• Back to previous menu
• Data Protection guidance for staff
• • Guidelines for the handling of student personal data
  • How to request your own information under the DPA (for staff)
  • Writing references for students

Guidelines for the handling of student personal data

1. Introduction

1.1 Scope of these guidelines

These notes are aimed at anyone working for the University whose duties include the handling of students' personal data. They set out the practical implications of our responsibilities under Data Protection legislation and the University's Code of Practice on Handling Personal Information [PDF 14.48KB].

Where these notes refer to student files, these are files held on students for the purposes of general administration (including financial matters and provision of services such as computing, library and welfare facilities). They also relate to files related to student academic assessment and discipline.

1.2 What is student personal data?

'Student personal data' means practically any information about, or correspondence relating to, a named student. This includes names, addresses, nationality/domicile, sponsorship details, as well as more obviously 'sensitive' information such as assessment results, data on ethnic origin/social class, or medical information. DPA legislation applies to all of this record-keeping - and it is especially strict about the handling of the more 'sensitive' types of data.

1.3 How the data is held

The medium in which the data is held is irrelevant. The same guidance applies whether the information is on paper, computer/magnetic media, microfilm, or in any other format. A typical student paper file definitely comes under these guidelines.

2. Types of enquiry and how to handle them

2.1 Internal enquiries

You may release (verbally or via electronic or 'hard' copy) student personal data to fellow University employees who require that information in order to carry out their normal duties. Note that this does not include the non-University organisations on campus (banks, etc.). Even with University employees this sometimes requires care: it would not be appropriate, for instance, to release a student's home address to a colleague merely for social reasons.

The University has a Code of Confidentiality [PDF]which you should observe where the personal data in question is of a sensitive nature and is given in confidence (i.e. it falls under the Data Protection Act's defintion of sensitive personal data and concerns in particular a student's domestic circumstances, physical or mental health or condition, or sexual life).

In most cases it is likely that the enquirer will be well-known to you, and you will not be in any doubt about her/his identity. However, there will sometimes be cases where you are contacted by an enquirer where you only have the say-so of that person that they are 'internal' and entitled to the data. Where you receive such an enquiry by telephone, it is recommended practice to call the enquirer back on a verifiable telephone number, allowing a delay. For in-person enquirers, you should ask for some identification. For written enquiries (having satisfied yourself that the request is legitimate), check that the enquirer is indeed an employee of the internal University unit in question.

2.2 Normal External enquiries

'External' enquirers are defined, for these purposes, as anyone who does not meet the criteria under 2.1 above. Such enquiries must be treated with great caution.

There are two main sorts of enquiry that you are likely to receive about students: (a) cases where the enquirer wishes you to provide, or confirm, the personal details of a student; and (b) cases where the enquirer is trying to contact a student who they think is studying at Sussex.

Such enquiries seem to be (and most are) perfectly innocent, and it may seem safe enough to do things like offer to forward a message. However, there is a small but constant number of students who indicate to us that they do not wish to have the fact that they are studying here revealed to anyone, and we must respect such instructions - there is often a very serious reason behind them.

So, you should first check the Restricted Data List (also known as the 'opt-out' list) which will be available in your departmental office. This details the few students who have requested that no information be revealed about them to any enquirers. If you look up a 'restricted data' student on the database a warning will also pop up on screen. If they are on the restricted data list then you must not confirm anything about the student to the enquirer, not even the fact that they are studying here.

If the student is not on the list, you should still provide as little information as possible to the enquirer. Most importantly, never give out a student's address - except in the exceptional/urgent cases, usually involving the police, described in 3.6 below. The most that would normally be disclosed to an external enquirer is to disclose:

• that the named person is/was a Sussex student
• if asked, their mode of attendance (full/part time)
• if asked, the start date and expected/actual end date
• if asked, the degree awarded and classification (but not failure)

You may confirm the following (but do not disclose it if it differs):

• whether the address that the enquirer has is the same one we have
• whether the date of birth that the enquirer has is the same one we have

2.3 Special or urgent external enquiries

There are three 'special' types of external enquiry:

(a) Where the information is required by law;

(b) Where the information is required in the overriding interest of the individual;

(c) Where the data subject has explicitly consented to the release of the data.

Requests to release student personal data under (a) or (b) above should normally be referred urgently to the Data Protection Officer. (Interpretation and authorisation of cases involving the interest of the individual rests with the Academic Registrar, to whom such enquiries should be referred directly in the absence of the Data Protection Officer.)

In exceptional and urgent circumstances (i.e. cases where there are reasonable grounds for believing that an individual has become a danger to him/herself or others, or has committed/is about to commit a crime), you may release personal data directly to a law officer (see 3.6 below for detailed guidance).

You may also release data on the basis of explicit written consent from the individual concerned.

3. Handling difficult cases

3.1 Parents/spouses/other relatives

Students' relatives do not have the general right to information about their child/partner/relative which they often assume. In such cases, the enquiry should be referred to the Student Systems Office, whose normal practice is to offer to pass on messages. If there is a pressing case for releasing the data in the interest of the individual, contact the Academic Registrar for guidance.

