Data Protection and Freedom of Information Guidance

University of Plymouth

If you require this document in larger print or an alternative format please contact the University Secretariat on extension 82054/82062 or

Produced by the Governance section, University Secretariat

May 2009

Index

Introduction

Data Protection Act

What is the Data Protection Act (DPA)?

What kinds of information does the DPA cover?

How does the DPA differ from the Freedom of Information Act?

How does the University use personal data?

What kind of records does the DPA cover?

How is a request for personal information made?

Is a fee charged for providing personal information?

What is the timescale for providing a response?

Is the University entitled to withhold personal data from the individual whom it concerns?

Can the University disclose personal information to third parties?

Data Protection: Frequently Asked Questions

Freedom of Information Act

What is the Freedom of Information Act (FOIA)?

What kinds of information does the FOIA cover?

How does the FOIA differ from the Data Protection Act?

How is a request for information made?

What is the timescale for providing a response?

What information must a response include?

Is a fee charged for providing information?

Is any information exempt from the Act?

Freedom of Information: Frequently Asked Questions

Appendices

Appendix 1: “Personal Information and Data Protection” (issued to students)

Appendix 2: Information exempt from the requirements of the Freedom of Information Act

Appendix 3: Information Request Form

Introduction

This guide aims to give some basic information about the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA). Both of these pieces of legislation have a significant effect on the University’s operations and the way we collect, process and make accessible the information we hold.

There are a number of external sources of useful information about the applications of both Acts, e.g.

The Office of the Information Commissioner’s website is a useful source of general information about both Acts and can be found on:

http://www.ico.gov.uk

The Joint Information Systems Committee (JISC) also has a number of information sheets, designed specifically for HEI use, about the implications of each Act:

Staff development sessions, offering an introduction to the basic principles of the DPA and the FOIA, are offered on a regular basis. Please consult the latest Staff Development brochure for further details:

The University Secretariat is happy to provide advice and guidance to staff and students about the DPA and the FOIA. Queries should be directed to the Governance section on extension 82054/82062 or using

Data Protection Act

What is the Data Protection Act (DPA)?

The Data Protection Act (DPA) gives individuals certain rights regarding information held about them. It places obligations on those who process information whilst giving rights to those who are the subjects of that data.

Under the Act, an individual about whom data is held has a right to request a copy of that data.

In collecting and using data the University must comply with the Data Protection Act. The Act is based on eight principles. Compliance with the principles will ensure information is collected and used fairly, stored safely and not disclosed to any person unlawfully. The principles are that data will be:

  • obtained and processed fairly and lawfully
  • obtained for a specified purpose and not processed in any manner incompatible with that purpose
  • adequate, relevant and not excessive
  • accurate and kept up to date
  • not kept for longer than is necessary
  • processed with due regard to data subjects’ rights
  • kept safe from unauthorised access, accidental loss or damage
  • not transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

What kinds of information does the Data Protection Act cover?

The Data Protection Act (DPA) covers personal data. Personal information covers both facts and opinions about identifiable, living individuals.

Some data is classified as sensitive personal data. This is data about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical and mental health, gender preference, criminal convictions etc.

Individuals may request their own personal data (known as a “data subject request”) from the University, but personal data on other parties will not normally be disclosed.

How does the DPA differ from the Freedom of Information Act?

The FOIA enables anyone to request information – other than personal information - from the University and requires that the University makes that information available subject to certain exemptions. More information about the Freedom of Information Act is given below.

How does the University use personal data?

The University needs to collect and use personal data about its staff, students and other individuals that come into contact with it for a variety of purposes. These purposes may include:

  • admission of students
  • organisation and administration of courses
  • monitoring of performance and achievements
  • compliance with statutory obligations to funding bodies, government agencies and other bodies
  • the provision of services
  • recruitment and payment of staff
  • monitoring health and safety
  • research

Students are advised of the way in which the personal data the University collects about them is used via the statement on “Personal Information and Data Protection” which is issued at enrolment. A copy of that statement forms Appendix 1 of this document.

