1. Policy and Procedures
1.1 Background
1.2 The
8 Data Protection Principles
1.3 Definition
of ‘data’
1.4 University
registration
1.5 Making
a ‘data subject enquiry’
2. General Guidelines
2.1 Procuring
personal data
2.2 Storing
personal data
2.3 Disclosing
personal data
2.3.1 Employment
agencies and prospective employers
2.3.2 Departmental
policies and practices
2.3.3 Enquiries
from Embassies and High Commissions
2.3.4 Emergencies
and dealings with the police
2.4 Protecting
third parties
2.5 Disposal
of personal data
2.6 Agendas
and minutes of meetings
3. Teaching and Examining
3.1 Exam
scripts and comments on scripts
3.2 Theses
and dissertations
3.3 Publishing
examination results
3.4 Feedback
on teaching and training
4. Supplying, requesting
and receiving ‘confidential’ references
4.1 Supplying
personal references
4.2 Requesting
and receiving a reference
4.3 Internal
references
4.4 UCAS/Schools
references
4.5 References
for former students
5. Applications and Interviews
6. Photographs, Videos and Closed-Circuit Television
8. Research involving data gathering from human
participants or from records
8.1 The
status of personal data processed for research purposes only
8.2 Archiving
personal research data
8.3 Limiting
the nature of personal data collected
8.4 Use
of anonymous data
8.5 Disclosing
research data
8.6 Transferring
research data
9. Medical Data and Sickness Records
10. Responsibilities of staff and students
Appendix 1 Data Subject Enquiry Form
1.1. Background. The Data Protection Act 1998 came into force on 1 March 2000. It is concerned with the rights of individuals to gain access to personal information held about them by an organisation or individual within it, and the right to challenge the accuracy of data held. The terms of the Act relate to data held in any form, including written notes and records, not just to electronic data.
This document summarises the implication of the Data Protection Act for the University, sets out the University's general Policy on adherence to the Act, and offers specific guidance relating to:
It is not possible to cover all activities that individuals or departments might engage in. Guidance relating to some other matters can be found in the sources mentioned in the next paragraph. If in doubt contact the University's Records Manager.
This document incorporates guidance from the Information Commissioner's Office, from the Joint Information Services Committee (JISC) and from the Lancaster Data Protection Project. Those sources include advice on several other areas of activity not specifically mentioned below.
1.2. The 8 data protection principles. The Act requires that all staff and others who process or use any personal information must ensure that they adhere to the 8 data protection principles. In summary these require that personal data, including sensitive data, shall:
The Act is meant to be permissive rather than restrictive, which means that provided the above principles are adhered to (e.g., you have permission from the data subjects to process their data and are doing it for a registered purpose) then you can process the data and disclose them to an allowable body (see section 1.4).
1.3. Definition of 'data'. In the terms of the Act, data are information relating to an individual where the structure of the data allows information about the individual to be readily accessed. The information may be held in manual form (e.g., as written notes relating to a person or as part of a filing system, including card index or filing cabinets structured by name, address or other identifier) or in a form capable of being processed electronically. Personal data are any data relating to a living individual (e.g., name, address, payroll details, exam results). Sensitive data form a subset of personal data that relate to a living person, recording such things as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, criminal convictions, etc. Data are processed whenever compiled, stored or otherwise operated upon. So disseminating the examination results of students involves processing data relating to each of them, as does giving and receiving personal references, producing agenda items or minutes for committees at which students are discussed as individuals, etc. Similarly, data about staff are processed when they are committed to manual or electronic records held within the institution.
1.4. University registration. Under the Act the University as a data controller is required to notify the Information Commissioner of certain details of the processing of personal data by the University. Failure to keep the register entry up to date is a criminal offence. The principal purpose for notification and the public register is transparency and openness. The University’s notification to the Information Commissioner lists sixteen specific purposes including Staff, Agent and Contractor Administration, Research and Statistical Administration and Education and Training Administration. The activities within the purposes for which the data may be held or used together with a general description of the individuals, the types of data, and to whom the data may be disclosed or transferred (an ‘allowable body’) may be viewed at http://www.informationcommissioner.gov.uk. The University’s details are used by the Commissioner to make an entry describing the processing in a register which is available to the public for inspection. It is not intended that the register should contain very detailed information: the aim is to keep the content at a general level, with sufficient detail to give an overall picture of the processing. The notification period is valid for one year and any change to some part of the University’s register entry during the year must be notified immediately.
