Data Protection: Frequently Asked Questions

How does the Data Protection Act 1998 affect me?

Unlike the Data Protection Act 1984, the new Act covers manual as well as electronic records. This means that student files, card indexes and all other paper-based record systems which contain information about identifiable living people are subject to the new Act.

I have been asked by a student to supply a copy of their records. What should I do?

Refer the request to the Information Protection & Security manager. The student will be asked to complete and return a form setting out the information they wish to see. They may also have to pay a fee which is currently £10. The University is obliged to provide the information to the student within 40 calendar days of receiving the completed request form.

What about exam marks and results?

Exam marks and any minutes from an exam board meeting relating to a particular student should be disclosed. Exam scripts themselves are exempt from disclosure but data subjects do have right of access to any comments or notes recorded on the script. Exam markers should be aware of this and ensure that they do not record any comments on the exam script which they would not be happy for the data subject to see. There are additional rules which state that exam results need not be disclosed any earlier than they are publicly announced.

Can we still publish degree results on Faculty notice boards?

This issue has been considered by the Information Commissioner (formerly the Data Protection Commissioner) who has concluded that provided there is nothing which would enable individual students to be contacted i.e. by the inclusion of e-mail or postal addresses or telephone numbers, then the publishing of degree results does not breach the terms of the new Act. However, if individual students were to indicate that they did not wish their names to be included on the published list, their wish should be respected.

I want to create a Photoboard showing photographs of all students within my school. Can I do this?

Photographs constitute personal data so you must get consent from all the individuals concerned before you display their photographs. Consent could, for example, be obtained by asking students and staff to supply photographs and informing them at the point of collection exactly how the photographs are to be used. If an individual objects to the display of their photograph then it must be removed. Since photographs may reveal details of the subject's race and ethnic origin they are classified personal data. Generally photographs should only be used and retained where strictly necessary.

DownloadTaking photos in schools - Data Protection guidance
(PDF, File size: 78 KB)

I have obtained consent to display certain items of personal data on the Faculty notice board/in a faculty handbook. Can I also publish the information on the department website?

Only if you have obtained specific consent to this from the individuals concerned. You cannot assume that consent for a particular use of data extends to any other use. If you have consent to use personal data for a particular purpose and wish to use this data for another different purpose, additional consent must be obtained from all the relevant individuals. This is especially important in relation to the publication of personal data on websites because the World Wide Web makes information globally accessible.

I am already holding personal information on a database of contacts which I have compiled over a number of years. Can I continue to hold and use this information?

Yes, but you should think about what personal data you are collecting and holding and why. All the information should be relevant, accurate and held for no longer than necessary. If you are storing or using old or unreliable personal information you should either update or delete it. One way to do this would be to write to the individuals concerned, notifying them of the data you hold and asking them to check that it is correct. You can also inform them of the purposes for which the data is being held and seek their consent.

I have sent literature about forthcoming events, reunions etc. to former students of the University. A few people have objected, saying that they do not wish to receive any further communications. What should I do?

You must ensure that these persons are not sent any further communications. If mail is generated electronically you must introduce a system which ensures that people who have objected to receiving communications from the University are removed from your mailing list.

Some of our student files contain comments of a personal or derogatory nature. Could these be viewed by the individual concerned under the terms of the Act?

Yes. Potentially all personal information can be disclosed. The general rule is that you should not record, however informally, comments which you would not be happy for the data subject to see.

What about confidential information such as references. Do these have to be disclosed?

Potentially yes. There are complicated rules relating to references but basically although the subject of the reference cannot demand a copy from the person giving the reference, they could possibly obtain it from the person (or institution) to whom the reference was sent.

I have been contacted by a third party requesting information about a student/member of staff. What should I do?

The general rule is to be very careful about who information is disclosed to. You need to find out exactly who requires the personal data and why. Ideally you should obtain the consent of the relevant student/member of staff before any data is disclosed to a third party, although this may not always be possible (e.g. in a medical emergency). If you are in any doubt as to whether information should be disclosed please contact The information Protection and Security manager.

I have a form/questionnaire which students/members of staff/third parties complete and return. Do I need to modify this form to comply with the new Act?

Yes. Please contact the: The Information Protection and Security manager who will be able to advise you on amending any forms to include a statement informing recipients what their personal data will be used for, where it will be held and to whom it may be disclosed. 

What about records. How long should I retain them?

The new Act states that personal data should be held for no longer than is necessary. In general it is good practice not to collect or retain more personal information than is strictly necessary. All irrelevant or out of date personal information should be destroyed. For advice on the management of your records please contact the he Information Protection and Security manager.

This all seems quite complicated. Is there a basic rule I should remember?

Be very careful about the personal information you hold and in particular who you pass it on to. Think about what you are using personal data for and whether this is what the individual concerned would expect you to be using it for. Wherever possible obtain specific consent.

More information about Data Protection

If you require more information about the Data Protection Frequently Asked Questions or Data Protection at Staffordshire University, please contact the Data Protection and Security manager.


Information Protection & Security Manager
Staffordshire University
Stoke on Trent
t: +44 (0)1782 294365