Data Management

Data Protection

The Student Advice Centre is fully committed to compliance with the requirements of the Data Protection Act 1998 which came into force on 1 March 2000.

The Student Advice Centre will therefore follow procedures which aim to ensure that all employees and others who have access to any personal data held by or on behalf of the bureau, are fully aware of and abide by their duties under the Data Protection Act 1998.

The Student Advice Centre is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.

Statement of policy

In order to operate efficiently, the Student Advice Centre has to collect and use information about people with whom it works. These may include clients; current, past and prospective employees; and suppliers. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there are safeguards within the Act to ensure this.

Given the nature of the service and its aims and principles, we view the lawful and correct treatment of personal information as very important to its successful operations, and to maintaining confidence between service and the people we work with.

To this end, the Student Advice Centre fully endorses and adheres to the principles of Data Protection as set out in the Data Protection Act 1998.

The principles of data protection

The Act stipulates that anyone processing personal data must comply with eight Principles of good practice. These Principles are legally enforceable.

The Principles require that personal information:

1.Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met

2.Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes

3.Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed

4.Shall be accurate and where necessary, kept up to date

5.Shall not be kept for longer than is necessary for that purpose or those purposes

6.Shall be processed in accordance with the rights of data subjects under the Act

7.Shall be kept secure i.e. protected by an appropriate degree of security

8.Shall not be transferred to a country or territory outside the European

Economic Area, unless that country or territory ensures an adequate

level of data protection.

The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and “sensitive” personal data.

Personal data is defined as data relating to a living individual who can be identified from:

● that data

● that data and other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Sensitive personal data is defined as personal data consisting of information as to:

● racial or ethnic origin

● political opinion

● religious or other beliefs

● trade union membership

● physical or mental health or condition

● sexual life

● criminal proceedings or convictions.

Handling of personal / sensitive information

The Student Advice Centre will, through appropriate management and the use of strict criteria and controls:-

● Observe fully conditions regarding the fair collection and use of personal information

● Meet its legal obligations to specify the purpose for which information is used

● Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements

● Ensure the quality of information used

● Apply checks to determine the length of time information is held

● Take appropriate technical and organisational security measures to safeguard personal information

● Ensure that personal information is not transferred abroad without suitable safeguards

● Ensure that the rights of people about whom the information is held can be fully exercised under the Act.

These include:

● The right to be informed that processing is being undertaken.

● The right of access to one’s personal information within the statutory 40 days.

● The right to prevent processing in certain circumstances.

● The right to correct, rectify, block or erase information regarded as wrong information.

In addition, we will ensure that:

● There is someone with specific responsibility for data protection in the Students’ Union

● Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice

● Everyone managing and handling personal information is appropriately trained to do so

● Everyone managing and handling personal information is appropriately supervised

● Anyone wanting to make enquiries about handling personal information, whether a member of staff or volunteer or a member of the public, knows what to do

● Queries about handling personal information are promptly and courteously dealt with

● Methods of handling personal information are regularly assessed and evaluated

● Performance with handling personal information is regularly assessed and evaluated

● Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.

All employees are to be made fully aware of this policy and of their duties and responsibilities, and will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. In particular they will ensure that:

● Paper files and other records or documents containing personal / sensitive data are kept in a secure environment

● Personal data held on computers and computer systems is protected by the use of secure passwords

● Individual passwords are such that they are not easily compromised.

Data Processing Notices

A clear notice informing clients about how their data is processed by the Student Advice Centre should be clearly displayed in the Reception Area. This information is also contained in the Student Advice Centre website. A copy of the policy is available at Reception if clients wish to read it.

Confidentiality

Information relating to individual users of the Advice Centre will be recorded in confidential case records, which are accessible only to staff of the Student Advice Centre. It is necessary for staff in the Advice Centre to share such information with each other in order to ensure that advice and information is consistent and comprehensive.

