The following sections provide information and guidance on the disclosure of personal data to third parties and how to protect the confidentiality of personal data.
Confirmation of University attendance or employment
The University receives regular requests from a whole range of sources asking staff to confirm if a student is attending the University or a member of staff works here. Obtaining consent from the individual concerned and documenting this is the best way to proceed for ad-hoc requests and this should be the default course of action.
In some circumstances, however, it is possible to provide confirmation without seeking consent. Data Protection law allows a disclosure of personal data to a third party as long as there is a lawful basis in place to support this processing, i.e. the disclosure. Consent is one such lawful basis or condition, but there are a number of others that might apply, such as that the processing is necessary:
- for a contract with the individual, or because they have asked us to take specific steps before entering into a contract;
- to comply with the law;
- to protect someone’s vital interests;
- to perform a task in the public interest or for our official functions; or
- for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
If the University has a requirement to regularly disclose information relating to attendance or employment to a third party, this will be detailed in the relevant central privacy notice and the legal basis will already have been established. For example, confirming a student's attendance to a financial sponsor is consistent with the student privacy notice.
In these circumstances you should be able to proceed with the disclosure; however, if you are in doubt, or you believe the request for disclosure is unusual, is not mentioned in a privacy notice and/or does not have a clear lawful basis, contact the Information Governance Office before you make the disclosure.
Personal data requests from parents or relatives
The University often receives enquiries from relatives about a student or even a member of staff. In accordance with data protection legislation, the general rule must be that students and staff are private individuals and the University has no responsibility or obligation to keep their relatives informed of any aspect of their studies, professional activities, or private lives. As such, data can only be disclosed in accordance with the legislation, paying particular attention to special category personal data requirements. Generally, this means it is best that personal data is not disclosed without the consent of the individual involved. Written rather than verbal consent is also recommended.
In cases where an individual's life or health is seriously threatened, the usual need for consent before disclosing to relatives may be waived as the legislation allows disclosure if it protects that person's "vital interests". Under these circumstances, a judgment will need to be made as to whether disclosing data to a relative protects the individual's interests.
Requests for personal data from the police or official authorities
Occasionally, the University receives requests from the police and other official authorities for personal data. Disclosing data under these circumstances is not compulsory, but the University will always aim to assist officials as far as possible, particularly because data protection legislation does allow disclosure of data if non-disclosure would prejudice:
- the prevention or detection of crime
- the apprehension or prosecution of offenders
- the assessment or collection of any tax or duty
All requests from the police or other official authorities should be directed to the Information Governance Office to ensure that no unauthorised disclosures are made.
Subject Access Requests
The UK General Data Protection Regulation (UK GDPR) gives individuals a right to access the personal information which the University holds about them, thereby allowing individuals to be aware of what data is being processed and to verify the lawfulness of this processing. They may exercise this right by making a subject access request. Individuals wishing to make a subject access request should be directed towards the Subject Access Request form.
Requests will normally be free of charge; however, a ‘reasonable fee’ may be charged in certain circumstances.
What is a Subject Access Request?
The UK GDPR gives individuals the right to obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the personal data, along with other information such as how long it is envisaged that the data will be stored for.
They do this by making a data subject access request which might be received by any member of staff.
Requests can be made verbally or in writing and the University has one month in which to respond.
The request can be very broad, such as ‘give me a copy of all the information you hold about me’, or it can be very precise, such as ‘give me a copy of the letter you wrote about me yesterday’. Note that personal data on any communication channel (e.g. email, Microsoft Teams chat) may be subject to disclosure in response to an information rights request.
What to do if you receive a Subject Access Request?
All subject access requests should be forwarded immediately to the Information Governance Office who will coordinate a response.
Personal data used for the University's teaching, learning, research, administrative and commercial activities must be protected from unlawful disclosure which may result in harm and distress to the data subject and significant financial and reputational damage for the University.
This section provides guidance on how to protect the confidentiality of personal data.
Protecting personal data
Any device used to access University data must be password protected and it is a requirement that all University-owned laptops must be encrypted, regardless of funding source.
Personal data should only be removed and stored temporarily off the University’s central servers in exceptional circumstances. Personal data must never be kept on laptops, PCs, or portable storage (such as USB drives) unless the device or the file has been encrypted.
All paper-based personal data should be kept in locked storage such as filing cabinets. All filing cabinets should be locked at the end of the working day, and the office should always be locked whenever it is left unattended.
Disposal of personal data
Any material which contains personal information about identifiable individuals must be protected from unauthorised access and disclosure throughout its lifecycle, from creation to final disposal, as failure to protect such information may result in significant financial and reputational damage to the University.
'Blue bag' collection
Paper records which contain personal data must be shredded once they are no longer required. The 'blue bag' collection by Estates and Facilities does not provide a secure disposal route.
Personal data should only be stored on secure University network drives and must not be stored on portable media or desktop PCs unless appropriately encrypted. In the event that confidential information has been inappropriately stored, you should contact the IT Service Desk to determine whether it is possible to erase the data or ask them to arrange for it to be destroyed.
Further information is available regarding the disposal of confidential material.
Loss, theft or unauthorised disclosure of personal data
It is important that incidents involving personal data are reported as soon as possible to the University’s Information Governance Office.
Once the Information Governance Office has been notified, it will provide advice and guidance on the next steps to be taken to ensure that the rights of the individuals are protected and, where appropriate, inform the Information Commissioner’s Office.
The Information Governance Office can be contacted on 0161 275 7789 or by emailing firstname.lastname@example.org outside office hours.
Further information, including the forms which need to be completed, can be found at How to report a data protection incident.