL. In these cases they are also liable for their actions according to data protection law and you will need to establish a data sharing agreement. Seek advice from the data protection team where you are uncertain or require copies of template agreements.
If you intend to collaborate with researchers at other institutions or commercial organisations ensure that you establish exactly what information will flow between UCL and them; if this is personal data ensure that the data controller and data processor is determined and documented prior to any data being shared.