Telephone Protocol for the Disclosure of Personal Data

The University must ensure that personal data held on individuals are not disclosed to unauthorised third parties, including family members, friends, government bodies and, in certain circumstances, the Police. All staff should exercise caution when asked to disclose personal data to third parties. These notes are intended to provide guidance for staff who deal regularly with telephone calls from third parties requesting personal data on students and staff, and should be read in conjunction with the University's Data Protection Policy. This document is Appendix VI to the policy.

Section

  1. General Information on Disclosure of Personal Data.
  2. Internal (within University) Disclosures by Telephone.
  3. External (outside University) Disclosures by Telephone.
  4. Conclusion


Section 1: General Information on Disclosure of Personal Data

Disclosing Personal Data

In accordance with Principle 1 of the Data Protection Act, personal data should only be disclosed if one of the conditions set out in Schedule 2 is met. The most likely conditions applicable to the disclosure (over the telephone) of student or staff data to third parties are:

  1. the student or member of staff has given their consent.
  2. the disclosure is in the legitimate interests of the university or the third party to whom the information is being disclosed (except where this would prejudice the rights, freedoms or legitimate rights of the student or member of staff).
  3. disclosure is required for performance of a contract (eg contract between a student and their sponsor).

Disclosing Sensitive Personal Data

In accordance with Principle 1 of the Data Protection Act, sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions) should only be disclosed if one of the conditions set out in Schedule 2 (see above) AND one of the conditions set out in Schedule 3 are both met. The most likely conditions (of Schedule 3) applicable to the disclosure (over the telephone) of sensitive student or staff data to third parties are:

  1. the student or member of staff has given their explicit (ideally written) consent.
  2. disclosure is in the vital interests of the student or member of staff (eg information relating to a medical condition may be disclosed in a life or death situation).

Disclosing Personal Data Overseas

In accordance with Principle 8 of the Data Protection Act, personal data should only be disclosed outside of the EEA (the fifteen EU Member States together with Iceland, Liechtenstein and Norway) if one of the conditions set out in Schedule 4 is met. The most likely conditions applicable to the disclosure (over the telephone) of student or staff data to third parties overseas are:

  1. the student or member of staff has given their explicit (ideally written) consent.
  2. disclosure is required for performance of a contract.
  3. disclosure is necessary for the purpose of any legal proceedings.

Consent

The University understands "consent" to mean that the student or member of staff has signified their agreement whilst being in a fit state of mind to do so and without pressure being exerted upon them. There must be some active communication between the parties; consent cannot be inferred from non-response to a communication. In most cases, verbal consent should be acceptable so long as proper security checks are made to ensure that the person giving the consent is the student or member of staff. For telephone consent, this will mean asking the subject to confirm several separate facts that should be privy only to them (student/staff identity number, telephone number, date of birth etc). For sensitive data, consent should NOT be obtained over the telephone and explicit written consent of students or staff should be obtained unless an alternative legitimate basis for processing exists (see above).


Section 2: Internal (within University) Disclosures by Telephone

You should always think carefully before disclosing student or staff personal information to work colleagues whether they be from within, or external to, your own department. Under the Data Protection Act, you should not disclose personal data to colleagues unless they have a legitimate interest in the data concerned. As there is no definition as to what a "legitimate interest" is, it will have to be a matter of judgment in each case. As a rule you should consider whether or not the information is necessary to allow your colleague to perform their job. When sharing information with colleagues, you should consider the level of detail necessary to enable them to perform their job.

If you can identify the member of staff making the telephone enquiry (eg from their voice) and you are satisfied that they have a legitimate reason for requesting the personal information, you may disclose this over the telephone. Take care to ensure that in disclosing the information over the phone, you are not inadvertently disclosing the information to other members of staff. This is particularly important in the case of sensitive personal data and for staff working in an open plan office.

If you cannot be sure of the identity of the member of staff making the telephone enquiry, you should ask them to put the request in writing (email is preferable) so that you can deal with it at a later stage. Again, before releasing the information, you need to be satisfied that the member of staff is requesting the data for a legitimate purpose. Ask the enquirer to indicate what they will be using the information for and keep the written communication as background evidence should the disclosure be questioned at a later date. To avoid embarrassment you could say that you do not have the information to hand and that you need time to find it and get back to them. Alternatively you could offer to take a contact telephone number and call them back later once you have gathered the information.


Section 3: External (outside University) Disclosures by Telephone

General

In general, disclosures to external bodies/companies/agencies/individuals should not be made over the telephone. It is strongly advised that you ask enquirers to submit their requests in writing (where appropriate on headed paper). This will give you time to check whether or not the request is legitimate and where possible obtain consent for the disclosure from the member of staff or student about whom information is requested. You should, wherever possible, reply to the request in writing.

The University recognises that in some exceptional situations, time constraints and other factors make it a necessity to disclose information over the telephone. Good practice is considered to be only releasing information to those individuals who have access to a unique identifier (UCAS no., staff or student number) or know at least 3 identifying data (e.g. name, address and date of birth) about the data subject. This should minimise the potential for damages because a relationship between the data subject and the caller has been established. If you find yourself in a position where it is necessary to disclose information over the telephone, you should take a contact number and ring the enquirer back. This will go some way to ensuring that the caller is who they say they are. Even the above procedures could be subject to fraud and should only be used when no other alternative exists. In such cases, the University should at least be regarded as having taken reasonable precaution given the circumstances - i.e. that the security in place was appropriate to the risk involved in unlawful processing of data. As always, particular care should be taken when disclosing sensitive personal data or information that could potentially cause the student or member of staff to suffer subsequent damage and/or distress.

