Requests from Third Parties for Student Information

Data Protection Policy - Requests for Student Information From Third Parties

Internal Enquiries

Members of staff may release (verbally or via electronic or 'hard' copy) student personal data to fellow University employees who require that information in order to carry out their normal university-related duties. Please note, this does not include the non-University organisations on Campus, e.g. Banks.

In most cases it is likely that staff will know the enquirer, and will not be in any doubt about her/his identity. However, there will sometimes be cases where members of staff are contacted by an enquirer where they only have the say-so of that person that they are 'internal' and entitled to the data. Where members of staff receive such an enquiry by telephone, it is recommended practice to call the enquirer back on a verifiable telephone number, allowing a delay. For in-person enquirers, staff should ask for some identification. For written enquiries (having been satisfied that the request is legitimate), check that the enquirer is indeed an employee of the internal University department in question.

External Enquiries

Staff must take particular care when disclosing personal data to third parties, to ensure that there is no breach of the Data Protection Act or the law of confidence. External enquiries are enquiries made by any person who does not work directly for the University. Disclosure may be unlawful even if the third party is a family member of the data subject, or a local authority, government department or the police.

The disclosure of personal data represents a form of processing of the data. This means that the conditions for fair and lawful processing of personal data and special category data or sensitive personal data set out in the first Data Protection Principle must be met. Consideration should also be given as to whether the disclosure was one of the purposes for which the data were originally gathered, or is a purpose to which the data subject has consented. If not, the disclosure is likely to represent further processing contrary to the second Data Protection Principle.

Disclosure of personal data which are not sensitive personal data is most likely to be justified if one or more of the following conditions applies:

  • The data subject has given his/her consent to the disclosure (e.g. at the time when the data were gathered).
  • The disclosure is in the legitimate interests of Swansea University or of the third party to whom the data are to be disclosed, and does not prejudice the rights, freedoms or legitimate interests of the data subject.
  • There is a statutory or legal obligation to disclose the data.
  • The disclosure is required for the performance of a contract (e.g. between a student and a sponsor).
  • The disclosure is necessary to protect the vital interests of the data subject.

More stringent restrictions apply to the processing of special category data or sensitive personal data. The most likely conditions that would justify disclosure of special category personal data are:

  • The data subject has given his/her explicit (ideally written) consent to the disclosure, or
  • There is a statutory or legal obligation to disclose the data, or
  • The disclosure is necessary to protect the vital interests of the data subject.

The GDPR also allows personal data to be disclosed to third parties without the consent of the data subject, in the following circumstances:

  • The disclosure is necessary for safeguarding national security.
  • The disclosure is necessary for the prevention or detection of crime, or the apprehension or prosecution of offenders.
  • The disclosure is necessary for the assessment or collection of any tax or duty.
  • The disclosure is necessary for the discharge of regulatory functions (including the health, safety and welfare of people at work).
  • The data to be disclosed are to be used for research purposes.
  • The data are information which the University is obliged by legislation to provide to the public.
  • The disclosure of the data is required by legislation, rule of law or the order of a court. For example, certain data on students and staff have to be supplied by Swansea University to the Higher Education Statistics Agency (HESA).

The Freedom of Information Act 2000 sets out certain circumstances in which personal data can be disclosed to a third party (i.e. someone other than the data subject) who has submitted a Freedom of Information (FoI) request. In particular, the FoI Act provides that personal data can be disclosed where doing so would not breach any of the Data Protection Principles. Guidance from the Information Commissioner suggests that this is likely to apply to data relating to an individual's official or work capacity which it would normally be reasonable to release, such as name, job title, official functions, grade, decisions made in an official capacity, and salaries of senior staff. Data relating to an individual's private life would not normally be disclosable under FoI. 

Staff should always exercise caution when dealing with requests from third parties for the disclosure of personal data. Disclosure requests should normally be required to be in writing, and should be responded to in writing. Where reasonable, the party making the request should be required to provide a statement explaining the purpose for which the data is requested, the length of time for which the data will be held, and an undertaking that the data will be held and processed according to the Data Protection Principles. Where the request relates to the prevention/detection of crime, the apprehension/prosecution of offenders, assessment/collection of any tax or duty, or the discharge of regulatory functions, appropriate paperwork should be produced by the enquirer to support their request (e.g. official documentation stating that the information is required in support of an ongoing investigation). 

Personal data should only be disclosed over the telephone in emergencies, where the health or welfare of the data subject would be at stake. If data have to be disclosed by telephone, it is good practice to ask the enquirer for their number and to call them back. For further information on how to respond to emergency requests see the guidelines on disclosures to the Police.

Requests from parents/spouses/other relatives

Students' relatives do not have the general right to information about their child/partner/relative, which they often assume. If there is a pressing case for releasing the data in the interest of the individual, the enquiry can be referred to the Information Compliance Officer (FOI/DP).

Requests from other students

Other students do not have special rights to information about their fellow students. Refer enquirers to the Information Compliance Officer (FOI/DP).

Requests from sponsors

Sponsors and similar bodies (LEAs, Embassies, High Commissions, private companies, charities, etc.) likewise do not have a general right to access 'their' students' personal data (although in some cases, the University may undertake routinely to provide academically-related information to sponsors). Enquiries from Embassies and High Commissions are to be treated with extreme caution. Data subjects may choose to have little or no contact with representatives of their home states; the extent of the relationship is a matter for the data subject, not the University, to determine.