Frequently Asked Questions
How does the Data Protection Act affect my work?
Unlike the 1984 Act, the new Act extends to manual (i.e. non-computerised) as well as computerised files. This means that paper files, card index and other record systems which contain personal data about identifiable living people will become subject to the new Act.
When you are using personal information as part of your job you will have to ensure that your use of the data complies with the 8 main principles contained within the 1998 legislation.
You should also be aware that an individual will have the right to access his/her personal information. He/she will also have the right to seek compensation if it can be shown that we have not used their data in the proper way and as a result they have suffered distress or financial loss.
I have been asked by a student to supply a copy of their records in accordance with their subject access rights under the Data Protection Act 1998. What should I do?
You should refer the request to the University's Data Protection Co-ordinator. The University will provide the information to the student within 40 days of receiving appropriate identification and other information that will identify the nature of the personal data.
Not all requests for personal information need to be subjected to data subject access request procedures, but only those requests that are formally made and cite the data protection legislation as a means of obtaining access to data.
I have been contacted by a third party requesting information about a student/member of staff. What should I do?
The general rule is to be very careful about who information is disclosed to. Personal information should only be disclosed to third parties if they are included as a potential recipient of the data within the University's Official Data Protection Notification, or you have obtained the consent of the data subject to disclose the information. This rule must also be applied to the parents / guardians of students who request information. Requests for personal information by third parties should be made in writing.
How do I respond to a request for personal information over the telephone?
Personal information should only be given to data subjects over the telephone after you have verified their identity and are happy that they are indeed the data subject. Verification should be obtained by asking the caller at least three questions that only they would have the answer to, e.g. their date of birth, the house number of their home address, the third letter in their term time address etc.
If you have any doubt as to the validity of the caller you should ask them to put the request in writing, advising them that this is necessary in order to safeguard the security of their data and to comply with data protection legislation. You should also ask them to include a formal identification document with their written request.
Personal information should not be disclosed to third parties over the telephone except in extreme cases.
What about exam marks and results?
Exam scripts themselves are exempt from disclosure. Exam marks, however, and minutes from an exam board meeting relating to a particular student, together with details of examiners’ comments, could be subject to disclosure.
There are additional rules which mean that results need not be disclosed any earlier than they are publicly announced.
Please note that we cannot withhold exam marks from students who have outstanding debts with the University, but we are allowed to stop them from having their award conferred.
Can we still publish degree results in degree congregation booklets etc.?
This issue has recently been considered by the Data Protection Commissioner who has concluded that provided there is nothing which would enable individual students to be contacted (e.g. by the inclusion of e-mail or postal addresses or telephone numbers) then this does not breach the new Act. If an individual student, however, were to indicate that he/she did not wish his/her name to be included on the published list, this request should be respected.
I want to create a photoboard showing photographs of all staff and students within my Department. Can I do this?
Photographs constitute personal data, so you must get consent from all the individuals concerned to display their photographs. Consent could, for example, be obtained by asking students/staff to supply photographs and telling them at the point of collection what they are to be used for. If an individual objects to the display of their photograph then it must be removed.
I want to publish a list of students’ email addresses/home addresses on the Department notice board. Can I do this?
Consent must be obtained from all the individuals concerned before any such personal data is made public. If an individual does not consent then his/her data must not be published. If an individual initially agrees but then changes their mind, their data must be removed.
I have obtained consent to display certain items of personal data on the notice board. Can I also publish the information on my website?
Only if you have also obtained consent from the individuals concerned to do this. You cannot assume that consent for a particular use of data extends to any other use. If you have consent to use data for a particular purpose and wish to use this data for a further or different purpose, additional consent must be obtained from all the individuals concerned. This is particularly important in relation to the worldwide web because of the universal accessibility of information published on it.
I have a database containing contact details and personal information that I have compiled over a number of years. Can I continue to hold this information?
Yes, but you should think about what data you are holding and why. The information should be relevant, kept up to date and held for no longer than necessary. If you have old or unreliable information you should either update or delete it. One way to do this would be to write to the individuals concerned notifying them of the information you hold and asking them to check that it is correct. You can also then notify them of the purposes for which the data is held and seek their consent.
I have sent literature about forthcoming events, reunions etc. to past students. Some have objected, saying that they do not wish to receive any further communications. What should I do?
You must ensure that these persons are not sent any further communications. If mail is generated by computer you must have a system in place ensuring that people who have objected to receiving communications are removed from your mailing list.
Some of our files contain comments of a personal or unfavourable nature. Could these be disclosable to the individual concerned?
Yes – potentially all personal information could be disclosed. The general rule is that if you would be embarrassed by a person seeing comments made about them, then you should not make those comments.
Do confidential references have to be disclosed to the person about whom the reference is written?
Potentially yes. There are complicated rules about references but basically, although the subject of the reference cannot require a copy from the person giving the reference, they could possibly obtain it from the person who received the reference. The confidentiality and disclosure of a third party's personal information, e.g. the referee, will be a matter of consideration for the University, but cannot always be assured unless good reasons can be shown for withholding the reference.
I have an application form/questionnaire which requests personal information from students/staff/third parties. Do I need to modify this because of the 1998 Act?
Yes. Basically such forms should tell the person what their data will be used for, where it will be held and for how long, and to whom it may be disclosed.
I use an outside company to process personal data on behalf of the University, e.g. for sending bulk mailings. Are there any special rules for this?
Yes. Under the terms of the 1998 Act, there must be a written contract containing certain specified terms to ensure that the third party complies with the Act.
How long should I retain records that contain personal information?
Data should be held for no longer than is necessary. The University Data Protection Policy contains a retention policy which gives guidance on how long personal records should be retained. In general, it is good practice not to amass more personal information about individuals than is necessary; to discard irrelevant or out of date information; and to destroy unnecessary duplicates or photocopies.