1.5. Making a 'data subject enquiry'. Subject to a limited number of statutory restrictions, an individual or data subject (who could, for example, be a past or present student or member of staff of any category) can request to see whatever personal / sensitive information are held on them within the University. They can do this by filling out a Data Subject Enquiry form (Appendix 1) and submitting it, together with a small fee (currently £10) and proof of identity, to the University's Records Manager who will then co-ordinate access to such data as is held within the whole of the institution. It is the University's policy to channel all data subject enquiries through the University Records Manager. This is partly to ensure parity of treatment for all enquiries, and partly because data relating to an individual may be held in several different places within the University. All personal data should be accessible in response to a single enquiry to a central co-ordinator rather than separate enquiries needing to be made to different sectors of the University.
2.1. Procuring personal data. The Act does not allow an individual to prevent an organisation from making reasonable use of personal data in the interests of providing an education or employment. For example, staff and students must expect certain information about them to be placed in the public domain (telephone extension number, college affiliation, email address, digital image, etc). Any permission to process staff/student information necessary in accordance with the University’s contract to provide education or employment will be gained by central administration at the commencement of such a contract. Principle 3 of the Act requires, however, that only necessary data shall be collected. Departments, Units etc should ensure that they only collect data on individuals that are necessary for the effective functioning of the institution or section. Procedures should be reviewed at intervals to ensure that this is the case, and that unnecessary information is not being requested or retained.
2.2. Storing personal data. Personal data must be held securely. In the case of manual data this could be in filing cabinets, locked cupboards or rooms with access restricted to named individuals or categories of individual only. In the case of electronic information, access should be subject to reasonable controls, which might include passwords, encryption, compartmentalised access and access logs. Reasonable steps should be taken to detect and prevent unauthorised access. There should be regular backups to ensure that important data cannot be lost as the result of malfunctioning of a single machine. Particular care should be taken when laptops or PCs are used to process personal data away from the University. Advice on recommended retention periods for certain classes of data can be ascertaied from the University Records Manager. Section 8 below notes that data may be kept for longer than the purpose for which they were originally collected if they are to be used for research purposes, including historical or statistical research.
2.3. Disclosing personal data. Personal data should not generally be disclosed to third parties without the permission of the individual concerned. In this context, "third parties" includes family members, friends, local authorities, government bodies and the police, unless disclosure is exempted by the 1998 Act or by other legislation. Under certain circumstances, data may however be released. Note that among other circumstances the Act permits release of data without express consent:
Most bodies that may request personal data in such circumstances should be able to provide documentary evidence to support their request. For example, many police forces have a specific procedure for requesting information in support of an ongoing investigation. The absence of such documentation or a warrant may justify refusal to disclose personal data. If in doubt, contact the University's Records Manager.
2.3.1. Employment agencies and prospective employers. A further issue arises where employment agencies or prospective employers contact institutions to verify details about an individual, such as attendance records, examination results, and degree classifications. In most circumstances, the individual concerned would not object to the disclosure of such information, and indeed it would appear to benefit the individual. However, care should at least be taken to ensure that the third party has a genuine requirement for the information. Depending on the sensitivity of the data being sought it may be appropriate to seek evidence of consent having been given by the person to whom the data relate. As from August 2002, the University will obtain permission from students at registration for basic, non-sensitive information to be disclosed in response to reference requests.
