Planning, Governance and Compliance

Guidelines for the handling of student personal data

1. Introduction

1.1 Scope of these guidelines

These notes are aimed at anyone working for the University whose duties include the handling of students' personal data. They set out the practical implications of our responsibilities under the Data Protection Act (DPA) and the University's Code of Practice on Handling Personal Information [PDF 14.48KB].

Where these notes refer to student files, these are files held on students for the purposes of general administration (including financial matters and provision of services such as computing, library and welfare facilities). They also relate to files related to student academic assessment and discipline.

1.2 What is student personal data?

'Student personal data' means practically any information about, or correspondence relating to, a named student. This includes names, addresses, nationality/domicile, sponsorship details, as well as more obviously 'sensitive' information such as assessment results, data on ethnic origin/social class, or medical information. DPA legislation applies to all of this record-keeping - and it is especially strict about the handling of the more 'sensitive' types of data.

1.3 How the data is held

The way in which the data is held is irrelevant. The same law applies whether the information is on paper, computer/magnetic media, microfilm, or in any other format. A typical student paper file definitely comes under these guidelines.

2. Types of enquiry and how to handle them

2.1 Internal enquiries

You may release (verbally or via electronic or 'hard' copy) student personal data to fellow University employees who require that information in order to carry out their normal duties. Note that this does not include the non-University organisations on campus (banks, etc.). Even with University employees this sometimes requires care: it would not be appropriate, for instance, to release a student's home address to a colleague merely for social reasons.

The University has a Code of Confidentiality [PDF]which you should observe where the personal data in question is of a sensitive nature and is given in confidence (i.e. it falls under the Data Protection Act's defintion of sensitive personal data and concerns in particular a student's domestic circumstances, physical or mental health or condition, or sexual life).

In most cases it is likely that the enquirer will be well-known to you, and you will not be in any doubt about her/his identity. However, there will sometimes be cases where you are contacted by an enquirer where you only have the say-so of that person that they are 'internal' and entitled to the data. Where you receive such an enquiry by telephone, it is recommended practice to call the enquirer back on a verifiable telephone number, allowing a delay. For in-person enquirers, you should ask for some identification. For written enquiries (having satisfied yourself that the request is legitimate), check that the enquirer is indeed an employee of the internal University unit in question.

2.2 Normal External enquiries

'External' enquirers are defined, for these purposes, as anyone who does not meet the criteria under 2.1 above. Such enquiries must be treated with great caution.

There are two main sorts of enquiry that you are likely to receive about students: (a) cases where the enquirer wishes you to provide, or confirm, the personal details of a student; and (b) cases where the enquirer is trying to contact a student who they think is studying at Sussex.

Such enquiries seem to be (and most are) perfectly innocent, and it may seem safe enough to do things like offer to forward a message. However, there is a small but constant number of students who indicate to us that they do not wish to have the fact that they are studying here revealed to anyone, and we must respect such instructions - there is often a very serious reason behind them.

So, you should first check the Restricted Data List (also known as the 'opt-out' list) which will be available in your departmental office. This details the few students who have requested that no information be revealed about them to any enquirers. If you look up a 'restricted data' student on the database a warning will also pop up on screen. If they are on the restricted data list then you must not confirm anything about the student to the enquirer, not even the fact that they are studying here.

If the student is not on the list, you should still provide as little information as possible to the enquirer. Most importantly, never give out a student's address - except in the exceptional/urgent cases, usually involving the police, described in 3.6 below. The most that would normally be disclosed to an external enquirer is to disclose:

  • that the named person is/was a Sussex student
  • if asked, their mode of attendance (full/part time)
  • if asked, the start date and expected/actual end date
  • if asked, the degree awarded and classification (but not failure)

You may confirm the following (but do not disclose it if it differs):

  • whether the address that the enquirer has is the same one we have
  • whether the date of birth that the enquirer has is the same one we have

2.3 Special or urgent external enquiries

There are three 'special' types of external enquiry:

(a) Where the information is required by law;

(b) Where the information is required in the overriding interest of the individual;

(c) Where the data subject has explicitly consented to the release of the data.

Requests to release student personal data under (a) or (b) above should be referred urgently to the Information Officer. (Interpretation and authorisation of cases involving the interest of the individual rests with the Director of Planning, Governance & Compliance, to whom such enquiries should be referred directly in the absence of the Information Officer.)

You may also release data on the basis of explicit written consent from the individual concerned.

3. Handling difficult cases

3.1 Parents/spouses/other relatives

Students' relatives do not have the general right to information about their child/partner/relative which they often assume. In such cases, the enquiry should be referred to the Information Officer, who may refer it to the Student Support Unit in order to pass on messages. If there is a pressing case for releasing the data in the interest of the individual, contact the Information Officer for guidance.

3.2 The data subject him/herself

Although students (like staff) have a general entitlement to access the records the University holds about them, they have no right to demand to see their records immediately. In most cases it will be necessary for students to make a Subject Access Request under the Data Protection Act.

3.3 Other students

Other students do not have special rights to information about their fellow students. Refer enquirers to the Student Systems Office, who will normally offer to pass on messages to individuals.

