Introduction
Disclosure of personal data to any third party is considered to be a form of data processing, thus the disclosure must be made in accordance with the data protection principles set out in Article 5 of the General Data Protection Regulation (GDPR), the College’s Data Protection Policy and the information given to the relevant data subjects at the time their personal data were collected.
A student must be informed at registration of the disclosures the College is likely to make and the basis for such disclosures in the College’s Privacy Notice for Students and Prospective Students. Should further disclosures need to be made later in a student’s course, the student must be informed of this and, where appropriate in terms of the GDPR, the consent of the student sought to the disclosure.
Dealing with requests for student data
The following are examples of disclosures which may be sought from the College by third parties and the conditions under which such disclosures may legally be made:
2.1 Confirmation of Current/Previous Student Status
Requests of this nature are likely to come from a number of sources and it is necessary to determine in each case whether a disclosure can be justified as fair processing and whether the College can ensure that the recipients of such disclosures have a justifiable cause to receive that information.
Requests from potential/actual employers and potential/actual providers of additional education are justifiably within the legitimate interests of the College and those of the recipients of such data. However, the data disclosed should be limited to a student’s period of study, marks and/or degree awarded, attendance record. More detailed disclosures are likely to be irrelevant or excessive in terms of the data protection principles and/or may require the College to release sensitive data for which consent may not easily be obtained or readily given by the data subject. Where the disclosure is requested in the form of a personal reference, there are special conditions which apply concerning access to that data and protection of third party interests.
Where disclosures are relevant and fair, it is important to ensure the validity of each request and to minimise the risk of illegitimate disclosure. Disclosures should not be made over the telephone. Enquirers should be required to submit their request in writing on headed notepaper. Ideally the enquirer should first obtain consent for disclosure from the student concerned. Failing that, the enquirer can establish his/her identity and their right to the data asking them to submit a copy of the first page of the application form submitted by the student.
2.2 Disclosures to Sponsors
Many students receive ‘sponsorship’ in the form of funding towards their studies from government agencies, research councils or private corporations. Parents may also be considered to be ‘sponsors’ but, whereas disclosures can legitimately be made to an accredited organisation, they cannot be made to parents without the student’s consent. It has been agreed that, to comply with data protection law, the College can only legitimately disclose student data to a sponsor who meets the criterion as “someone who has a contractual agreement with the student to pay part, or all, of their tuition fees”. Disclosure to any other ‘sponsor’ not fitting this definition can only be made with the student’s consent unless an organisation can provide evidence of “legitimate interest” in terms of the GDPR.
2.3 Fraud Enquiries
In cases where the College is asked to confirm the details of an individual who is thought to have lied about the qualifications they hold and, where the individual has never had a relationship with the College, it is in order to confirm that the College holds no record of the individual. As there is no personal data held no data protection principle would be breached by such a disclosure. If, however, the individual has attended a course here and perhaps failed, any disclosure must be covered by one or more of the principles e.g. whether there has been previous consent given, such as to a professional organisation, or there has been statutory obligation such as to HESA, or by the requirements of a contract such as to a sponsor. Otherwise, unless it could be held to be in the legitimate interests of the College to make the disclosure or the disclosure can be made to the police “for the prevention or detection of a crime”, the consent of the individual will have to be sought. Should the information be vital to a criminal case then, in response to a Court Order, the disclosure can be made without consent being given.
Except in cases where there is a statutory obligation upon the College to comply with a request for disclosure of a student’s data, there is no compulsion to make a disclosure, even in cases where the GDPR permits it. If there is any doubt as to the legitimacy of a disclosure request, then no disclosure should be made.
2.4 Other Enquirers
The College may receive requests for student data from other enquirers such as Government departments, representatives of the governments of foreign countries and the providers of services to students e.g. landlords, suppliers etc. Where there is no statutory, or other, legal obligation to disclose personal data a disclosure must not be made without the consent of the individual concerned. It should be noted that disclosure includes confirmation or otherwise of a student’s presence at the College.
Disclosure logs
Where exceptional disclosures of personal data are made to third parties, such disclosures should be noted in a log held centrally in College Registry. Each entry should show the name of the staff authorising the disclosure, the data subject’s name, details of what was disclosed, the recipient’s name, the time and date and reason for the disclosure. This will provide evidence of acting in good faith if, at some time in the future, the data subject complains about the disclosure. The table below gives an idea of some of the bodies to which a disclosure might be made by the College and the basis upon which that disclosure may be made.