Internal, open access

Data protection and Freedom of Information

Information Compliance

The three main information compliance regimes - Freedom of Information Act 2000 (FOI), Environmental Information Regulations 2004 (EIR) and the Data Protection Act 1998 (DPA) - impose obligations on Tutors, especially regarding record keeping. Any notes recorded by Tutors are covered by the DPA and FOI (or EIR, depending on the nature of the notes).

Broadly speaking the regimes cover the following information:

  • DPA covers 'personal information'
  • EIR covers 'environmental information' (broadly defined)
  • FOI covers everything else that is not environmental or personal information

The FOI and EIR provide the public with broad rights of access to information on any subject about which the University holds information. The DPA provides individuals, including both members of staff and students, with several rights:

  1. to know what information about them is processed by the University, and why
  2. to obtain access to their personal information (subject access right)
  3. to update their personal information, or, where appropriate, to have such information corrected or erased
  4. to expect that their privacy will be respected.

The most important and significant right above is 2. Students have the right to access all the recorded personal information the University holds on them, in both electronic and manual formats. This right is very powerful and the wide definition of 'personal data' ensures that they will have access to:

  • Emails that their Tutor holds on the student
  • Examiners' comments on an examination script
  • The entire student record held on RISIS
  • Handwritten notes held by a tutor relating to them
  • Progress reports
  • Identifying data (e.g. name, addresses, programme and module details).

Although the above rights are mediated to prevent any third party rights to privacy being infringed, and there are exemptions to some types of information, such as examination scripts, it is best to work on the assumption that students (and staff) have got rights to access most of their personal information recorded by the University.

Personal information that is sensitive, i.e. concerning ethnic origins, political opinions, religious beliefs, trade union membership, health (mental and physical), sexual life and criminal history, should only be processed in appropriate circumstances, such as a medical context or in the pursuit of equal opportunities, as special conditions, such as the explicit consent of the student, apply. If you are processing sensitive personal information please refer to IMPS for advice.

The DPA requires that the University ensures that the personal information it processes is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with individuals' rights
  • Kept secure
  • Not transferred abroad without adequate protection.

In practice, observing the principles and complying with the DPA means:

  • As far as possible, limit information recorded about a student to that which reflects legitimate University business.
  • Ensure each student knows, in general terms, what information you hold and why.
  • Ensure records you make are accurate, relevant and justifiable, and use appropriate language.
  • If you are writing references, please follow University guidance:
  • Adverse comments, in particular, should be worded in an appropriate, professional manner. Bear in mind that what you commit to paper or email may be accessible to the student under the DPA.
  • Keep records secure.
  • If you work from home, please follow the University guidance:
  • Only allow appropriate access to any records.
  • Dispose of records appropriately, not holding them longer than necessary and using confidential waste. Advice on how long to hold student records can be found at
  • If you are asked to disclose students' personal information over the phone, follow this guidance:
  • Staff who supervise students who will be processing personal data as part of their studies should inform their IMPS Contact or the University's Data Protection Officer to ensure that the activity is covered by the University's registration with the Information Commissioner.
  • Completing both the FOI and DPA training modules: and

Further information about DPA, including detailed guidance, collecting personal data, using photographic images etc. is available at

Things to do now

  • If you have any questions, or need advice on handling a specific case, please contact:

IMPS (Information Management and Policy Services)
Whiteknights House