3.4 Sponsors

Sponsors and similar bodies (LEAs, Embassies, High Commissions, private companies, charities, etc.) likewise do not have a general right to access 'their' students' personal data (although in some cases the University may undertake routinely to provide academically-related information to sponsors). Refer them to the Information Officer if necessary.

3.5 Media Enquiries

Enquiries concerning named individuals or otherwise relating to students should always be referred, without comment, to the Press and Communications Office.

3.6 Law Officers

It is the University's policy to give reasonable assistance to the enquiries of law officers in connection with their investigations. Law officer enquiries should always be referred to the Information Officer, as should enquiries from other government agencies (e.g. HM Customs). Only in urgent and exceptional cases, where you have been unable to reach anyone in the Planning, Governance & Compliance Department would you be able to release the data. In these cases, having verified the identity of the law officer, the person handling the enquiry may release the data directly to:

(a) A Court Bailiff, you must insist on referring him to the Information Officer. These enquiries are not usually urgent.

(b) A Police Officer whose identity you have confirmed, and there are urgent reasons for releasing the data (i.e. the student has become a danger to self or others, or has committed/is about to commit a crime), then you may release the information.

If you have had to released information then take a note of all the details (the student in question, the Police Officer's identity, the information requested, the reason given, and exactly what information was provided) and copy this (marked 'confidential') to the Information Officer and the Director of Planning, Governance & Compliance.

4. What to keep on file: dos and don'ts

4.1 Ideal Practice

The best practice is that, wherever possible, the contents of a student's file should be limited to documents which reflect normal University business, and which have either already been copied to the individual in question, or could be so copied without any problem.

4.2 Negative judgements of individuals

You should seek to avoid keeping documents or emails which contain comments or judgements on individuals which are of a negative nature and unsupported by evidence. You should generally seek to minimise cases where the file contains documents which you would be unhappy or embarrassed to have to show to the student(s) to whom they relate. Remember anyone can put in a subject access request and receive copies of all documents we hold on them, including those giving an opinion about hte individual.

4.3 Assessment data and the decisions of Examination Boards

Please note that student marks/grades, and the documented proceedings of Exam Boards (including disciplinary sub-committees which investigate matters such as plagiarism), are not exempt from being disclosed to the student in question. Therefore all assessment proceedings need to be minuted and evidenced in a way which is consistent with disclosure to the individuals concerned (e.g. as part of a subsequent appeal).

4.4 Subject Access Exemptions

The main types of document which you may (need to) keep on file, and which the individual in question does not have an automatic right to see, are:

(a) References and similar judgements which are supplied by the University in confidence. The student does have the right, however, to see references received by the University. Similarly, students can obtain copies of references provided by the University from the third party to whom they are addressed.

(b) Documents relating to a negotiation between the University and the individual in question, where release of the document would prejudice that negotiation.

(c) Documents which you could not release to someone without simultaneously identifying some other individual(s).

(d) The examination scripts themselves are exempt from subject access requests but can be released, if we wish, with the school's consent. Comments made by examiners on those papers are not exempt from subject access requests and must be released.

Contact the Information Officer for further details of these and other exemptions.

5. Good practice for handling student files

5.1 'Private' files on individuals

Occasionally you may be minded to create 'private' files on individuals, separate from the main operational file. The case for doing so has to be justified as being in the interest of that individual (e.g. where the data is particularly sensitive) and in compliance with the Data Protection Act. Bear in mind, when setting up the file, that the individual almost certainly still has a right of access to that data under the Data Protection Act. In general, where you are in doubt about the best way to proceed, seek advice from the Information Officer to find an arrangement sanctioned by the University.

5.2 Duplication of information

If you can see opportunities for reducing paper filing (e.g. by relying on central database or paper records), and/or unnecessary duplication or fragmentation of files on students in your area, then please take action. Not only will this reduce duplication of filing effort (and duplication of judgement about difficult cases), but it will also help the Information Officer if they need to urgently pull together all of the documents held about an individual, in response to a subject access request.

5.3 Writing references

See Writing references for students.

5.4 Dealing with 'unsuitable' information on a student file

If you find yourself in the uncomfortable situation of being told to file documents which you feel contain negative and unsupported judgements on individuals, you should flag such cases to your line manager, or (if this does not resolve the situation) directly to the University's Information Officer. If these comments/judgements relate to academic assessment, you may bring to the attention of the author the fact that academic judgements are not exempt from being open to the individual in question (see 4.2 above), and that a lack of discretion may lead to the author, the academic unit and the University being placed in a difficult legal position.

5.5 Transferring files between offices

The contents of student files are confidential to any third party, and should not normally be shown to the student in question without that student having made a proper application to the Information Officer. So, wherever feasible, student files should be transferred by hand, rather than via the internal post, and a student should never normally be asked to take his/her own file (or any other student's file) to another office unsupervised.


Last updated April 2016

Contact details:

Information Officer
Planning, Governance & Compliance
Sussex House
University of Sussex

Phone: 01273 606755 ext 3954