2.3.2. Departmental policies and practices. Clear guidelines should be in place within departments governing who can release what categories of data to whom and under what circumstances. All staff should receive training in these procedures. As a rule, personal or sensitive data should not be disclosed without the express consent of the individual concerned. Telephone disclosure is generally unsatisfactory, as verification of such details (and of the identity of the enquirer) can be difficult. For example, a student's address, telephone number or email should not be given to a telephone enquirer, even if the enquirer claims to be a close relative or friend. If you receive a phone call from a third party requesting information on a member of staff or student you should not disclose any information about the individual, however hard the caller may press. You should explain that the University does not discuss individuals without the express permission of the individual concerned. Assure the caller of your willingness to help them. Offer to attempt to contact the person concerned and take details of the request for information, including the caller's number. Offer to phone the caller back if necessary (this also offers some measure of authentication of the caller). If necessary, ask them to put their request in writing. Offer to accept a sealed envelope for the Department to forward to the individual concerned. Follow similar guidelines when dealing with written requests for information.
2.3.3. Enquiries from Embassies and High Commissions. These should be treated with extreme caution: individuals (students or staff) may choose to have little or no contact with representatives of their home states, and the extent of the relationship is a matter for the individual, not the institution, to determine. You are advised to respond noncommitally to such enquiries. It may not even be appropriate to acknowledge that the individual is at the University. Ask the enquirer to put the request in writing, and refer it to the Registrar's department.
2.3.4. Emergencies and dealings with the police. Procedures are in place for dealing with requests for information in emergency situations and in dealings with the police. Such requests should be referred to the University Security Centre, which will seek advice from the Director of Personnel (for staff) or the Academic Registrar (for students) if necessary. JISC guidelines indicate that it is not necessary to obtain explicit permission from next of kin etc to store their contact details for use in the event of emergencies, though that information should be kept secure and destroyed when it is no longer needed.
2.4. Protecting third parties. In meeting a data subject access request, it is important that personal data relating to other identifiable individuals mentioned in the documents (e.g., other staff or students) should not also be revealed unless permission for disclosure is given by the individual(s) concerned. Thus, a data subject enquirer has the right to see notes or comments relating to them that are held by the University in manual or electronic form, but the identity of the individual(s) who made those comments should not be revealed without their express permission.
2.5. Disposal of personal data. Personal data should be disposed of when no longer needed for the effective functioning of the institution and its members. The method of disposal should be appropriate to the sensitivity of the data. Disposal may include transfer to the University Archive in appropriate circumstances (see section 8.2). It is recommended that data on paper or microfilm be shredded or incinerated, and that electronic data should be destroyed by reformatting or overwriting. Note that 'deleting' a computer file does not equate to destroying the data: such data can often be recovered. Particular care should be taken when computers are transferred from one person to another, or when they are sold or transferred to outside bodies. It is essential that no personal data should be recoverable from the hard disks. Computing Service will be producing guidelines on the secure disposal of data and computing equipment that will be accessible via its Web page.
2.6. Agendas and minutes of meetings. If a student or member of staff is identified in committee Agendas or Minutes by name or by some code that can be linked to the identity of the individual, then the content of the papers constitute data about the person and are disclosable under the Act. Thus, students can, on making a Data Subject Enquiry, expect to see the contents of Agendas and Minutes of Departmental committees (Boards of Studies, Boards of Examiners etc) and University committees in which they are identifiable as individuals. That includes the contents of minutes referring to "closed" agenda items. Departments may wish to revisit their policies on the inclusion of personal data, including comments relating to individuals, in agendas and minutes bearing in mind the necessity of having an adequate record of the reasons for a particular decision about a person. In meeting a data subject access request, it is important that personal data relating to other identifiable individuals mentioned in the documents (staff or students) should not also be revealed unless permission for disclosure is given by the individual(s) concerned.
3.1. Exam scripts and comments on scripts. Examination scripts are exempt from data subject access because they are statements from the students, not data about them. Hence a student could not use the Act to obtain a copy of an exam script they had produced. But examiner's comments on the content of scripts are disclosable, whether recorded on the script or held separately. This applies to external as well as internal examiners, and is true even of material marked 'blind' (because codes must exist somewhere that allow the identity of the student to be determined). Students have the right of access to data consisting of the marks given, and any comments on which they were based.
All comments committed to writing should therefore be fair and defensible. It is recommended that they should relate to the script rather than the student. Thus it is reasonable to write "good argument" or "weak argument" (provided those judgements can be defended if challenged) but not advisable to write "good student" or "weak student". Departments should be aware that Minutes of Examinations Meetings are also disclosable under the Act where they mention individual students by name or candidate number.
