Disclosure of Student Information

The University must ensure that personal data held on students are not disclosed to unauthorised third parties including family members, friends, government bodies and in certain circumstances, the Police. All staff should exercise caution when asked to disclose personal data held on students to third parties.

These guidance notes should be read in conjunction with the University's Data Protection Policy, which includes a section on Disclosure of Data.  This document is Appendix V to the Data Protection Policy.

Section

Further guidance


Section 1: General Information

Disclosing Personal Data 

In accordance with Principle 1 of the Data Protection Act, personal data should only be disclosed if one of the conditions set out in Schedule 2 are met. The most likely conditions applicable to the disclosure of student data to third parties are:

  1. the student has given their consent
  2. the disclosure is in the legitimate interests of the university or the third party to whom the information is being disclosed (except where this would prejudice the rights, freedoms or legitimate rights of the student)
  3. statutory obligation of the University (eg HESA and other Funding Council statistical returns)
  4. disclosure is required for performance of a contract (eg contract between student and sponsor)

Disclosing Sensitive Personal Data

In accordance with Principle 1 of the Data Protection Act, sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions) should only be disclosed if one of the conditions set out in Schedule 2 (see above) AND one of the conditions set out in Schedule 3 are met. The most likely conditions (of Schedule 3) applicable to the disclosure of sensitive student data to third parties are:

  1. the student has given their explicit (ideally written) consent
  2. statutory obligation of the University (eg equal opportunities monitoring)
  3. disclosure is in the vital interests of the student (eg information relating to a medical condition may be disclosed in a life or death situation)

Disclosing Personal Data Overseas

In accordance with Principle 8 of the Data Protection Act, personal data should only be disclosed outside of the EEA (the fifteen EU Member States together with Iceland, Liechtenstein and Norway) if one of the conditions set out in Schedule 4 are met. The most likely conditions applicable to the disclosure of student data to third parties overseas are:

  1. the student has given their explicit (ideally written) consent
  2. disclosure is required for performance of a contract
  3. disclosure is necessary for the purpose of any legal proceedings

Informing Students of Disclosures and Obtaining Consent

Students should be informed of predictable disclosures (such as confirmation of student status, responding to a request for a reference) when they register with the University. Some students will choose to opt out of certain processing (including disclosures) on their registration form. This information is recorded on the University database and all staff should check a student's record before releasing any information.

In less predictable situations (eg parent phoning for financial details, taxi firm who has found wallet and wants to contact student) where the student has not been previously informed of a possible disclosure, the student should give their consent before any information is released.

The University understands "consent" to mean that the student has signified their agreement whilst being in a fit state of mind to do so and without pressure being exerted upon them. There must be some active communication between the parties, consent cannot be inferred from non-response to a communication. In most cases, verbal consent should be acceptable so long as proper security checks are made to ensure that the person giving the consent is the student. For telephone consent, this will mean asking the subject to confirm several separate facts that should be privy only to them (student identity number, date of birth etc). For sensitive data, explicit written consent of students should be obtained unless an alternative legitimate basis for processing exists (see above).

There are certain exemptions (Section 29) from the requirement to inform students of disclosures if the information is being released for the prevention or detection of crime AND if informing the student of the disclosure would prejudice the enquiries. See Section 2 for further detail.

Requirement to Disclose?

Except in cases where there is a statutory obligation for an HEI to comply with a request for student data, there is no compulsion to make a disclosure, even in cases where the Act allows this. Unless there is a legal or statutory obligation, you are advised not to disclose any personal information about students without their consent. Please note that disclosure includes confirmation of a student's presence at the University. If you are in any doubt as to the legitimacy of a disclosure, then no disclosure should be made.

Method of Disclosure

Disclosures should not be made over the telephone. The minimum security option is to take a number and ring the enquirer back. However, it is strongly advised that all enquirers should be asked to submit their requests in writing (where appropriate on headed paper). Once you have checked whether or not the request is legitimate, you should, wherever possible, reply in writing.


Section 2: Disclosure to Work Colleagues

You should always think carefully before disclosing students' personal information to work colleagues whether they be from within, or external to, your own department. Under the Data Protection Act, you should not disclose personal data to colleagues unless they have a legitimate interest in the data concerned. As there is no definition as to what a "legitimate interest" is, it will have to be a matter of judgment in each case. As a rule you should consider whether or not the information is necessary to allow your colleague to perform their job. So for instance, it would be legitimate to pass information to the Graduation Office regarding student addresses, degree classification and disabilities if special arrangements were needed to enable the student to attend the ceremony.

