Guidelines on Handling Sensitive Student Information

Guidelines For Staff

    1. The starting point for any consideration of the handling of personal information regarding students is that care should be taken to ensure adherence to AU's confidentiality policy and that student privacy is respected. The provisions of the Data Protection Act must be satisfied regarding students' access, and the access of third parties, to information which is held.

    2. The Data Protection Act enshrines eight 'data protection principles'. They say that personal data must be

      • fairly* and lawfully processed;
      • processed for limited purposes;
      • adequate, relevant and not excessive;
      • accurate and where necessary kept up to date;
      • not kept longer that necessary;
      • processed in accordance with the data subject's rights;
      • secure;
      • not transferred to countries without adequate data protection arrangements.

      Personal data is information which

      • relates to a living person, and
      • identifies an individual either on its own or together with other information that is in the University's possession.

      The Act applies to data that are subject to `processing`; - this includes obtaining, keeping, using, accessing and disclosing them.

    3. More stringent requirements are placed on processing sensitive personal data. This means data containing information on, for example,

      (a) racial or ethnic origin,
      (b) political opinions,
      (c) religious beliefs or other beliefs of a similar nature,
      (d) membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992,
      (e) the physical or mental health or condition of the data subject,
      (f) details of sexual life,
      (g) the commission or alleged commission of any offence, or
      (h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

      Sensitive personal data can be processed only with the explicit and informed consent of the subject.

Guidelines for Staff - Disclosure

    1. The disclosure of sensitive personal information to those not entitled to have access to it is likely to cause profound distress. Staff must therefore operate in accordance with the following guidelines in handling such information.

    2. When students disclose sensitive personal information to staff, it should not be assumed that they are implicitly giving consent for the information to be passed on to others; e.g. to be made available to Examination Boards or other departments involved in teaching the student. It should be made clear to students what will happen to the information and their written consent secured to pass it on. If a student asks for the information not to be passed on, this request will normally be honoured, but the student should understand that the information cannot then be taken into account by other staff in assessment of work, granting extensions and so on. In addition, such information cannot be used in appeals by students, who are obliged by the Academic Regulation on Academic Progress to make any circumstances which may affect their performance known to examination boards in advance.

    3. There are certain exceptional circumstances in which confidentiality may have to be breached. The University has a duty of care to its students and its staff, and also a responsibility to the wider community. If failing to act on or forward information to other parties could result in the student harming herself/himself, other students, staff or any other persons, then confidentiality may have to be overridden. This applies where students disclose information about themselves or other students. Decisions not to honour confidentiality must not be taken lightly and will involve a careful weighing of the different responsibilities of the University. Where staff members are unsure of whether or not to breach confidentiality, they should seek advice from the Director of Student Support Services. In potentially serious cases, staff must consult their Head of Department and the Director of Student Support Services, bearing in mind that the University is ultimately responsible for any breaches.

    4. Where information disclosed by students is already a matter of public knowledge, or where students give consent for the information to be shared, then it may be passed on. However, the following points should be observed.

      7.1 Need to Know: Sensitive personal information should be made available only to those who need to have it. It should be made clear to the student concerned to whom the information will be disclosed and for what purposes. Such information should not be circulated to full examining boards but scrutinised by a small sub-group of the board. A report should then be made to the full board saying that there is medical evidence and giving the sub-group's views on the way in which it should be treated.

      Guidelines for Staff - Security

      7.2 Secure Storage: Sensitive personal data should always be kept in secure conditions, for example in a locked filing cabinet in an office which is always either staffed or locked. If such material is filed with other routine information it should be placed in a sealed envelope in the student's file marked confidential and only opened by named staff in certain circumstances. Departments should make it clear to the student who has access to the material and under what circumstances.

      7.3 Secure transmission: Great care should be taken when sensitive data is being sent to other members of staff. Secure means of communication should be used and care taken to address the information correctly and mark it confidential. E-mail should not be used and the University's guidelines on the use of electronic mail should be consulted.

      Secure disposal: Sensitive personal material should be retained only for as long as it is needed and used only for the purpose for which it is collected. Documentation provided for consideration at Departmental or Faculty Examination Boards should be returned to secure storage in Departmental offices or in the Deans' Office immediately after the relevant meetings. Information on a student's module marks should be kept at least until the period allowed for appeals has elapsed. Copies of medical certificates should be kept to a minimum and unnecessary spares destroyed. Such material should be shredded once it is no longer required as part of the examination and appeals processes.

    5. Further information and advice on the above should be sought from the Director of Student Support Services. Staff may also wish to consult:

      *Fair - which requires that they are not used for purposes other than those for which the information was obtained and the subject of the information is not deceived in any way as to these purposes.