The period of compliance for subject access requests in this category is 5 months, or 40 days from the announcement of the results, if earlier. During that time a student has the right to request that a copy or summary "in intelligible form" is provided. Departments may wish to consider introducing procedures that simplify the production of comments on request (e.g., recording them on a separate sheet). As a minimum, examination scripts and examiner's comments on assessed work should be kept until the period in which academic appeal may be submitted has elapsed. It is University policy that all material relating to assessment contributing to an award of the University should be kept for at least one year after the relevant examinations have been completed, that is to say, after the meeting of the Senate or GUSC at which the results were confirmed.
3.2. Theses and dissertations. The disclosability of internal and external examiners' comments also relates to comments produced by the examiners of theses and dissertations. This includes comments written on the forms that make recommendations regarding the award of higher degrees based on the examination of theses in vivas. Any comments held by the University are disclosable under the Act and must therefore be fair and defensible.
3.3. Publishing examination results. The practice of publishing degree or other qualification results and classifications and interim pass/fail assessment lists via posting on notice boards or inclusion in the local press is permissible if consent is obtained from the candidates. This is now done centrally. Students have the right to withhold such consent. Departments will be informed if this right has been exercised. Consent will not be sought for publication of individuals' assessment marks against their names and these should not be posted publicly without a student's consent.
If a student wishes to obtain results by telephone, then a procedure should be established to ensure that the caller is indeed the individual concerned (e.g., a password, or quoting the student's examination number). The University reserves the right to confirm to third parties the type and level of any academic award conferred by the University upon an individual, to avoid fraudulent claims.
3.4. Feedback on teaching and training. The contents of feedback relating to individual teachers constitute personal data relating to the teacher and is therefore disclosable to the teacher under the Act. This applies to feedback on lectures, practicals and tutorials, as well as to feedback concerning a staff member's performance as a supervisor etc. As always, any disclosure of such information would need to be done with the permission of the individual(s) who provided it, or in such a way that it was not possible to determine their identity.
The precise application of the Act to the giving, requesting and receiving of 'confidential' references is not entirely clear, and is the subject of ongoing discussion. What follows is our current best understanding. If in doubt, please seek advice from the University's Records Manager.
4.1. Supplying personal references. Personal references (and other personal data) supplied for specified purposes, including education, training or employment, are exempt from subject access. Thus, if you write a 'confidential' reference for an individual, you cannot be required to disclose its contents in response to a data subject enquiry.
The exemption from disclosure does not, however, apply to the individual or organisation that receives the reference. They can be expected to disclose a reference, particularly if they judge that it is possible to conceal the identity of the referee (e.g., by blanking out their name, address, etc). If it is not possible for the identity of the referee to be concealed, then they should not disclose the reference without the express consent of the supplier, because to do so would be to disclose personal data about the supplier.
If you would be opposed to having your reference released, it is recommended that you should mark your reference PRIVATE AND CONFIDENTIAL and include in it the following statement:
"The University accepts no legal responsibility for this reference which is given in strictest confidence. You are reminded under the Data Protection Act 1998 that you should not disclose the contents of this reference without first obtaining our/my consent or ensuring the source is not identifiable".
This statement might also be written onto forms on those occasions when the request for a reference comes in the shape of a form to be filled in rather than a request for an open reference.
Note, though, that the inclusion of a disclaimer clause does not discharge you from a duty of care, and be aware that such a clause will not guarantee that all or part of the reference will not be disclosed. Ultimately, a court of law has the power to force disclosure of a reference (as in fact has always been the case). Hence you should always assume that a reference might be disclosed as a result of litigation if a court orders it, and you should include nothing in a reference that you could not defend and justify in court.
With this in mind:
4.2. Requesting and receiving a reference. From time to time members of the University seek references from external organisations about prospective students or employees. In order to protect the interests of those who provide us with references, it is recommended that the following clause be included in any letter requesting a reference:
"Your reference will be treated as confidential unless you indicate that you wish it to be disclosed on request or we obtain your explicit and written consent to disclose the reference or we are obliged to disclose it by virtue of a statutory order."
