Freedom of Information and Data Protection
As a publicly funded body, 91¿´Æ¬ is subject to the Freedom of Information (Scotland) Act 2002. This means any information or records held by the University relating to collaborations may be disclosed under the Act unless specific exemptions apply. (In some cases, for example, details may be withheld because of commercial sensitivity.) For more information see the 91¿´Æ¬ Freedom of Information web page.
Data Protection
The main laws preventing the disclosure of personal information (including sensitive information) are the General Data Protection Regulation (from May 2018), UK GDPR (post-Brexit) and the Data Protection Act 1998. All of the above Acts protect the confidentiality of individuals’ personal information.
In line with this legislation, personal data must:
- be obtained and processed fairly and lawfully and cannot be processed unless certain conditions are met.
- be obtained for a specified and lawful purpose and cannot be processed in any manner incompatible with that purpose.
- be adequate, relevant and not excessive for those purposes.
- be accurate and kept up to date.
- not be kept for longer than is necessary for that purpose.
- be processed in accordance with the data subject's rights.
- be kept secure from unauthorised access, accidental loss or destruction.
- not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
The University and partner institutions must ensure that they follow these Data Protection Principles at all times. Further details of 91¿´Æ¬â€™s Data Protection Policy are available here. Partners may find the privacy statements on the website useful.
Note that both 91¿´Æ¬ and partner organisations will collect data from students, as well as from staff and external stakeholders (such as placement providers). Both partners are considered ‘Data Controllers’ in terms of the legislation and both must gain consent from data subjects. The consent includes consent to sharing data between the partners to the extent that it is necessary to run the programme, support students, and meet any external reporting requirements.
In terms of day-to-day operations, some important issues to be aware of include:
1. Applications and enquiries
As soon as people first contact an organisation to ask about a course, they are passing over at least some of their personal data. Partners are advised to keep information about enquirers only for the duration of each application cycle. (An exception would be if a potential applicant had asked to be kept on a waiting list, for example because they were trying to organise funding to allow them to take the course.) Similarly, application forms should include a statement to confirm that the applicant consents to their data being shared with those employees who need to see it in order to process their application and make a decision on it. Application forms from unsuccessful applicants should be deleted once the application cycle is complete. You should not keep contact details indefinitely or use them for direct marketing.
2. Matriculation and Privacy Statement
When students matriculate online with 91¿´Æ¬ they are consenting to us using their data in line with our published Student Privacy Statement Partners should also ensure that students consent formally to data processing when they enrol with the partner organisation.
3. Current students
Staff should not give out information about students to any third party without the student’s consent. If 91¿´Æ¬ wants to share sensitive or confidential information to a third party, consent of the student is required. Some common situations that might arise include:
-
- Requests from the student’s family on their progress/performance etc. It is often normal and expected for the student’s family to be fully involved in discussions about progress. However, not all families are the same. If a student does not want their parents to be included in such discussions that is their right. Partners should have a process to allow students to make it known if they don't want personal data to be shared with parents.
- Passing on information to placement providers about special student circumstances. Usually placement providers are happy to accommodate students who have health issues, or disabilities, or some other special circumstance that affects their placement. Information of this kind cannot be passed on without the student’s prior consent.
- If pass lists are published they should be anonymised, with students only identified by their matriculation number. Some students might not want their colleagues to know what mark they got, especially if they have failed.
- Information can be shared between staff as long as the sharing is reasonable and expected as part of the operation of the programme. It is important that all employees who have access to personal data understand the organisation’s data protection policies and know how to keep data secure and confidential. Security of data is very important. It is essential that there are procedures in place to stop unauthorised people getting access to student files. Particular care must be taken with transfer of information between 91¿´Æ¬ and partner institutions to ensure the security of data.
- Data must be disposed of securely once it is no longer needed. 91¿´Æ¬ advises that student files be kept for up to ten years after the student has left. Assessments should be kept for one year after the academic year in which they were submitted (in case of appeals or complaints).
- Data protection legislation gives individuals the right to know what information is held about them. This is done through a subject access request, which allows a student access to the information 91¿´Æ¬ holds about them, including their student file. Their file may include completed forms, formal records of meetings and less formal correspondence, for example emails or other correspondence. If either 91¿´Æ¬ or the partner receives a subject access request the two organisations should collaborate to provide the student with all the information they require.
4. Graduates
It is normal to keep contact details of graduates for a number of reasons:
-
- To help graduates by directing them to relevant career opportunities.
- To facilitate the formation of alumni networks.
- To gather feedback to help to improve the programme
Make sure graduates know that you will keep their data and take care not to use it for additional unrelated purposes (eg direct marketing).
5. Staff
91¿´Æ¬ has to approve all staff who teach on the programme. This means that we regularly receive CVs of teaching staff. Partners must gain the staff’s consent for sharing this information. 91¿´Æ¬ deletes the CVs of staff once they have left. It is important to keep 91¿´Æ¬ informed of any changes to staffing.