What kind of records does the DPA cover?

The Act applies to data held in any form provided that it can be related to an individual – it covers computer records, e-mail, manual records and pictorial images relating to living individuals.

How is a request for personal information made?

Individuals have the right to access any personal data that the University keeps about them either on computer or in manual files. They are also entitled to access any recorded opinion about, or intentions regarding, them.

Requests (known as “data subject requests”) must be made in writing (which includes fax and email) to the Secretariat (for students) or Personnel and Development (for staff). The requester does not need to specify that this is a request for information made under the DPA. The University may take steps to verify the identity of the individual making the request if it deems it necessary.

Is a fee charged for providing personal information?

There is a statutory fee of £10 payable when making a data subject request, regardless of the volume of data requested. A cheque, made payable to “University of Plymouth” must be submitted with the request.

What is the timescale for providing a response?

The University must provide the information within 40 days of receiving the fee (note that this is different to the timescale for responding to requests made under the Freedom of Information Act – see page 13).

Is the University entitled to withhold personal data from the individual whom it concerns?

There are certain circumstances where the University is entitled to withhold personal data from the person to whom it relates. The principal example in this area is that of confidential references. If the University provides a reference about an individual, it is not required to give a copy of the reference to that individual. However, if the University receives a reference about an individual, it is required to provide a copy of the reference to the individual, if requested, under the rules governing normal subject access. This means, of course, that a student or member of staff whose request to see a reference provided by the University is refused may simply approach the body to whom the reference was given and obtain a copy that way.

Clearly, references will contain personal information related to the author of the reference and that person, too, has a right to privacy of their personal data. Steps should therefore be taken to gain the consent of the author to release of the reference (and/or deletion of personal information about the author from the reference).

If it is not clear whether data can be withheld or not, clarification should be sought from the Secretariat before any disclosure is made.

Can the University disclose personal information to third parties?

Normally, the University is not authorised to release any information about a student or member of staff (or any other individual on whom it holds personal data) to anyone except that individual. Unauthorised disclosure of information is not only a breach of the Data Protection Act, for which the University would be liable, but also breaches the undertaking of confidentiality to staff and students.

This applies even if the request for information comes from a relative, partner, colleague or close friend of the student/staff member. This may seem overly prescriptive – and can be difficult to explain to the person seeking the information - but it is what the University is obliged to do.

The University may disclose personal information to a third party if it has the specific written consent of the individual to whom the personal information relates.

There are, however, certain circumstances specified in the DPA in which the University is permitted to disclose personal information to a third party without the consent of the individual to whom the data relates. These include (but are not limited to) cases where:

  • the University is in receipt of an arrest warrant or a court order requiring disclosure; or
  • a request has been received from the police, accompanied by a Declaration Form under the Data Protection Act confirming that the information sought is necessary for the prevention or detection of crime or the prosecution of offenders; or
  • release of the information is an agreed pre-condition of student funding (e.g. attendance reported to Student Loan Company); this does not mean that all sponsors have rights to student information.
  • a request has been made by the Tax Office, the Council Tax Office, Benefit office or other statutory body for information necessary to the collection or imposition of a tax or duty.

If it is not clear whether there is a duty to disclose information to third parties or not, clarification should be sought from the Secretariat before any disclosure is made.

Data Protection: Frequently Asked Questions

I am a member of staff and I have received a request from a third party – what do I need to do?

  • Explain that under the provisions of the Data Protection Act 1998 the University is required to keep all the personal data it holds confidential. The University cannot disclose any information – even just to confirm that the individual is a student, for example – to anyone without either the individual’s written consent or a court order or formal police request.
  • Explain that if the enquirer wants to contact an individual whom they believe to be a student, they should write in, and if that person is a student and the University has their address, it will be forwarded.
  • If the request is from the police, ask for a Data Protection Declaration Form, on receipt of which the University can disclose.

If a parent or partner of a student says they have a right to the information because they are paying the fees, explain that although a student’s fee contribution may be assessed on the basis of parents’ or partner’s income, the University contract is with the student. If a fee is not paid, the University cannot take action against a parent (or other sponsor) but only against the student.