When sharing information with colleagues, you should consider the level of detail necessary to enable them to perform their job. So for instance, if you knew that a student was going to be absent for a significant period of time, you may wish to notify colleagues in the department of this fact. However, it might not be appropriate for all colleagues to be made aware of the specific reasons (health or otherwise) resulting in the absence.


Section 3: Disclosure to Relatives/Guardians and Friends

The University has no responsibility or obligation to disclose any personal information relating to students to relatives, even if they are contributing to tuition fees.

All students are given the opportunity, both at initial registration and re-registration to provide a data release password. The student may then provide that password to a third party and tell them to quote it whenever they contact the university about them.

You should always check a student's record to see whether or not the third party is quoting the password held on record. You may come under pressure to discuss individual students with parents/guardians or even friends. However, in these situations it is essential that you do not disclose personal data without the prior consent of the student - it would be a breach of the Data Protection Act to do so. If the student has provided their password to a third party (see above) they are understood to have given prior consent.

You are, of course, free to discuss institutional procedures with parents (eg describing reassessment procedures, releasing dates of graduation ceremonies according to department or programme, advising on when invoices should be paid by) but the specific circumstances of an individual student cannot be discussed without the consent of that student.

There may be occasional, exceptional circumstances (in which a student’s life or health is threatened) in which the usual need to get consent before disclosing to parents/guardians may be waived. The University holds details of students' "next of kin" for such purposes.


Section 4: Confirmation of Student Status and Award

Student status is regarded as personal data and therefore must be processed in accordance with the Data Protection Act, this includes protecting the information against unauthorised disclosure. By confirming whether or not an individual is (or has been) registered at the University could be a breach of the Act.

The University receives enquiries regarding individuals' student status on a regular basis. The nature of the third party requiring the information can range from current or prospective employers genuinely trying to confirm details on a job application form to estranged or abusive partners trying to trace an individual's whereabouts. Therefore, whenever faced with a request for confirmation of student status, you should exercise caution before responding. The majority of requests will be from agencies with a genuine interest in the information. For this reason, students are informed (on their registration form) that, if requested, details of their student status and final award, will be disclosed to the Home Office, the Police and prospective/current employers/educational institutions. Students are given an opportunity to opt out of these disclosures and so you should always check the student's record before responding. You should always employ appropriate security measures to check the identity of the enquirer and you should not disclose the information over the telephone. Wherever possible, ask the enquirer to put their request in writing, preferably on headed paper.

For other enquirers, where there is no statutory or other legal obligation for you to disclose information, you should not confirm or deny the student status of an individual without their consent.


Section 5: Disclosure to Sponsors (includes Student Loan Company and Research Councils)

Students are informed that details of their attendance and progression may be passed to sponsors on their registration form and are given an opportunity to object to such disclosures. Before releasing information to a sponsor, you must check the student's record to make sure that they have not opted out of the processing.

Some third parties may choose to sponsor a prize and are therefore likely to request personal information regarding the prize-winners. You are advised to make prize-winners aware that their acceptance of the prize will indicate consent for their details to be disclosed to the prize-giver. Only relevant information (name and (in some cases) academic performance) should be released to the sponsor. Student addresses should not be released and the University must undertake to post cheques (and other related correspondence) to the student on behalf of the sponsor.


Section 6: Disclosure to Local Education Authorities

Local Authorities (LAs) assess undergraduate student eligibility for fees and loan payments. The first assessment is conducted between the student and the LA and the University would not be involved at this stage. However, LAs do require confirmation of students' registration status. The University is under a statutory obligation to make such disclosures and students are informed of this when they register (Student Handbook). Disclosures to LAs should be limited to the facts. Student consent is required if sensitive data (e.g. regarding health) is to be disclosed to their LA.


Section 7: Disclosure to current and prospective Employers and Educational Institutions

You may receive requests for information regarding individual students (current or former) from current/prospective employers/educational institutions. Typically this occurs when the student has applied for a job or a place on a programme of study. The disclosure will usually be in the best interests of the student and more often than not, the student will be aware that such a request would be made. The information released should be kept to a minimum - usually registration status and/or award. As disclosures of this nature are a regular occurrence, students are informed on their registration form and given the opportunity to opt out. Before releasing the information, you should check the student's record to make sure they have not opted out of this processing. As always, care must be exercised in the method of disclosure (see Section 1).

See Section 8 for more detail on Personal References.