Each client will be asked to give consent to the keeping of a record of the enquiry, in order to ensure compliance with the Data Protection Act. Consent may be oral or written. Where the client refuses consent the record will be kept anonymously.

The Student Advice Centre will collect the student registration numbers of students using the service in order to analyse and monitor the use of the service. This information will be separated from details of the student’s case and shared with the Students’ Union’s Data & Research Department to support in the future planning and development of student advice. A confidentiality agreement will be signed by staff within the Data & Research Department before they are provided with access to any data from the Student Advice Centre.

With this exception, no personal information regarding an individual service user shall be given out directly or indirectly to any organisation or individual outside the Student Advice Centre without the service user’s clear consent.

All staff are expected to ensure that no discussion relating to individual users of the Student Advice Centre takes place outside the Centre.

Confidential interview rooms are available for discussions between advisers and users. Users are not required to disclose any details of their enquiry at the reception desk, although it is helpful for the receptionist to have some idea of the nature of the enquiry, so that an appointment can be made with the most appropriate specialist adviser.

Staff should not disclose any information about a client, or that they have used the Student Advice Centre, to other members of their household, without the client’s expressed consent

Breaches of confidentiality

There may occasionally be circumstances in which an adviser feels they need to breach the usual policy of confidentiality. Where there is a conflict of interest between two parties, each of whom has sought advice from the Centre, it will be necessary to inform the second party that the Student Advice Centre cannot act on their behalf. In these circumstances, the second party should be informed about the Conflict of Interest Policy and that the Centre is already acting for another party in the case, but should not be told the identity of the other party (although this will be often be apparent) or any other information about the case. In these circumstances the Head of Advice Centre should be informed of the case but further authorisation of this specific and limited breach is not required.

Other circumstances where there might need to be a breach of the confidentiality policy are:

  1. Where the adviser believes that there is a risk that a user might cause harm to themselves or others, or be at risk from other people.
  1. Where the adviser receives information which may help to prevent acts of terrorism or apprehend a terrorist, where it is an offence to fail to disclose such information under the Prevention of Terrorism (Temporary Provisions) Act 1989.
  1. Where there is a court order requiring disclosure.

For other potential criminal offences, there is no duty of disclosure for the adviser, although it an offence to aid, abet, counsel or procure the commission of an offence, so the adviser must ensure that he or she does not give any encouragement or assistance for such an act. In particular, under the Social Security Administration (Fraud) Act 1997, advisers must not knowingly assist in any way with a fraudulent claim, although there is no obligation on the adviser to pass details to the Benefits Agency. In such cases, the adviser should explain the legal implications and possible consequences of a fraudulent claim, record this information in the case file, make it clear that the user has a duty to disclose any change of circumstances and make it clear that the Advice Centre cannot assist with a fraudulent claim.

Where an adviser feels that confidentiality should be breached under (1), (2) or (3) above, he or she should raise the issue with the Advice Centre Manager. The Manader should discuss with the adviser what options are available. If they believe that it is necessary to disclose details of the particular case to someone outside the Student Advice Centre without the specific consent of the client concerned then a specific and limited disclosure may take place. All details of the disclosure shall be recorded on AdvicePro.

If the Advice Centre Manager is not available, the adviser may discuss the case and seek authorisation from the Head of Advice & Representation. If they are not available, they should Director of Membership Engagement. Any potential breach of confidentiality should not be discussed at this stage with the President or other Union Officer, in case they are subsequently involved with a complaint arising from the breach of confidentiality.

Data Storage

All enquiries and cases will have a record stored on AdvicePro, which is hosted on secure servers and which has password access only. This is their data security statement:

AdvicePro is a secure, web-based application built on the Microsoft .NET

platform.

Application security and audit control is initially enforced by

authenticating the user to the system and by continually controlling access

to authorised functions and windows throughout the user session. As a

minimum, user authentication consists of a unique username and password.

Additional database security provides an extra layer of protection for data

accessed through the application and provides security for data accessed

through other tools or techniques.