If a parent or partner says that they know their son/daughter/partner would not mind/has asked them to act on their behalf/have always told them everything, explain that sadly not every family is as close as theirs seems to be. Indeed there have regrettably been cases of people trying to obtain information under false pretences. Before the legislation, cases where information was disclosed in response to what appeared to be a genuine enquiry caused students great distress. The University can disclose to a specified third party (e.g. parent) if it gets written consent from the student.

A Solicitor or Barrister has no special status in these matters. Without a court order or the student’s consent the University cannot disclose.

I am a member of staff – how does the DPA affect the records I keep about students?

It is quite likely that members of staff will process personal data on a regular basis. To ensure that the University is compliant with the Data Protection Act the consent of students to process personal data about them is obtained in principle at enrolment. A copy of the data collection notice outlining how data is used is attached as Appendix 1. Processing of sensitive personal data requires express consent.

If you are a member of staff you must ensure that any records or files you keep or process are compliant with the eight data protection principles of the Act (listed on page 3 of this Guidance).

You must take care to keep any information you hold on students in a secure location and to maintain its confidentiality. This means using secure means of communication; keeping filing cabinets locked; switching off any computer holding personal data about individuals if a room is left unattended; ensuring information is not displayed on-screen or readable on a desk or in an in-tray when others are in the room; and shredding confidential papers or using secure disposal.

It may be helpful to ask yourself the following questions:

  • do I need to record this data?
  • does the data subject know that this data is held and for what reason?
  • if the data is sensitive has the formal consent of the data subject been obtained?
  • if the consent of the data subject is implicit am I satisfied that processing of the data is in their best interests?
  • is the data accurate and how can this be checked?
  • is the data held in a secure location such that no-one else will be able to access it without authorisation?
  • how long do I need to keep the data?
  • is there a mechanism for securely disposing of the data?

As a consequence it is important that comments on personal files are fair, accurate, and justifiable and that staff would be comfortable to disclose comments. This extends to personal references. Though the University is not required to disclose the references it provides, the body in receipt of the reference is so required.

Most requests for information from students about themselves will be informal and addressed to particular departments, agencies or individuals such as finance, faculty offices, personal tutors etc. Care should be taken to ensure that no data is released that would infringe the rights of third parties. The University can also seek to verify the identity of the individual making a request for personal data if there is doubt about this.

I am a student – what are my responsibilities with regard to my personal data?

The DPA requires that information processed about individuals is accurate. It is essential therefore that you keep the University informed of changes to personal details such as address, name etc – please contact your Faculty office about how to do this, if you are unsure. The University is reliant on accurate personal data for communication with students on assessment results, Award Ceremonies and other matters.

If you are undertaking project work or research, you may need to process personal data. The University is registered to undertake research and statistical analysis, but such work must be fully compliant with the principles of the Act. Project supervisors at undergraduate level and Directors of Study at Postgraduate level will offer advice about data protection issues.

I am a student – am I allowed to see my marked examination scripts/dissertation?

Students may see their marked scripts/dissertations, but only in the presence of a member of staff (so as to prevent any possibility of the work being changed). For those students unable to come into the University to view the work, a copy of the script/dissertation may be sent to them.

Under the Data Protection Act, the student does not have the right to know the identity of each marker.

Freedom of Information Act

What is the Freedom of Information Act?

The Freedom of Information Act (FOIA) came into force on 1 January 2005. It gives everyone a right of access to information held by public bodies, including Universities.

The University of Plymouth strives to be open and transparent and has historically responded positively to the majority of requests for information from both within and outside the University. The Act does make more information publicly available and imposes a timescale for responses.

What kinds of information does the FOIA cover?

The FOI Act covers all information, whether held electronically or in printed form (except personal information, which is covered by the Data Protection Act). This covers not only strategy or policy documents and committee papers, but also correspondence, emails, audio and video tapes. It covers all the information the University holds, whether current or historic.