Student Records Management in Support Services

These guidance notes should be read in conjunction with the University's Data Protection Policy.

The Data Protection Act 1998 gives individuals the right to access the information that an organisation holds on them. In order to comply with this part of the Act, organisations need to have in place effective means of extracting and retrieving information from a variety of sources.

Support Services potentially hold a great deal of information on students from all departments, usually in a variety of forms and locations. In order to comply with a subject access request, sections will need to be able to locate and collate the information quickly. It is therefore vital that key personnel know what information is held and by whom. Ideally, all information relating to individual students should be kept in one central place (includes paper and/or electronic records) so that, in the event of a subject access request, the section can be confident that all the information is easily accessible from one central source. However, the University recognises that this may not always be the case in practice. Sections should ensure that central student files are as complete as possible but it is acknowledged that there may be some instances where designated individuals* need to retain information on students which would not be appropriate for more general access.

*Data Protection Advisers will be responsible for agreeing lists of designated individuals within the section who are likely to hold information on students. A designated individuals database might be a useful tool to develop to oversee the process and the University Data Protection Officer is happy to offer advice and assistance.

Information held on students can be categorised in one of two ways:

  • i. “classified information” is information which a student has requested be kept confidential between the student and the designated individual to whom they disclose the information. Designated individuals should give students the opportunity to define information as classified (when, for instance, unauthorised access/disclosure of the information concerned to other staff in the department poses a risk of damage/distress to the student).
  • ii. “unclassified information” all other information held on students which will be available for general access within the section.

The Data Protection Advisory Group has devised the following guidelines for support service sections to follow:

  1. All support service sections that hold information on students should notify the University Data Protection Officer (through Data Protection Advisers) so that appropriate action can be taken (i.e. all possible sources checked) in the event of a full subject access request.
  2. Copies of unclassified information relating to an individual student should be lodged in a single location/folder/file (hereon referred to as student file). All student files should be kept together, in one place in this section. Some sections may choose to also lodge copies of information with the Student Records Office but this is not a mandatory requirement.
  3. Designated individuals may retain copies of classified information without copying it to the student file.
  4. Designated individuals may retain duplicate copies of documentation (whether electronic or paper), particularly if the information is consulted on a regular basis.
  5. Where filing practice is to keep separate files for certain activities (eg Impaired Performance Claims, Student Discipline, Fines), the student file (paper or electronic) should be marked to indicate that other information is held at a separate location.
  6. Members of staff, other than those responsible for the student files and designated personnel, should not retain information (electronic or paper) about individual students. Documentation should be filed either in the student file or with a relevant designated individual.
  7. Information should only be retained in accordance with the suggested retention periods in the University’s Records Retention Schedule.
  8. When a designated individual leaves the University, they should pass all information to the member of staff responsible for student files, to be destroyed (in accordance with the University’s records retention schedule), or filed on the departmental student record file, or passed to a replacement designated individual.
  9. Students should be informed of what information is being held about them, what it will be used for, where it will be stored, and to whom it might be disclosed. This will normally be achieved via the Student Handbook, registration forms and other data collection forms.

If these guidelines are followed, personal information held on students can be easily located from a limited number of sources and the University will be much better prepared to respond to subject access requests efficiently.

For further guidance, please contact the University's Data Protection Officer