Data Protection

UCL Data Protection Policy and useful forms

Data Protection and Students

Student confidentiality:

No confidential personal information shall be divulged to any external enquirer without the student's express permission. This includes parents, legal guardians or next of kin. Requests from external agencies for information about a student should be referred to Student and Registry Services (SRS).

Tutorial and Supervisory matters:

  • Staff should not discuss individual students by name in a public place.
  • Students have a right to see their student files, whether paper or electronic, by making a Data Protection Access Request. Therefore the department has a duty to ensure that these files are complete and accurate, and that they do not contain any defamatory material.
  • Students have a right to know if any notes are made during a meeting with their tutor. They should be given the opportunity to read and countersign these notes, which should then be placed on their student file.
  • Emails which have the student's name as the subject are accessible documents and the student has the right to see them.
  • Email is not a secure medium. Do not send anything by email that you would not wish the subject of the message to see.
  • As unsigned email, when printed out to hard copy, can constitute a legal contract. Please ensure that any offers made in this way contain a disclaimer.

Coursework and Examinations:

  • Coursework should be returned to the student in a sealed envelope, personally addressed, unless the student agrees otherwise.
  • Examination and degree results should be returned to the student in a sealed envelope, personally addressed. If these results are to be published on a notice board then the individual students should not be named; the results should refer to candidate numbers only.
  • A student has the right to view examiners' comments relating to their examination scripts, produced in a legible form, by making a Data Protection Access request. They also have the right by the same route to view the minutes of the examinations board, but only if these can be seen without disclosing a reference to any other person.
  • Email should not be used for disseminating examination and degree results unless with the written permission of the student.


  • Departments developing e-learning strategies should be aware that, as the student will be identified when they access the programme, the records generated are subject to the Data Protection Act.
  • Students must be advised of this aspect of e-leaning and their specific consent to the collection of data in this way must be obtained.

Student Debt:

Students who are in debt to the College, for any reason, will have their results withheld and will not be allowed to enrol at any future session. Students have a right to obtain their results but not an award. In these circumstances they may apply to receive their results by making a Data Protection Access Request to the Data Protection Officer, but will not receive them automatically from the Examinations section.


  • References received by UCL are not exempt from the Data Protection Act, and may be seen by the student. However, before they are shown to the student the written permission of the referee must be obtained.
  • References given by UCL employees, in their formal capacity, which relate to the education, training or employment of a student are exempt from the Data Protection Act. UCL has the discretion to refuse to release a confidential reference written on their behalf.

Data Protection and Research

Staff or students undertaking research (including oral history) that requires the use of personal data must register the project with the UCL Data Protection & FOI Officer, Alex Daybank, before they start collecting the data. They must also obtain signed permission from their subjects to collect and use their personal data for research.