Section 8: Requests for Personal References

If you receive a request for a personal reference relating to a student, you should ensure that

  • the information contained in the reference is FACTUALLY correct
  • where possible, keep the disclosure to a minimum (student's dates of study, marks and/or degree class, registration status)
  • sensitive data (e.g. details of health to explain absences from the University) must not be disclosed without the explicit consent of the student
  • where opinions about a person's suitability are disclosed, your comments are defensible and justifiable on reasonable grounds
  • if you are unable or unwilling to give a reference, such a refusal is communicated carefully, without, in effect, implying a negative reference and thus disclosing personal data
  • you do not disclose any information if asked to give an unsolicited reference (for a student who has not, to your knowledge, cited your name as a referee)

The identity of the person requesting the reference should always be confirmed prior to disclosure. Requests for references should usually be made in writing on headed paper. If you receive an email request for a reference, you should be assured that it is a valid request. If it is from a known source or company domain, you should process the request but you may wish to reply in written format to a known postal address for the company/organisation. If the email domain is not familiar, you are advised to investigate further.

Telephone references are not usually recommended. However, they are acceptable if the student has specifically asked you to provide a reference at short notice. As a minimum security measure it is recommended to ring the enquirer back to check that they are who they claim to be.

Students are informed, on the registration form that we will confirm student status and degree award to prospective employers. Students are, of course, given the opportunity to opt out of this and if they do so, it will be recorded on their student record. The Student Handbook also informs students that we archive student records after graduation, in order to confirm requests from prospective employers, provide references etc.

If a student cites your name as a referee, it is understood that they are giving consent for you to disclose information (regardless of whether they have opted out on their registration form). If you are not aware that a student has cited you as a referee, you should check the validity of the request.


Section 9: Work Placements & Exchanges with other Institutions

Where students undertake industrial placements or formal exchanges with other institutions, there will, of necessity, be a limited flow of student data between Loughborough University and a third party. Students should be made aware of such disclosures before the placement or exchange begins.

Where the work placement or exchange institution is based outside the EEA (15 EU member states plus Iceland, Liechtenstein and Norway), you should ensure that you have the consent of the student concerned. Data protection laws outside of the EEA can be less stringent (if they exist at all) and unless you obtain consent from the student, you could be in breach of the eighth data protection principle.


Section 10: Disclosures to the Police and Legal Proceedings

Disclosures to the Police

Disclosures to the Police are NOT compulsory except in cases where the University is served with a Court Order requiring information. However, Section 29 of the Data Protection Act 1998 does allow limited exemptions from the first Principle meaning that the University may release information to the Police without the consent of students in limited circumstances. Such disclosures should only be made if the Police confirm that they wish to contact a named individual about a specific criminal investigation and where the University believes that failure to release the information would prejudice the investigation. Staff must not release information to the Police over the telephone. The Police must inform the University in writing. Most Police Forces will have their own request form which should always include a statement confirming that the information requested is required for the purposes covered in Section 29, a brief outline of the nature of the investigation, the student's role in that investigation, and the signature of the investigating officer.

Legal Proceedings

Section 35(2) of the 1998 Act exempts data from the non-disclosure provisions (eg obtaining consent from student) in cases where disclosure is necessary "for the purpose of, or in connection with, legal proceedings…..or for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights". In practice this means that the University can disclose information regarding students to its own solicitors when seeking proper legal advice about a case. However, for cases that do not directly involve the University, information should only be disclosed if the relevant student's permission can be obtained. If the information is vital to a case, a Court Order may be issued demanding the information. Section 35(1) specifically allows data controllers to disclose without consent from the data subject (student) when confronted with a Court Order.


Section 11: Audit

Like all other Higher Education Institutions, Loughborough University appoints external and internal auditors who will see some students' personal data during the course of their investigations. Audits of the student record are also conducted by the DfES, TDA and the European Audit Commission. Students are made aware of this possibility when they register (Student Handbook) and therefore, in registering, give their consent for disclosure to auditors.


Section 12: Survey/Research Organisations

Survey/Research Organisations may approach you for a list of addresses or emails for students in your department so that they can market their services or circulate a survey. You must not release this information but instead can offer to mail the information/survey on their behalf. If you do decide to undertake a host mailing, you should include a statement explaining the context of the mailing and reassuring students that their personal data have not been released to the third party. Students are given an opportunity to opt out of such mailings when they register and University systems are designed to take this into account.


Section 13: Forwarding Student Correspondence on behalf of a Third Party

You should not release student addresses or contact details to a third party without the consent of the student. Instead you may offer to forward correspondence to a student on behalf of a third party. Sometimes you may even receive unsolicited correspondence with a request to forward it to a student. You must take care when handling such requests. Remember that an individual's student status is personal data. Therefore if you receive such a request it is important to neither confirm nor deny that that person is a student at the University.

 

For further guidance, please contact your Departmental Data Protection Advisor or the University's Data Protection Officer.