3.2 The data subject him/herself

Although students (like staff) have a general entitlement to access the records the University holds about them, they have no right to demand to see their records immediately. In some cases it will be necessary for students to make a Subject Access Request under the Data Protection Act.

3.3 Other students

Other students do not have special rights to information about their fellow students. Refer enquirers to the Student Systems Office, who will normally offer to pass on messages to individuals.

3.4 Sponsors

Sponsors and similar bodies (LEAs, Embassies, High Commissions, private companies, charities, etc.) likewise do not have a general right to access 'their' students' personal data (although in some cases the University may undertake routinely to provide academically-related information to sponsors). Refer them to the Student Systems Office if necessary.

3.5 Media Enquiries

Enquiries concerning named individuals or otherwise relating to students should always be referred, without comment, to the Press and Communications Office.

3.6 Law Officers

It is the University's policy to give reasonable assistance to the enquiries of law officers in connection with their investigations. Law officer enquiries should normally be referred to the Student Systems Office, as should enquiries from other government agencies (e.g. HM Customs). In the urgent and exceptional cases referred to under 2.3 above, this may not be possible. In these cases, having verified the identity of the law officer, the person handling the enquiry may release the data directly:

(a) If the enquirer is a Court Bailiff, you must insist on referring him to the Student Systems Office. These enquiries are not usually urgent.

(b) If the enquirer is a Police Officer whose identity you have confirmed, and there are urgent reasons for releasing the data (i.e. the student has become a danger to self or others, or has committed/is about to commit a crime), then you may release the information.

(c) Take a note of all the details (the student in question, the Police Officer's identity, the information requested, the reason given, and exactly what information was provided) and copy this (marked 'confidential') to the Student Systems Office and the Academic Registrar.

4. What to keep on file: dos and don'ts

4.1 Ideal Practice

The best practice is that, wherever possible, the contents of a student's file should be limited to documents which reflect normal University business, and which have either already been copied to the individual in question, or could be so copied without any problem.

4.2 Negative judgements of individuals

You should seek to avoid keeping documents which contain comments or judgements on individuals which are of a negative nature and unsupported by evidence. You should generally seek to minimise cases where the file contains documents which you would be unhappy or embarrassed to have to show to the student(s) to whom they relate.

4.3 Assessment data and the decisions of Examination Boards

Please note that student marks/grades, and the documented proceedings of Exam Boards (including disciplinary sub-committees which investigate matters such as plagiarism), are not exempt from being disclosed to the student in question. Therefore all assessment proceedings need to be minuted and evidenced in a way which is consistent with disclosure to the individuals concerned (e.g. as part of a subsequent appeal).

4.4 Subject Access Exemptions

The main types of document which you may (need to) keep on file, and which the individual in question does not have an automatic right to see, are:

(a) References and similar judgements which are supplied by the University in confidence. The student does have the right, however, to see references received by the University. Similarly, students can obtain copies of references provided by the University from the third party to whom they are addressed.

(b) Documents relating to a negotiation between the University and the individual in question, where release of the document would prejudice that negotiation.

(c) Documents which you could not release to someone without simultaneously identifying some other individual(s).

Contact the Data Protection Officer for further details of these and other exemptions.

5. Good practice for handling student files

5.1 'Private' files on individuals

Occasionally you may be minded to create 'private' files on individuals, separate from the main operational file. The case for doing so has to be justified as being in the interest of that individual (e.g. where the data is particularly sensitive) but bear in mind that the individual almost certainly still has a right of access to that data under Data Protection legislation. In general, where you are in doubt about the best way to proceed, seek advice from the Data Protection Officer to find an arrangement sanctioned by the University.

5.2 Duplication of information

If you can see opportunities for reducing paper filing (e.g. by relying on central database or paper records), and/or unnecessary duplication or fragmentation of files on students in your area, then please take action. Not only will this reduce duplication of filing effort (and duplication of judgement about difficult cases), but it will also help the Data Protection Officer if s/he needs to urgently pull together all of the documents held about an individual, in response to a subject access request.

5.3 Writing references

See Writing references for students.

5.4 Dealing with 'unsuitable' information on a student file

If you find yourself in the uncomfortable situation of being told to file documents which you feel contain negative and unsupported judgements on individuals, you should flag such cases to your line manager, or (if this does not resolve the situation) directly to the University's Data Protection Officer. If these comments/judgements relate to academic assessment, you may bring to the attention of the author the fact that academic judgements are not exempt from being open to the individual in question (see 4.2 above), and that a lack of discretion may lead to the author, the academic unit and the University being placed in a difficult legal position.

5.5 Transferring files between offices

The contents of student files are confidential to any third party, and should not normally be shown to the student in question without that student having made a proper application to the Data Protection Officer. So, wherever feasible, student files should be transferred by hand, rather than via the internal post, and a student should never normally be asked to take his/her own file (or any other student's file) to another office unsupervised.

DATA PROTECTION OFFICER
OCTOBER 1998, UPDATED OCTOBER 2008