Please note that even confirming whether or not a student or member of staff studies or works at the University could be a potential breach of the Act.


Disclosure to Parents (Student Information)

The University has no responsibility or obligation to disclose any personal information relating to students to parents or other relatives, even if they are contributing to tuition fees.

All students are given the opportunity at initial and re-registration to provide a data release password. The student may then provide that password to a third party and tell them to quote it whenever they contact the University about them.

You should always check a student's record to see whether or not the third party is quoting the password held on record. You may come under pressure to discuss individual students with parents/guardians or even friends over the telephone. However, in these situations it is essential that you do not disclose personal data without the prior consent of the student - it would be a breach of the Data Protection Act to do so. If the student provided their password to a third party (see above) they are understood to have given prior consent.

You are, of course, free to discuss institutional procedures with parents (eg describing reassessment procedures, releasing dates of graduation ceremonies according to department or programme, advising on when invoices should be paid by) but the specific circumstances of an individual student cannot be discussed without the consent of that student.

There may be occasional, exceptional circumstances (in which a student’s life or health is threatened) in which the usual need to get consent before disclosing to parents/guardians may be waived. The University holds details of students' "next of kin" for such purposes.


What to do if someone calls claiming to be a student

You may receive telephone calls from individuals claiming to be students and asking, for example, for their examination results. Unless you are 100% sure that the person on the line is who they claim to be, you should not disclose information over the telephone. You are advised to ask for confirmation of the student's ID number, home address and date of birth before proceeding with the call. If the caller can provide the details accurately, make a note of the information that they require and inform them that you will send it to their University email address. If this is not possible because, for instance, they are off campus, you should send the information to them at an address recorded on the University database. If the caller insists that they need the information urgently, you may take a contact telephone number and call them back with the information.


Home Addresses, Telephone Numbers and E-mail addresses

You should never give out personal/home addresses or telephone numbers of staff or students to third parties over the telephone unless you have been given explicit (in writing) permission by the individual. Instead you could a) take the caller's contact details and say you will pass a message asking the student or member of staff to contact them if they are in the University or b) offer to forward correspondence to a student or a member of staff on behalf of the caller. You must take care when handling such requests. Remember that an individual's student/staff status is personal data. Therefore if you receive such a request it is important to neither confirm nor deny that that person is a student or member of staff at the University.

However, it would usually be deemed appropriate to disclose a colleague's work contact (telephone and departmental address) details in response to an enquiry regarding a particular function for which they are responsible. If you are asked to disclose another member of staff's email address, you should ask the caller to send the email to you and inform them that you will forward the message on to the individual they are trying to contact if they are a member of the University. It would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work related matter.


References

Telephone references are not usually recommended. However, they are acceptable if you have been specifically asked by a student or a member of staff to provide a reference at short notice. The identity of the person requesting the reference should always be confirmed prior to disclosure. As a minimum security measure it is recommended that you ring the enquirer back to check that they are who they claim to be.

When disclosing information in the form of a personal reference please ensure that:

  1. the information you disclose is FACTUALLY correct;
  2. the disclosure is kept to a minimum (dates of study/employment, marks and/or degree class, positions held);
  3. sensitive data (e.g. details of health to explain absences from the University) are not disclosed without the explicit consent of the student or member of staff;
  4. where opinions about a person's suitability are disclosed, your comments are defensible and justifiable on reasonable grounds;
  5. if you are unable or unwilling to give a reference, such a refusal is communicated carefully, without, in effect, implying a negative reference.


Disclosures to the Police

Disclosures to the Police are NOT compulsory except in cases where the University is served with a Court Order requiring information. However, Section 29 of the Data Protection Act 1998 does allow the University to release information to the Police WITHOUT the consent of students or members of staff in LIMITED circumstances. Such disclosures should only be made if the Police confirm that they wish to contact a named individual about a specific criminal investigation and where the University believes that failure to release the information would prejudice the investigation. If you are contacted by the Police and are not sure how to deal with their request you can get in touch with the Data Protection Officer or staff in the Security Office for advice on how to deal with the enquiry.

The Police MUST request the information from the University in writing. You are NOT obliged to release information to the Police over the telephone. Most Police Forces will have their own request form, which should always include:

  1. a statement confirming that the information requested is required for the purposes covered in Section 29;
  2. a brief outline of the nature of the investigation;
  3. the data subject's role in that investigation;
  4. the signature of the investigating officer.


Section 4: Conclusion

The purpose of the Data Protection Act 1998 is to protect the rights and privacy of individuals with regard to their personal information. At times you may feel like you are being obstructive to callers asking for information about students or members of staff. In these cases, explain that the information falls under the Data Protection Act. Follow the above guidelines in a courteous and professional manner and in most circumstances you should not experience too many problems. However, if you are faced with a particularly difficult caller, do your best to defuse the situation without losing your temper. Explain that you are following guidelines approved by the University and that by providing the information over the telephone, you could be breaking the law. The University has adopted some standard phrases to help you.

Remember:

  • There is no such thing as a Data Protection emergency (except where someone's life or health may be at risk). You are well within your rights to stall a caller whilst you seek further information and advice.
  • If in doubt ASK your Data Protection Advisor or contact the University's Data Protection Officer.