Lancaster University

Policy on dealing with requests for information on students and staff - HR/882

The Data Protection Act 1998 provides individuals (Data Subjects) with a greater degree of control over the parties to whom their personal data is released. The University must therefore ensure that personal data is not disclosed to unauthorised third parties which may include family members, friends, local authorities, government bodies (both UK and Foreign) and in certain circumstances the Police.

Data may be legitimately disclosed only where specific conditions or exemptions as set out in the Act apply. These include:

• where the individual has given their consent,
• where the disclosure is in the legitimate interests of the institution, e.g. disclosures to staff (see requests for information within the university),
• where the institution is legally obliged to disclose the data, e.g. Disclosures to HESA made under the terms of the 1992 Education Act,
• where the disclosure of data is required for the performance of a contract, e.g. if a student has a contract with a sponsor and the sponsor needs, therefore, to keep in touch with the student's progress,
• where specific exemptions for disclosure without consent apply (see Disclosures without Consent).

Requests for information from within the University

When a University employee requests personal data about another individual, such information should only be released if it is clear that the member of staff requires that information in order to perform his/her official duties. In the case of any doubt the request should be referred to the Head of Department or nominee.

Requests for information from outside the University

When members of staff receive enquiries as to whether a named person is a student or a member of staff of the University, the enquirer should be asked why the information is required. If the reason is not one that would justify disclosure without consent (see below), the member of staff should decline to comment one way or the other. Please remember that merely confirming that an individual is a member of the University may constitute an unauthorised disclosure.

Enquiries from Embassies and High Commissions should be treated with extreme caution as Data Subjects may choose to have little or no contact with representatives of their home states, the extent of the relationship is a matter for the Data Subject, not the University, to determine.

Disclosure without Consent

Certain disclosures are permitted under the Data Protection Act 1998 provided one or more of the following criteria are met:

• **For the purpose of safeguarding national security,
• **For the purpose of preventing or detecting crime including the apprehension or prosecution of offenders,
• **For the assessment or collection of tax or duty,
• **To discharge regulatory functions, including securing the health, safety and welfare of persons at work.
• For the purpose of preventing serious harm to a third party if the data were not disclosed,
• For the purpose of protecting the vital interests of the individual i.e. release of medical data without which the individual could suffer harm,

** Requests relating to disclosures of this nature (including enquiries from the police) should be supported by the appropriate paperwork and referred to the appropriate Data Protection authority: see Sources of Advice.

Telephone Requests

Under normal circumstances information should not be provided in response to a telephone request as individuals may use deception to gain access to information to which they are not entitled.

Bodies/individuals that request personal data should be asked to provide a written or faxed request and/or provide documentary evidence to support their request, e.g. many police forces have a specific procedure that officers must follow to obtain official documentation stating that the information is required in support of an ongoing investigation. The absence of such documentation or a warrant may justify refusal to disclose the requested personal data.

Ideally, the request for the disclosure of the details to the third party should either come from the Data Subject directly, or a statement should accompany the request from the third party from the Data Subject consenting to the disclosure.

Action when disclosure is refused

If the subject matter of the enquiry is evidently of importance to the Data Subject, they should be informed of the enquiry. This will allow the Data Subject to contact the enquirer should they so wish.

As an alternative to divulging personal data, the University may be willing to accept a sealed envelope which it will attempt to forward to the student or staff member's last-recorded address or to forward an incoming email message.

Where the matter is urgent, an attempt should be made to contact the individual by telephone or other means in order to put him/her in touch with the enquirer.

N.B. Forwarding such information should be done conditionally i.e. 'if the person is a student/staff member' to avoid confirming their presence or absence at the institution.

Sources of Advice

In Summary

• treat all personal data with care
• ensure consent has been provided, unless consent is not required
• if in doubt do not disclose, always ask for advice
• do not provide information over the telephone
• ask that requests for information are submitted in writing/by email
• keep notes of what has been disclosed and to whom
• wilful disclosure of personal information will be treated as gross misconduct