Student Records Management in Academic Departments

These guidance notes should be read in conjunction with the University's Data Protection Policy.

The Data Protection Act 1998 gives individuals the right to access the information that an organisation holds on them. In order to comply with this part of the Act, organisations need to have in place effective means of extracting and retrieving information from a variety of sources.

Academic departments hold a great deal of information on their students, usually in a variety of forms and locations. In order to comply with a subject access request, departments will need to be able to locate and collate the information quickly. It is therefore vital that key personnel (typically Head of Department and/or Data Protection Adviser) know what information is held and by whom. Ideally, all information relating to individual students in academic departments should be kept in central departmental student record files (paper or electronic) so that, in the event of a subject access request, the department can be confident that all the information is easily accessible from a limited number of central sources. However, the University recognises that this may not always be the case in practice. Departments should ensure that departmental student record files are as complete as possible but it is acknowledged that there may be some instances where designated individuals* (e.g. Disability Co-ordinators, Personal Tutors) need to retain information on students which would not be appropriate for more general access.

* As departmental practice varies across the University, Data Protection Advisers will be responsible for agreeing lists of designated individuals who are likely to hold information on individual, or cohorts of, students. A database of designated individuals might be a useful tool to develop and the Data Protection Officer is happy to offer advice and assistance.

Information held on students can be categorised in one of two ways:

  • i)  “classified information” is information which a student has requested be kept confidential between the student and the designated individual to whom they disclose the information. Designated individuals should give students the opportunity to define information as classified (when, for instance, unauthorised access/disclosure of the information concerned to other staff in the department poses a risk of damage/distress to the student).
  • ii) “unclassified information” is all other information held on students which will be available for general access within the department.

The Data Protection Advisory Group has devised the following guidelines for academic departments to follow:

  1. Copies of unclassified information relating to an individual student should be lodged in the departmental student record file.
  2. Designated individuals may retain copies of classified information without copying it to the departmental student record file.
  3. Designated individuals may retain duplicate copies of any documentation (whether electronic or paper), particularly if the information is consulted on a regular basis.
  4. Members of staff, other than those responsible for the departmental student record files and designated personnel, should not retain information (electronic or paper) about individual students. Documentation should be filed either in the departmental student record file or with a relevant designated individual.
  5. Information should only be retained in accordance with the suggested retention periods in the University’s Records Retention Schedule.
  6. When a designated individual leaves the University, they should pass all information to the member of staff responsible for student files, to be either destroyed (in accordance with the University’s records retention schedule), or filed on the departmental student record file, or passed to a replacement designated individual.
  7. Students should be informed of what information is being held about them, what it will be used for, where it will be stored, and to whom it might be disclosed. This will normally be achieved via the departmental handbook, registration forms and other data collection forms.

If these guidelines are followed, personal information held on students can be easily located from a limited number of sources and departments will be much better prepared to respond to subject access requests efficiently.

For further guidance, please contact the University's Data Protection Officer.