Data Protection Act 1998: good practice guidance

This guidance covers everyday Data Protection problems that are likely to affect staff and students. It isn’t legal advice.

The guidance can't cover every possible scenario. If in doubt please do contact the Information Assurance Manager, who is always happy to provide advice to staff and students.

The guidance is a 'live' document that is updated to cover new issues as they arise. If you would like to see advice on a particular issue or problem that is not covered, please contact the Information Assurance Manager.

Find out more about the Data Protection Act. For more on how to request data under the Act, please visit the Requesting Information page. To find out what we do with your information look at the Policies, procedures and schedules page and scroll down to “Your Information”.

On this page “the Act” means the Data Protection Act. We’ve used “information” instead of the official term “data” because it’s easy to think that “data” is just numbers or computerised information. In reality it covers electronic and paper files, pictures, emails – any sort of information at all that is kept about an identifiable living individual.

Practical Tips: when “third parties” ask for information

What is a “third party”?

“Third party” means anyone who asks for information about someone other than themselves. So if Jayne Smythe asks for information about Fred Bloggs, that’s a “third party” request. If Jayne happens to be Fred’s mother, daughter, aunt, sister, partner, ex-wife, sponsor or have any other relationship with him, it is still a “third party” request.

Staff and students give their information (“data”) to the University so that we can administer all aspects of their work or study here. Have a look at the Privacy Policies for more information on how we use information about people.

We have to avoid giving out (or sharing) information for any other reason than those listed in the Privacy Policies. It’s partly a matter of common sense. Think how you would feel if it was your personal information being given out. If you think that it would be unreasonable and you’d be unhappy about it, then it’s likely that you shouldn’t share the information.

The best answer is often to ask the student or staff member whose information is being asked for. If they are happy for you to give out the information then there is no problem. If in doubt, always contact the Information Assurance Manager for advice.

You should also look at the third party contact policy and practical guidance.

Confirming that someone works or studies at the University

If you are asked to confirm that someone is a student or a member of staff here, and they are not actually here, then you can say so.

If the student or staff member is here then in some circumstances you can confirm that. Check that the person asking for the information is who they claim to be. Ask to have their request in writing (fax or email is fine). They also need a legitimate reason to be asking. This doesn’t cover parents and relatives trying to find out if their family member is studying here.

You should also look at the third party contact policy and practical guidance.

If in doubt always ask the Information Assurance Manager before releasing any information.

Contact details and email addresses

We’re often asked either to hand out contact details or to pass on information to groups of staff or students and generally we should not do this. In most cases the contact details are wanted for some sort of marketing. There are strict rules that allow people to opt out of receiving marketing. We also want to avoid adding to the email avalanche that many people struggle with.

There is an opt-in mailing list and web page for people wanting to find volunteers to take part in research.

Have a look at the email guidance for more information.

Immigration officials

The University often receives requests from immigration officials about individuals either studying at or on their way to the University. Please pass all these enquiries on to the Student Services Hub.

Parents and relatives

The third party policy and practical guidance are both useful when dealing with parents and relatives. The general rule is that students and staff are private individuals and the University has no responsibility or obligation to keep their relatives informed of any aspect of their studies, professional activities, or private lives.

The police and other officials

Occasionally, the University receives requests from the police and officials for personal information. It’s not compulsory to give out information in these cases. The police can submit a “section 29” form explaining exactly why they need the information. This still doesn’t mean that information has to be released, although obviously the University will always try to help where possible. If we still do not want to release the information then the police can force us to do so with a court order.

Even the police cannot ask for information out of general interest. They should be able to show that it is not possible for them to get the information they need by any other method. They also need to be looking for a specific individual for a specific investigation. We have an information sharing agreement with Essex police (.pdf) that explains how, when and where we can share information.

“Other officials” includes benefit fraud agencies trying to confirm that claimants are students and entitled to make claims, or immigration officials checking that a person is a student sponsored by the University.

In all these cases it is best to ask the Information Assurance Manager before responding.

