Frequently Asked Questions

What is the difference between the Data Protection Act and the Freedom of Information (Scotland) Act?

The Data Protection Act (DPA) covers personal data held by an organisation about a living person. The DPA gives individuals rights over the security and use of their personal data, and the right to request access to all information that an organisation holds on them.

The Freedom of Information (Scotland) Act covers recorded information held by a public authority. It gives individuals the right to request recorded information on any subject.

If an individual makes a request for information on him/herself, then that must be handled under DPA (see Handling requests for personal data). If an individual requests general information on a subject or another person, then that must be handled under FOISA (see Handling general information requests).

For a more comprehensive breakdown and comparison of the two acts, please see our A to Z entry on DPA vs FOISA.

What do I do if a student asks me to write a reference?

Guidance on writing references for students can be found here: References for Students

What do I do if a staff member asks me to write a reference?

Guidance on writing references for staff members can be found on the HR website here: Reference Requests About Staff.

Can I see a reference written about me?

A reference written by University staff

There is no requirement for the University to release references written by staff, and these references are generally exempt from your right of access under the Data Protection Act.

Please see Human Resources information on Reference Requests about Staff for further guidance.

A reference received by the University from a third party

If you want to see a reference written about you, which was received by the University from a third party (e.g., your referee from a previous post), you can request this through a Subject Access Request.  

For further guidance on access to references, please see Subject's Right of Access to References

For further guidance on Subject Access Requests, see How to Request Information About Yourself

Is there anything that I need to consider when working from home?

You are responsible for the safe-keeping and security of any personal data that you process while working at home.

If you are using mobile devices to transfer data from the office to your home, e.g. on a CD, memory stick, tablet, or laptop, these devices should be securely encrypted.  IT Security has a confidential data policy, which includes information and guidance on encrypting various devices. Do not leave devices containing personal data unattended in cars, briefcases, restaurants, pubs, etc.

When logging in to the University network from your home computer/tablet/laptop, please use the VPN; this ensures secure, encrypted access to University systems and personal data. IT Services provides guidance on using the VPN client off-campus.

If you are backing up personal data, or destroying it, ensure that this data is handled securely and confidentially.

For further guidance on security policies please visit IT Services Information Security. For practical advice on device encryption and security, please contact Information Security Coordinator Chris Edwards, at

What should I do if the Police ask me for information on a staff member or a student?

Under the Data Protection Act, the University can share personal data on a staff member or student without the consent of the individual concerned, if it aids the prevention or detection of crime, or if it is an emergency and in the vital interests of the individual. However, we are not required to share information, so the Police must provide a Section 29 disclosure request form. The form details the information sought and why the Police want it, and it must be signed by two officers.

All Section 29 forms are processed by the Data Protection and Freedom of Information Office and the release of the information is at our discretion. If the Police approach you for information please get in touch with the DP/FOI Office for guidance and assistance.  If you are approached outside standard office hours please contact Security.

For additional information on handling Police requests for information, including what to do in an emergency situation, please see Police Request for Personal Data and Emergency Requests for Personal Data.

What should I do if a parent or third party sponsor asks for information on a student?

In keeping with University policy and the Data Protection Act information on students must not be released to third parties unless there is a legitimate reason for disclosure.

You may receive enquiries from parents, asking for information on their students’ fees, attendance, outstanding debts, etc. Parents do not have a right of access to information on students, even those under the age of 18 – the best response to these enquiries is to neither confirm nor deny whether the individual in question is a student. You may take a message and contact the student yourself, for consent to share his/her data with the parent. Please note that consent from the student must be provided in writing.

You may receive an enquiry from a third party financial sponsor asking for information on a student. Check with Finance or Registry to see if the student in question has an arrangement with the sponsor. Depending on the enquiry, it may be useful to determine whether the sponsorship requires the student to meet any attendance or performance goals – if so, the sponsor may be entitled to this type of information.

Wherever possible, seek the student’s consent regarding disclosure of their personal data. If you do share with the sponsor, make sure you limit the shared information to what was requested and/or determined reasonable to release.

For further advice contact the DP & FOI Office or the Student Services Enquiry Team.

I am moving office, but I do not have space for all of my records and paperwork. What do I do with this information?

Establish if your office has a records retention schedule. A retention schedule lists all the records you create, and how long they should be retained. If you do have a schedule please contact Records & Information Management Service to discuss updating the schedule. We will work with you to determine if records should be kept, or sent to the University Records Centre.

If you do not have a retention schedule, please contact the RIMS as soon as possible ahead of your move.  We will work with you to create a usable schedule.

RIMS provides extensive guidance on retention schedules.

Do not leave your documents or records behind in the old office or in a bin bag/box outside your office. If your records contain personal data on staff, students, or stakeholders, you will be in danger of breaching the DPA without adequate security and disposal processes in place.

The University has procedures in place for the proper disposal of confidential waste in all formats. For further information on using these various services, please see our A to Z topic on Paper Waste Disposal and Confidential Information Destruction.

I need to share student or staff data with an organisation outside the University. Is there anything I should consider before I go ahead with this?

If you are sharing personal data outwith the University, you must make adequate arrangements to safeguard the handling and processing of the University’s data. These arrangements may involve a formal data sharing agreement between the University and the other organisation. A data sharing agreement will ensure that all aspects of the processing of the personal data are managed appropriately. The Data Protection and Freedom of Information Office will assist in drafting a data sharing agreement, should you require one.

Please see our guidance on Data Sharing Agreements for further information.

How can I learn more about Data Protection or FOI?

The DP & FOI Office, in conjunction with Employee and Organisational Development, provides twice annual trainings in General Data Protection Regulation, Freedom of Information, and records management. Information on dates and sign-up is found via the EOD website. There is now online training for the General Data Protection Regulation which can be found on Moodle. 

We also offer bespoke sessions on Data Protection and Freedom of Information. We can provide full 1.5 hour sessions, or brief overviews for presentation at staff meetings or lunchtime drop-ins. Presentations can be tailored for handling DP or FOI in an administrative and/or research context.

If you would like to arrange a training session, please contact for Data Protection training or for FOI training, or call 330 6494.