Disclosing personal data
This section deals with:
It also provides a checklist for dealing with requests for personal data from third parties, a for dealing with requests that cite Section 29 (s.29) of the Data Protection Act (DPA) and guidance on releasing information to parents, other relatives and third parties.
The University is the data controller of all the data held by the different schools/offices within the University and in many circumstances it is permissible to pass personal data between schools/offices if the information sharing is reasonable and expected, and provided the Data Protection Principles are adhered to. In certain cases, personal data cannot be shared unless you have the explicit consent of the data subject. These cases include:
- sharing personal data that is sensitive or confidential
- sharing personal data for purposes of marketing
The Data Protection Principles state that personal data must be processed fairly and for limited purposes, which means that it should not be shared without good reason. So, for example, the University may process personal data of students applying for places and it is perfectly permissible for this information to be shared by student services and relevant schools.
The shared personal data must also be relevant and not excessive. So, for example, if a student's data is being passed to the Accommodation Office from an office that holds the student's full record, it is not necessary for the student's academic achievement details to be shared; only those details that are necessary for the Accommodation Office to do its job properly should be passed on.
The shared data must also be accurate and up to date, and not kept for longer than necessary. So, before sharing personal data with other offices/schools within the University, you should satisfy yourself that the data you are sharing is the most up to date available and that some procedures are put in place to ensure that the other office/school's record will be updated if and when necessary. You should also have a retention schedule in place to ensure that the data will be retained no longer than necessary. Also, shared information must be kept secure. You should ensure that the other office/school will store the data as securely as you do. There is no point in you locking away files in filing cabinets if the other office/school will keep the same information in folders on open shelves. Similarly, if you store the data in a password-protected electronic form, you should ensure that the other office/school will do the same.
Personal data must not be transferred to other non-EEA countries without adequate protection, so you must be sure that any other office/school you share information with understands this; this includes putting information up on the web, which is effectively publishing it to non-EEA countries.
When dealing with personal data you can consult the checklist for dealing with third party requests to help establish that you are processing according to the DPA. This checklist may also be useful when you are considering whether to share personal data with another office/school. If you have doubts whether to share or you are unclear, please contact us in order to confirm whether sharing is permissible within the terms of the DPA.
Some of the advice given in the applies equally well to dealing with requests from other schools/offices within the University. For example, whenever you are passing on personal data, you should ensure the identity of the enquirer before disclosing the information, especially when the request is made by telephone. Also, in the case of an enquiry, good practice would be to take the contact details of the enquirer and pass them on to the subject concerned.
Students enquiring about other students should be treated as external enquirers, not internal enquirers.
The University receives regular requests from a whole range of third party sources asking staff to confirm various facts about staff and/or students. In general, the DPA does not allow disclosure to such third parties, which includes relations, sponsors and others acting in a similar role. However, under certain circumstances disclosure is permitted, subject to the identity of the requestor being confirmed as described in the checklist for dealing with third party requests.
Disclosure of personal data is permitted only in the following circumstances:
- if written consent from the individual concerned has been obtained or
- if it is for the purposes of a legitimate interest pursued by the third party or
- in certain exceptional circumstances
In most cases, you should refer external requests regarding students to and external requests regarding staff to Human Resources. Media enquiries should always be referred to firstname.lastname@example.org.
A list of the third parties to whom the University may disclose personal data of students, including sensitive personal data, is given in the section Students' Fair Processing Notice (FPN).
Further guidance is given on releasing information to parents, other relatives and third parties.
If you know that you will need to pass on personal data to a third party, for example when a student has a sponsor, it is advisable to state this clearly when collecting the information and identify the purpose for which the personal data will be used. Advice on how you do this is given in .
The third party is not allowed to use the personal data for any other purpose than that stated when the data is collected.
Disclosing information to a third party for a legitimate interest is permitted only if disclosure would not prejudice the rights and freedoms or legitimate interests of the data subject. For example, if the police require information about a particular person, they must produce the appropriate data protection release form. The third party requesting the information should be happy to explain the legal basis for their enquiry but, if you are in doubt, take a message and contact us for assistance. If the request cites s.29 of the DPA you should read our on this subject.
Except in exceptional circumstances personal data should not be disclosed to third parties.
Exceptional circumstances could include:
- protecting the vital interests of the data subject (ie release of medical data where failure to release the data would result in harm to, or the death of, the data subject)
- preventing serious harm to a third party that would occur if the data were not disclosed
- safeguarding national security
- prevention or detection of crime
- apprehension or prosecution of offenders
- assessment or collection of any tax or duty or of any imposition of a similar nature
- discharge of regulatory functions, including securing the health, safety and welfare of persons at work
If you think any of these exceptional circumstances apply, contact us before disclosing any personal data. If the request cites s.29 of the DPA you should read our on this subject.
There are some recommended ways of dealing with requests for personal data of another person or persons by a third party:
- when dealing with enquiries by telephone, it is good practice to offer to telephone back with the information to ensure some measure of authentication, or perhaps send them the information by an alternative (recordable) means
- it may be best if the third party could arrange for the data subject to request the information on their behalf
- as an alternative to divulging a student's personal data, you could accept a sealed envelope to forward to the student's last-recorded address or you could forward an incoming email message to a student. However, you must take care not to confirm the student's status in the process of arranging this
- where the matter is urgent, you should attempt to contact the data subject by telephone or other means in order to put him or her in touch with the enquirer
- if you refuse a request for information about a data subject, but the subject-matter of the enquiry is clearly of importance to the data subject, you should inform them of the enquiry unless this is against the interests of the enquirer. This will allow the data subject to contact the enquirer should they so wish
You should always take care to prevent the inadvertent disclosure of personal data (for example a student's attendance at the University) to unauthorised third parties. If you receive enquiries as to whether a named person is a student of the University, the enquirer should be asked why the information is required. If the reason is not one that would justify disclosure, you should decline to comment one way or the other. Similarly, even if the data subject is not known to the University, a similar response should be given to ensure a consistent approach. (A firm "No" when the individual is not known makes any other response a tacit "Yes".)
Enquiries from Embassies and High Commissions should be treated with extreme caution. Data subjects may choose to have little or no contact with representatives of their home states; the extent of the relationship is a matter for the data subject, not the University, to determine.
If you are not sure, you should contact us to discuss the issues before disclosing any personal data.
Further guidance is available on releasing information to parents, other relatives and third parties.
About us
- Telephone: +44 (0) 118 378 8981