Offers of places, employment etc. should not be made contingent upon the receipt of satisfactory references. Withdrawal of an offer after references are received could provoke legal action. Normally wait until references are received before making any offer. If exceptionally an offer is made before references are received then the person to whom the offer is made must be informed that confirmation of the offer is subject to references satisfactory to the University.
If you are ever asked to provide access to a reference you have received from a third party, refer the person making the request to the University's Records Manager, who will co-ordinate the University's response. Never disclose all or part of a confidential reference yourself.
4.3. Internal references. References that remain within an organisation (and hence within the purview of the one data controller) are likely to be disclosable under the Act's subject access provisions from the point they have been formally received and considered. This would include references written on behalf of undergraduate students at the University of York concerning their suitability for postgraduate courses at the University of York, references written on behalf of a member of staff applying for a position in another department or unit, and references supplied to Promotions Committee by Heads of Departments. We advise that writers of internal references follow the same guidelines as for references written for other institutions; that is, they should ensure that statements are accurate, that facts are differentiated from opinions (which should be based on verifiable information), that the writer should only make statements that he or she is qualified to make, etc.
4.4. UCAS/Schools references. Schools are not legally required to provide applicants with copies of their references, but UCAS and universities, as recipients and holders of the information, can be asked to provide access to those references. As with all data protection enquiries, these should be channelled through the University's Records Manager.
4.5 References for former students. It is University policy that former students can expect references to be provided by the main department(s) in which they studied, indefinitely, although the content of such references will depend on the information still available within the department(s). If the department is in doubt as to whether the former student has given the department as a reference source, the former student should be contacted for consent before a reference is provided.
5. APPLICATIONS AND INTERVIEWS
Notes made in the course of interviews constitute individual data and are therefore subject to access under the Act. They should be fair, reasonable and defensible. Interview notes relating to successful applicants may be retained while the individual is a member of the University, and hence be disclosable in response to a data subject request. It is recommended that interview notes relating to unsuccessful applicants should be securely disposed of once it is clear that an individual is not going to be selected or appointed. It is recommended that all personal data relating to unsuccessful applicants should be retained for at least 6 months after it has become clear that the individual will not be selected or appointed, but not retained for longer than necessary once that period has elapsed.
6. PHOTOGRAPHS, VIDEOS AND CLOSED-CIRCUIT TELEVISION
Images of identifiable individuals constitute personal data in terms of the Act. Photographs of individuals should not be displayed in departments, used in teaching material, promotional material, prospectuses, etc., displayed on web sites, or in any other way made public without the permission of the individual(s) concerned. The same restrictions apply to video images (or audio recordings) used, for example, in teaching or promotion. If you are allowing others to take photographs or videos at any event you are organising, you are advised to mention this in your publicity and advise those who are attending in advance. If they object for any reason, it is up to you to ensure that they are not photographed or videoed.
The University employs closed-circuit television as part of its security systems. This will be done within the CCTV Code of Practice issued by the Office of the Information Commissioner.
Personal data relating to students or other members of the University past or present should not be passed to marketing organisations without the student's express permission.
8. RESEARCH INVOLVING DATA GATHERED FROM HUMAN PARTICIPANTS OR FROM RECORDS
8.1. The status of personal data processed for research purposes only. The fifth data protection principle states that 'personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes'. This poses problems for research because data gathered in the course of a research project are fundamental to the validation of the project, both as it is completed and in the future, as questions raised by the results of the research are revisited over time. The Data Protection Act allows for this situation by granting an exemption from the fifth data protection principle. The exemption allows personal research data to be retained indefinitely, but only as long as a) the data are not processed to support measures or decisions taken at some future time with respect to particular individuals, and b) the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
8.2. Archiving personal research data. The Act also allows secure archiving of data gathered for a particular research project in recognition of the fact that the data may have further research uses not apparent at the time of collection ('the further processing of personal data only for research purposes in compliance with the relevant conditions ... is not to be regarded as incompatible with the purpose for which they were obtained'). There is also an exemption from the need to inform data subjects about the further processing of their data for research purposes provided that the data are processed in compliance with the relevant conditions and the results of the research, or any statistics arising from the research, are not made available in a form which identifies any data subject. Advice on disposal or archiving of research data, and access to data by third parties, once the purpose for which they were collected no longer applies, may be obtained from the University Records Manager at the Borthwick Institute.
