A student’s parent calls and asks for information about their performance or for their contact details – what do we do?
Issue: details of a student’s performance, their contact details, even the fact that they study at SOAS is personal data. Disclosure to a third party in these circumstances is unlikely to be compliant with the Data Protection Act.
Suggested approach: do not confirm anything that is put to you. Politely offer to take their details and pass them onto the student. Then it is up to the student to contact them if they wish to.
UKVI, HMRC, or a local council get in touch and ask for details about a student – are they entitled to this information?
Issue: UKVI and other authorities occasionally ask for information about students. Some of these requests will be legitimate, but it is possible that some won’t be. Also, how do staff know that they are who they say they are?
Suggested approach: there are conditions under which we are expected to share data with Government bodies such as UKVI. But there is a need to be cautious. First of all, staff need to be sure that the enquirer is who they claim to be – that may be obvious from the context (email address, letterhead, etc). Staff might also ask them for the number of their switchboard so that they can call them back (with most authorities it will be possible to double check the number by checking their website). Staff also need to be sure that they have the power to obtain the data. They should ask them why they need the data and what, if any, legislation empowers them to obtain it from us. If the request is legitimate, they should be able to explain this.
What should I do if the Police ask for information about a student?
Issue: the police occasionally ask for information about students as part of an inquiry. Is it OK to share this information?
Suggested approach: the police don’t have an automatic right to information about students or staff at SOAS. We need to know that they are asking as part of official business, and be assured that they need the information, and that the request is proportionate. All of this is usually satisfied by the provision of a “Section 29 form”. More details can be found in the guidance on dealing with enquiries from the police.
Is it OK to publish the names of graduates?
Issue: it used to be common practice for lists of graduates to be made publicly available. Many higher education institutions and student unions sell merchandise such as T-shirts with the names of graduating students printed on them. This is less common now, possibly because of the data protection and confidentiality issues that it raises.
Suggested approach: most students will be perfectly happy for other people to know that they have successfully completed their degree (and to have their name on a keepsake such as a T-shirt). However, it is a good idea to allow students the opportunity to opt-out if they wish, perhaps by writing to them early in the year in which they graduate to inform them of what will happen and how they can opt out if they don't want their name to be included.
Is it OK to confirm that a student studies at SOAS?
Issue: somebody rings up or sends an email asking if a person is a SOAS student.
Suggested approach: students may not want people outside the School to know they study at SOAS. For example, they may be a victim of domestic violence or stalking, and fear being tracked down by the perpetrator. Never confirm whether a student studies at SOAS unless you are content that there is a good reason that can be justified under the Data Protection Act (eg legally required to, legitimate interest, consent of the student).
How do we ensure that we give information to the right students without appearing too bureaucratic?
Issue: students turn up to collect their exam results or other information without proof of identification, or send someone else to collect them on their behalf.
Suggested approach: make sure that students are told in advance that unless they have identification they will not be able to collect items. If they send someone else, they should inform you in advance and the person collecting the letter should have their own proof of identification with them. It is a good idea to include a list of acceptable forms of identification in the guidance you issue. You should never give personal information to someone without being sure that they are the person concerned or that you have been given permission to give the data to another person.
Can we share information with student accommodation providers?
Issue: SOAS does not own any Halls of Residence, as they were sold many years ago to a private provider. However, it is only SOAS students who use these halls. There are occasionally requests to share information on both sides, usually for student welfare reasons.
Suggested approach: although there is by custom a close relationship between SOAS and the accommodation providers, we should treat them just as we would any other private landlord. If there is a good reason to share information about students that can be justified under the DPA (and the welfare of students is likely to be a good reason), then data can be shared. But only the minimum information that needs to be shared should be. If sharing is likely to take place on a regular basis, then a formal written agreement should be put in place setting out the circumstances under which it can happen and what safeguards will be put in place. Seek advice from the Information Compliance Manager.
How can we keep data about students or members of staff secure if we want to transfer it by email?
Issue: sometimes it may be necessary to share data about students with other parts of SOAS or even with outside bodies.
Suggested approach: if possible, avoid email. If other departments need access to data about students as part of routine service provision, it would be better for them to have access to the same systems, which have their own security in place such as secure log in. Another option is to place the data in a secure location and send a link to that location to the recipient. For example, set up a folder in the shared network drive and ask IT to set permissions so that only you and the recipient have access. Another option which is increasingly viable is to place the file in MySOAS (Sharepoint) and send a link to the document. If email is the only option, encryption should be considered – tools are available online and the Information Compliance Manager and IT can provide advice on this. In most circumstances, email is secure enough – but without encryption if something went wrong, it would be difficult to claim that we had done all we could to protect the data in transit.
How do we verify a caller who calls in by telephone?
Issue: a student calls asking for details of their examination results.
Suggested approach: you have to be satisfied that the caller is who they say they are, and that they have a right to access the data, before you disclose anything. Think about when you go to a GP’s surgery or if you call your bank. You will be asked a range of questions designed to verify your identity. The same approach should be used when a student calls and asks for personal information that they wouldn't want others to know. Don’t just take their word for it.