Qualification checks

If a prospective employer, recruitment agency or other body wants to check whether someone holds a qualification awarded by Essex then they need to use HEDD. There is a small fee and they will need to have the details of the qualification being claimed.

If they need to confirm that someone is still studying with us, and has not yet graduated, this information isn't on HEDD. They should make contact by email, not phone, including their full contact details. Many employers and recruitment agencies will also supply a form signed by the student, confirming that they are happy for this information to be shared. If in doubt, check with the student concerned, if possible, or contact the Information Assurance Manager.


References

The Act is not very straightforward when it comes to references. The organisation giving out a reference for a person does not have to show a copy to that person. However, the organisation that receives the reference does have to show a copy to the person, if they ask.

It is best to assume that at some stage any reference you write will be seen by the person you are writing about. Human Resources have some useful guidance on references. There are two basic things to remember. The first is that you must distinguish carefully between your opinion and fact. So your opinion about a person might be that they are lazy and lack commitment. The fact will be that they only attended 30% of lectures in their final year or that they arrived late to work 12 days in the last month.

The second thing to remember is that you should only reveal what is necessary and what you know the student has already given out. So you would not reveal that a student had help during the course for dyslexia. If the student didn’t ask for help with dyslexia until late in their studies, and you think that this affected the grade they got, then speak to the student and ask them if you can tell this to the prospective employer.


Sponsors

Financial sponsors can be individuals or organisations, or even a relative of the student. Because they are paying for the student to study they often feel they must have a “right” to know about the student.

This isn’t so! Students are private individuals and the University has no responsibility or obligation to keep financial sponsors informed of any aspect of their studies or private lives.

We can sometimes provide limited, relevant information, although it will vary from case to case. The student and sponsor may have a contract that sets out what information can be shared, and we can give out information covered in such agreements. Otherwise it is best to ask the student’s permission to give information to the sponsor or contact the Information Assurance Manager.

Practical Tips: Data Protection and everyday activities


Email

Please see the email guidance.

Employing students

The University sometimes employs registered students, for example, through the Frontrunners scheme. If you have a student employed in your section, department, or office, you need to make sure that as part of their induction they are told about the importance of Data Protection and understand that the information about students or staff that they have access to has to be treated confidentially.

There is a standard form for students to sign, agreeing to treat personal information confidentially. This is not a way of passing responsibility on to students; you will still need to ensure they are given a proper induction. If you would like help with explaining data protection issues to an employed student then please contact the Information Assurance Manager.

Examination Marks and Results

Students have the right to see preliminary marks and comments that contribute to final assessments, if they ask to see their exam marks.

If a student puts in a subject access request the University has to provide access to all examination marks either within five months of the request (if the results haven’t yet been published) or forty days after the official release of results - whichever is sooner. The delay is to stop students trying to find out what their marks are before the results are made official.

We can’t withhold information from students who are in debt to the University.

Examination pass lists

You should not post personal information on notice boards. The Information Commissioner has said that, because exam pass lists have gone up on notice boards for many years, we can carry on doing it.

Tell students in advance that this is how their exam results will be published. If a student objects then you should not put their name on the list and you will need to find another way of letting the student know about their results.

Examination Scripts

The law says that the University does not have to give copies of exam scripts to students who ask for them. However, we can let students see scripts if we choose to.

A student who has failed a paper or been offered a re-sit can be offered the chance to see the script, with a member of academic staff present, if we think that will help the student. The student is not allowed to take originals or copies of the exam scripts away with them.

Examiners’ comments

Students have a right to see comments made by internal and external examiners. This means that comments must be intelligible and appropriate. It’s helpful if examiners’ comments are made on separate comment sheets, rather than directly on the scripts. Examiners need to be made aware of this in advance.

If comments are handwritten and potentially illegible, it may be necessary to supply a typed version. If the examiners’ comments have been made directly onto the exam script itself, the student cannot see the script so the comments would have to be transferred to a separate sheet that the student is allowed to see.