8.3. Limiting the nature of personal data collected. Only data necessary for the conduct of the study should be collected. In particular, data of a sensitive nature should not be requested unless genuinely necessary. This includes data on racial or ethnic origin, political or religious beliefs, membership of a trades union, physical or mental health, sexual life, criminal offences, proceedings or conviction. If such data are not absolutely necessary for the research study, do not collect them.
8.4. Use of anonymous data. In many circumstances it is not necessary to record the identity of the individual who provides the data for research. Data are exempt from subject access where results or statistics do not identify the individuals from whom the data were obtained. Hence, it is recommended that careful consideration be given at the time a research project is planned as to whether the identities of the participants are required or whether it would, for example, be sufficient to note certain facts about the participant that would not allow them to be identified as individuals. In many situations, the research project does not require the identity of the participants to be noted, in which case the source of the data can remain anonymous.
8.5. Disclosing research data. Researchers should be aware that if research data are not collected anonymously so that it is possible to link the data to identifiable individuals, then the Act grants those individuals a right of access to the data. This would be done by making a data subject enquiry to the University Records Manager. Thus, test results, medical information, questionnaire responses, and other data provided by participants are disclosable where the identity of the participant is retained. This includes a situation in which a separate list or key kept within the institution makes it possible to link research data to an identifiable individual.
8.6. Transferring research data. Transfer of data relating to identifiable individuals to other researchers outside the institution should be avoided if possible. In particular it is advised that non-anonymised data should not be transferred to countries outside of the European Economic Area.
It is important that all members of the University involved in collecting
data from human participants (undergraduate students engaged in projects,
postgraduate students, and all other categories of researcher) appreciate
the importance of ensuring that their procedures comply with the requirements
of the Act. Training on the implications of the Act should be given to
all researchers.
9. MEDICAL DATA AND SICKNESS RECORDS
Information under this heading is ‘sensitive data’. Doctors or persons with an equivalent duty of confidentiality (student counsellors etc) can hold data without contravening the law. Departments can take account of medical information when considering performance in order to fulfil legal obligations or to protect the interests of the data subject. Oral discussion is not subject to data protection regulations where no written record exists. Central administration will seek consent from staff and students to pass on vital medical information in cases of accident or special circumstances.
Sickness records should be held securely to prevent any unauthorised access or use. The principle of ‘need to know’ access should be applied strictly and records structured to facilitate this: so that, for example, information on an individual’s health is not accessed when only information on absence or the circumstances of an accident is needed. Details and records of an identifiable individual’s medical condition, injury or absence should not be made available to other staff unless it is necessary for them to do their jobs, there is a legal obligation to disclose, or the individual has given their explicit consent to the disclosure. Managers should only have access to information that is necessary for them to undertake their managerial responsibilities. Where it is necessary to commission a medical report on a sick worker, only relevant information should be sought. The law does not prevent employers from providing anonymised information to safety representatives, and where the disclosure of identifiable information is required by law (as might be the case under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995), the Data Protection Act does not prevent the disclosure taking place.
10. RESPONSIBILITIES OF STAFF AND STUDENTS
The University expects all its staff and students to comply fully with its Data Protection Policy and the principles of the Data Protection Act. Disciplinary action may be taken against any employee or student who breaches any of the instructions or procedures following from this Policy.
Staff are responsible for:
Students must likewise ensure that any information they provide to the University is accurate and is kept up-to-date. If they find themselves in a position where they are processing personal data about staff or other students (e.g., as a student representative on a University committee or group, or as the secretary of a society), they must ensure that they comply with University Policy and with the requirements of the Act.
Anyone responsible for creating or maintaining web pages should note that University Policy and the provisions of the Act relate to any personal data about individuals that may be held on web pages or accessed via them.