Checklist for compliance with DPA for Advisers of Studies
The Data Protection Act 1998 [DPA] is concerned with the processing of personal and sensitive personal data about a living individual. Personal data may be any information in any document from which a living individual may be identified, where:
- the individual is the focus of a document,
- the data includes significant biographical facts, opinions and intentions,
- the processing of the data affects the individual’s privacy.
The document may be in any format on any media. Sensitive personal data includes issues relating to the sexuality, mental & physical health, ethnicity, and political and religious affiliations of an individual. More information on the coverage and rules of processing personal & sensitive personal data is available via the topics in the A to Z Guide.
Access to records by students
- Students have the right, under the Subject Access Request [SAR] provisions of the DPA, to request access to all documents held by the University that contain personal data about themselves. Such documents are not restricted to paper documents but also include documents stored in IT systems such as e-mail and file-store. Advisers must beware the retention of inappropriate or 'subjective' comments in a student's file as these will have to be released to a student under the SAR provisions. There are a few potential exceptions to the access rights covering medical, and similar, issues.
Consent to handle personal data
- The student gives consent, as part of the registration process, to the University to process personal, and sensitive personal, data to manage their time at the University. The consent to sharing personal data includes handling by authorised support staff. Advisers of Studies need not seek additional consent from the student.
- The extent of the consent is detailed in the personal data section of the University Calendar.
- The consent includes the need for personal data and sensitive personal data to be disclosed to, received from, and shared with, other members of Staff of the University on a need-to-know basis when the sharing of the data is necessary.
- Some specialised services within the University, such as the Student Disability Service & the Student Counselling and Advisory Service, request explicit consent from the student when he/she seeks to use that service.
Sharing of personal data
- The Adviser of Studies need not seek additional consent to share personal data with authorised colleagues and authorised support staff. See previous section Consent to handle personal data.
- The consent includes sharing the data with Staff of another Institution where the course is joint with, or in collaboration with, that other Institution.
- In some cases, to avoid misunderstanding, it may be prudent to advise a student that personal data will be shared for an agreed action to be carried out. For example, the Adviser of Studies may need to pass personal data to another department or Faculty in the University.
- Sensitive personal data, such as disability or impairment information, must not be publicly displayed.
- The University has no direct responsibility towards parents or guardians and must respect the privacy of its students. The Adviser must not reveal or confirm the presence of an individual as a student at the University, nor disclose any information about the student without the consent of the student. The Adviser must inform the parent of the requirements of the DPA such that information cannot be disclosed.
Security of personal data
- Student files must be kept secure in locked filing cabinet(s) in a locked office.
- Only authorised persons must have access to an Adviser's office and to the contents of relevant filing cabinets.
All Advisers should seek advice from their local IT support or from the IT Services HelpDesk to ensure the following arrangements are operational:
- The Adviser to have unique user-ids/passwords that must be used to access both local and central MIS/corporate systems where personal data is stored;
- The Adviser's PCs to have a password protected screen saver, or other similar facility, to ensure information displayed on a screen is protected from casual sight by unauthorised persons;
- Advisers to save personal data files and E-mail messages to a secure network drive/server, and not to a local disk drive in the Adviser's PC, to protect against information disclosure and/or loss in the event of theft/damage;
- All Advisers' and support staff PCs to run anti-virus software with the software updated at regular intervals;
- Access to the personal data files on the network drive/server to only be available to the Adviser and to authorised support staff;
- The secure network drive/server to be backed-up on a daily basis to protect against total loss of personal data in the event of fire/damage/failure;
- Advisers must be careful with the cc & bcc facility available in e-mail systems as it can lead to the accidental disclosure of email addresses. In cases where email recipients (particularly external recipients) have no need to know who else will receive the e-mail, or where it is not clear whether they are aware that others might be given their contact details, Advisers must use the bcc facility to ensure there is no accidental disclosure.
- Advisers, when communicating with students via e-mail, must use the student's University e-mail address.
Retention & disposal of personal data
- Documents containing personal, and sensitive personal, data must not be retained for longer than is necessary.
- Documents may include e-mail messages plus the contents of spreadsheets, databases, and other resources held on IT systems. These IT and paper-based documents must be considered as one logical set of records applicable to an individual student.
- Advisers must beware the retention of inappropriate or 'subjective' comments in a student's file as a student has a right, under the Subject Access Request [SAR] provisions of the DPA, to have access to all documents held by the University that contain personal data about themselves.
- Advisers must use secure disposal procedures, such as shredding or incineration, to dispose of manual personal data.
- Advisers must seek advice from their local IT support or IT Services HelpDesk when an Adviser's PC is identified for reallocation or disposal. The University's 'Disposal of IT equipment' policy must be adhered to.
- The advice below is general and applies whether the reference is written by an Adviser, tutor, lecturer, examiner, or other member of Staff, or from consulting the individual's record.
- A reference must state whether it is written on behalf of the University or in a personal capacity, and whether the individual is known to the Referee.
- Advisers should indicate to students whether they will (a) provide a reference based on the factual record in the individual's file, or (b) only provide a reference when the student seeks the Adviser's prior permission.
- A reference that is very brief or overly enthusiastic may invalidate the reference in the eyes of the recipient.
- A reference originating from the University is exempt from a Subject Access Request submitted direct to the University, though the recipient of the reference may release the document at his/her own discretion. There is no requirement by the recipient to seek the Referee's consent.
- A reference received by the University would normally have to be released under the Subject Access Request rules.
- A reference must be factually correct as far as is practical and state within what parameters the reference is given: as an Adviser, tutor, lecturer, examiner, or other member of Staff, or from consulting the individual's record.
- Any evaluative comment in a reference must be clearly identified as such.
- An opinion, within a reference, about an individual's suitability must be based on facts available to the Referee.
- A reference must not be ambiguous, use coded language, nor allude to issues that cannot be mentioned in a written reference.
- A reference must not provide any sensitive personal data, such as health information, without the explicit consent in writing of the student. If necessary a response such as "I am not in a position to comment regarding X's health/sickness/.." is acceptable.
- If an Adviser is not able or willing to provide a reference then the refusal must be neutral and not imply a negative reference.
- A copy of a reference should be retained for one year.