Staff must take particular care when disclosing personal data to third parties, to ensure that there is no breach of the Data Protection Act or the law of confidence.
Disclosure may be unlawful even if the third party is a family member of the data subject, or a local authority, government department or the police. A key point to consider is whether the disclosure is relevant to and necessary for the conduct of the School's business. For example, it would generally be appropriate to disclose a staff member's work contact details in response to an enquiry relating to a function for which they are responsible, but it would not be reasonable or appropriate to disclose a staff member's personal address or bank account details.
The disclosure of personal data represents a form of processing of the data. This means that the conditions for fair and lawful processing of personal data and sensitive personal data set out in first Data Protection Principle must be met (see Data Protection Act Overview). Consideration should also be given as to whether the disclosure was one of the purposes for which the data were originally gathered; in particular, whether the disclosure is covered by SOAS's entry in the Information Commissioner's Register of Data Controllers, or is a purpose to which the data subject has consented. If not, the disclosure is likely to represent further processing contrary to the second Data Protection Principle.
Disclosure of personal data which are not sensitive personal data is most likely to be justified if one or more of the following conditions applies:
- The data subject has given his/her consent to the disclosure (e.g. at the time when the data were gathered).
- The disclosure is in the legitimate interests of SOAS or of the third party to whom the data are to be disclosed, and does not prejudice the rights, freedoms or legitimate interests of the data subject.
- There is a statutory or legal obligation to disclose the data.
- The disclosure is required for the performance of a contract (e.g. between a student and a sponsor).
- The disclosure is necessary to protect the vital interests of the data subject.
More stringent restrictions apply to the processing of sensitive personal data (see Data Protection Act Overview). The most likely conditions that would justify disclosure of sensitive personal data are:
- The data subject has given his/her explicit (ideally written) consent to the disclosure, or
- There is a statutory or legal obligation to disclose the data, or]
- The disclosure is necessary to protect the vital interests of the data subject.
The Data Protection Act also allows personal data to be disclosed to third parties without the consent of the data subject, in the following circumstances:
- The disclosure is necessary for safeguarding national security.
- The disclosure is necessary for the prevention or detection of crime, or the apprehension or prosecution of offenders.
- The disclosure is necessary for the assessment or collection of any tax or duty.
- The disclosure is necessary for the discharge of regulatory functions (including the health, safety and welfare of people at work).
- The data to be disclosed are to be used for research purposes, subject to the rules governing the Use of Data in Research.
- The data are information which SOAS is obliged by legislation to provide to the public.
- The disclosure of the data is required by legislation, rule of law or the order of a court. For example, certain data on students and staff have to be supplied by SOAS to the Higher Education Statistics Agency (see Transfer to HESA).
The Freedom of Information Act 2000 sets out certain circumstances in which personal data can be disclosed to a third party (i.e. someone other than the data subject) who has submitted a Freedom of Information (FoI) request. In particular, the FoI Act provides that personal data can be disclosed where doing so would not breach any of the Data Protection Principles (see Data Protection Act Overview). Guidance from the Information Commissioner suggests that this is likely to apply to data relating to an individual's official or work capacity which it would normally be reasonable to release, such as name, job title, official functions, grade, decisions made in an official capacity, and salaries of senior staff. Data relating to an individual's private life would not normally be disclosable under FoI. See Publication of Staff Details for further information on what SOAS routinely makes available about its staff.
There are also two other special situations where the FoI Act allows personal data to be released to a third party in response to an FoI request, provided a public interest test has been met:
- The data controller has received a formal objection from the data subject, under the Data Protection Act, to the disclosure of the data (known as a Section 10 Notice).
- The release of the data to the data subject would be prevented by one of the exemptions in the Data Protection Act.
In such cases, there is no automatic requirement to release the data to the third party, but data controllers have to consider whether it would be in the public interest to release the data. Such cases are likely to be rare.
FoI requests for the release of personal data to third parties need to be handled according to the rules set down in the FoI Act, which are different from those in the Data Protection Act (for further information, see Submitting a Freedom of Information or Environmental Information Request). Any release of personal data in response to an FoI request should be cleared in advance with the School's Information Compliance Manager (see Data Protection Contacts). In addition, it should be noted that the FoI Act does not grant individuals any right to request data relating to themselves (see Access to Data).
Staff should always exercise caution when dealing with requests from third parties for the disclosure of personal data. Disclosure requests should normally be required to be in writing, and should be responded to in writing. Where reasonable, the party making the request should be required to provide a statement explaining the purpose for which the data is requested, the length of time for which the data will be held, and an undertaking that the data will be held and processed according to the Data Protection Principles. Where the request relates to the prevention/detection of crime, the apprehension/prosecution of offenders, assessment/collection of any tax or duty, or the discharge of regulatory functions, appropriate paperwork should be produced by the enquirer to support their request (e.g. official documentation stating that the information is required in support of an ongoing investigation). Guidance for staff on how to respond to requests for data from the police and similar agencies is available in SOAS's Police Disclosure Guidelines.
Personal data should only be disclosed over the telephone in emergencies, where the health or welfare of the data subject would be at stake. If data have to be disclosed by telephone, it is good practice to ask the enquirer for their number and to call them back. For further information on how to respond to emergency requests, see the Police Disclosure Guidelines.
Particular care should be taken when dealing with requests from embassies and high commissions, as data subjects may choose to have little or no contact with representatives of their home states. Similarly, members of SOAS may have reasons for not wanting contact with parents, other relatives or friends. Requests from relatives, friends etc for the contact details of students should therefore be treated with caution. It is good practice to offer to pass on any message without providing contact details or confirming or denying that the person is a member of SOAS.
An image of an identifiable individual is personal data about them. In some situations, publication of an image without the individual's permission with infringe their right to privacy and the Data Protection Act. Staff involved in publishing images on the SOAS website should consult the SOAS Web Picture Policy, which provides guidance on appropriate safeguards for the publication of images of individuals.
Last updated April 2008