Keeping files on individuals

The University keeps files of relevant information on staff and students. Everyone has a right to ask to see the information we keep about them.

This means that you need to think carefully about the information you keep about people. It does not mean you can only ever write nice things about people on their file. It does mean that you should always use balanced and measured language in what you write. You should stick to facts, not opinions. Where you do need opinions then you should clearly state that’s what they are. You should never make notes that are rude, offensive, derogatory or damaging.

Information about someone doesn’t need to be in an actual physical file for them to ask to see it. It can be an email or electronic document. This means that you should think carefully about what you put in emails. See our email guidance for more information.

There are retention schedules that explain how long we keep information for.

Personal information on the University Website

The website is a public space. We generally publish information about people’s official roles and functions. This helps people who need to deal with the University to find the right person to contact. It can also promote the University by letting people see which high profile academic staff we have in departments.

It is important that anybody whose name and other information appears on the website knows that it is there and that there are ways for them to object and for the information to be removed if need be. Personal information about people should not be published on the website. This applies to information that’s on the open part of the website, and on the campus only sections. It applies to staff, students and anyone else whose details we put on the website.


Photographs

A photograph of a person is “personal data”. Some departments and sections in the University put photographs, and sometimes biographical information, about staff on notice boards and web pages.

This is fine, but people have the right to refuse to have their photograph or personal information published in this way, even if the web page can only be seen by people on campus. It is best to ask people before you make their picture and details public.

Even though the information is likely to be work related and not to do with their private life it still counts as personal information.

Research Activity

The Act applies to people collecting or using personal information as part of research. It’s important that if you collect personal information as part of your research you explain to people what you are collecting, why you are doing it, and what you will do with the information. Remember to tell them about all the things you’ll do with their information. You may be collecting for a PhD thesis now, but if you are intending to publish that as a book later, then let people know.

There are some parts of the Data Protection Act that don’t apply in quite the usual way when personal information is being collected for research. The main one is that personal information collected and used only for research purposes can be kept indefinitely.

Please read our guidance on data protection and research activity. You can get more advice from the Information Assurance Manager or the Research and Enterprise Office.

If you are doing social research you’ll find more detailed ethical guidelines on the website for the Social Research Association and the Economic and Social Research Council.

Sharing Information with Colleagues

The University is a single “Data Controller”, so passing information about staff or students between staff, departments or sections doesn’t include a “third party”.

However, this does not mean that information can be shared freely. There should be a good reason for the information to be shared, and the minimum amount of information should be shared each time. So it’s possible that someone in Payroll needs to know that a member of staff is going to be off sick for seven weeks so that they can make sure they are paid appropriately, but they don’t need to know why the person has to take that amount of sick leave. It is particularly important to make sure that information about sensitive issues, including disability, sexuality or ethnicity, is not shared unless it is absolutely necessary. The staff guide to supporting students is very useful.

If you pass information through email or internal post you need to make sure that it will safely reach the person you mean to send it to, and won’t accidentally be seen by anyone else. This means checking the name in the email “to” box carefully before hitting “send” or writing the name and department clearly on an envelope. Envelopes and emails should be marked “confidential”. You should avoid faxing personal information as this isn’t secure or confidential.

Working from home

If you work from home you still have to abide by the Data Protection Act. It is important that personal information isn’t accidentally lost or revealed to anyone who doesn’t have a right to see it.

If at all possible avoid taking personal data home. It is better to put it somewhere that can be accessed from home without having to be physically carried there in paper form or on a disk or memory stick. Consider finding a way to anonymise information that you need, to encrypt it or password protect it.

If you work on electronic information at home then make sure you do not save it to your own computer. If you need to do that while you are working on it then remember to delete it when you’ve finished. If you need to print something out when you are at home you should either shred it afterwards (if you are able) or bring it back to work for shredding.

If people in your section or department regularly need to take personal information home with them then it’s best to have a system to record who has taken information away, what information they took, when they took it, why they took it, and when they bring it back again. This means you can be sure that you know where all of your information is.

Last revised March 2016