Encrypted communication (i.e. https) is used at all times between the

production hosted application and a user's web browser with access only via a secure, password-controlled logon. The application enforces a "no-cache" policy which ensures no data is ever held locally. Therefore, there is no need to replicate, copy or transfer files between PCs. In the event of PC theft, no client information will be resident on the local hard drive. This

provides an optimal solution for secure home and outreach working without

the security risks of replicating, copying or transporting files.

Delivering AdvicePro as a fully-managed, secure, web application ensures

system availability and use over existing IT infrastructures as it is usable

both onsite and offsite by any existing PC with an internet connection and

access to Internet Explorer v7 (or higher) or Firefox 2.0 (or higher).

The application is hosted remotely at a secure data centre provided by

Brightsolid online innovations. They are based at Gateway House, Technology Park, Dundee. This enables us to provide automatic nightly backups which are stored securely offsite together with physical building and network infrastructure compliant with Information Security Code of Practice ISO27001 (formerly BS7799).

Our service level agreement with our network hosting partner provides for

99.9% contracted availability during core business hours.

Paper files are stored in lockable filing cabinets. During the working day, case records will only be kept in staffed areas within the Student Advice Centre and staff will ensure that visitors or users of the Centre do not have access to or sight of them. Case records will normally only be taken outside the Student Advice Centre where it is necessary for a hearing or meeting about a client – in these circumstances the adviser will ensure the safekeeping and return of the case record. Case records may also occasionally be taken home by an adviser where it is necessary to do work on a case at home (for example in preparation for a hearing) and where this is done the adviser again will be responsible for the safekeeping and return of the case record. Outside working hours, case records will be kept in offices or filing cabinets within the Student Advice Centre, which will be kept locked at all times when staff are not available.

All staff working in the Student Advice Centre are responsible for ensuring that client confidentiality is maintained. All information related to any client of the Student Advice Centre is either to be stored confidentially or shredded if no longer required. Files are kept for 6 years and then destroyed.

Statistical Recording and Social Policy

Statistical recording of users and cases will be carried out in order to enable the Student Advice Centre to monitor take-up of services, to identify any policy issues or trends and to target information and publicity appropriately. The statistical data that is produced may be distributed to the Senior Leadership Team and to Student Officers and to other committees and organisations, but only in aggregated form, so that individual cases cannot be identified.

Auditing of Case Files

Where an adviser opens a case on immigration matters covered by the regulation of immigration advice in the Immigration and Asylum Act 1999, the adviser will seek the consent of the client to the possible auditing of their case by the Office of the Immigration Services Commissioner. Such consent will be sought by means of a statement on the pro-forma provided by the adviser to the client. In the event of the auditing of any case by the Office of the Immigration Services Commissioner, the auditor will be asked to confirm that no information relating to the circumstances of individual clients will be divulged to any other person, except for the purpose of the audit. If the auditor requires access to any other case records for which consent has not already been provided, or if the Immigration Services Commissioner requires access to a case record in order to investigate a complaint, the consent of the client will be sought before the case record is provided.

The Student Advice Centre has obtained the Advice Quality Standard. In order to retain this, an audit is carried out, usually on a biannual basis by the Advice Quality Standards. The data processing notices displayed in the Student Advice Centre notify clients that the advice given is checked and monitored and may be audited.

In the event of the auditing of any case by the Recognising Excellence, the auditor will be asked to confirm that no information relating to the circumstances of individual clients will be divulged to any other person, except for the purpose of the audit.

Data Access Requests

Clients with an open case at the Student Advice Centre may ask for access to their records at any time. If a case is closed, clients will be asked to complete a Subject Access Request. This request must be made in writing and include sufficient information for the Student Advice Centre to be able to identify the client and find the information. The law allows the Student Advice Centre to charge an appropriate fee (up to a maximum of £10) but this will be considered on a case by case basis.