Student Personal Data Policy

1.      This is the policy for the recording, keeping, and transmission of student data within the University.  It should be operated at Faculty and School levels. 

2.      Personal data means information about a living individual who can be identified from that information (including identifiers such as candidate number).  Generalised, anonymised data from which a student cannot be identified personally is not personal data.  

3.       Personal data includes, for example, an expression of opinion about the individual, whether in written form or by email, and in references. Students have the right for all comments about them to be disclosed. Personal data can also include CCTV images, photographs and audio recordings.

4.      Sensitive personal data is strongly protected by the Data Protection Act. Sensitive data means data that is identifiable and contains any of the following information:

Sensitive data can only be processed with the explicit consent of the data subject unless there is concern over the well-being of a student. Such cases should be referred to the Secretary’s Office for advice.

5.      Those people with overall responsibility for student personal data for the Faculty will be the Faculty Manager (who also has overall responsibility for the operation of this policy), the Faculty Head of Academic Administration, and the School Administration Managers, or their equivalents.

6.      Personal data can only be held by members of staff with good reason. All staff should be told to securely delete or dispose of personal data they no longer need before the beginning of each academic year.

7.      This policy does not change the nature of the role of the tutor or the pastoral responsibilities of tutors towards their tutees. 

8.       Access to sensitive data should be limited only to those members of school and faculty staff who have a legitimate interest in seeing that data.

9.      Personal data cannot be transmitted to third parties outside the university without the consent of the student, apart from under very restricted circumstances. Students consent through the Student Agreement to the transmission of data to several named third parties.

Further information on how the University uses student personal data is available at:

http://www.bris.ac.uk/secretary/dataprotection/individ/students.html

Any requests from third parties (such as the police) asking for the disclosure of student personal data without consent should be referred to the Secretary’s Office. 

10.  It must be possible to respond within seven days to a request for disclosure of personal data made to the Information Rights Officer.

11.  In any case of doubt in the operation of this policy, the Information Rights Officer at data-protection@bristol.ac.uk should be consulted.

12.  The policy on Student Personal Data should be published in the Faculty handbooks.

Acquisition of student sensitive data

13.  The people responsible for the acquisition of sensitive student data will be the School Administration Managers at School level and the Faculty Head of Academic Administration at Faculty level.

14.  Students may only submit sensitive data via this person or their designate(s). They may not submit it via third parties such as personal tutors (in such cases, tutors should inform their tutees of the correct contact person). On submission, if the information is having a significant effect on the student’s studies then he or she should be encouraged to discuss this with their tutor, but not required to do so.

15.  Where sensitive data is required to be submitted to the Faculty, this should go through the Faculty Head of Academic Administration.

16.   The number of copies of sensitive data must be minimised. If copies must be made, they should only be retained for as long as is necessary and be securely deleted when they are no longer required.

Keeping of physical student personal data

17.  All physical personal data (other than those collected for academic purposes such as assessment marks) are the responsibility of the School Administration Managers and the Faculty Head of Academic Administration as appropriate in each school and the Faculty.

18.  The student personal files should hold the originals of all documents.

19.  All student personal data should be kept physically secure in one place.

20.  Access to student personal data should be controlled at all times.

21.  Student personal data must not be left unattended at any time.

22.  Student personal data must not be reproduced except for specific purposes. Once those purposes are fulfilled, the record must be securely disposed of.

23.  Non-sensitive student personal data may only be taken off the University campus if it is held within the Data Protection Principles. Sensitive data should not be taken off campus.    

24.  Personal data held on a student’s personal file should normally be kept for at least eight years, but after the student has left the university they should be centrally filed in the University’s Filing Office in Senate House.

25.  Student personal data must be securely disposed of using the confidential waste bins provided, not the ordinary waste bins or blue waste paper bins.

26.  The keeping of all personal records must be reviewed at least once a year.

27.  Examination scripts from Year One should be disposed of in the student’s second year provided any appeal or complaint procedures are not outstanding. 

28.   Examination scripts from the second year onwards should be kept for the duration of a student’s studies and for one year after their studies terminate to allow time for appeal or in case of any other dispute.

Keeping of electronic student personal data

29.  Personal data must only be stored on secure, University owned computers. Personal data must not be stored on personally owned computers, portable computers or portable drives.

30.  Computers used for processing personal data must be secured when not attended. Screens should not be readable by casual passers-by.

31.   The keeping of computer files containing personal data should be reviewed at least once a year.

32.  The disposal of computer equipment must be undertaken in accordance with the University’s policy on the disposal of computer equipment.

Keeping and transmitting student personal sensitive data

This section refers to the types of data described in paragraph 4.

33.  All sensitive data must be treated carefully and securely in accordance with the Data Protection Act.

34.  The data should only be stored on secure School or Faculty servers, not on desktop computers.

35.  All sensitive data should be strongly encrypted both when stored and when transmitted. An example of how this can be achieved is through the 7-zip program, which is widely installed on University computers. Instructions to use this may be found at http://www.bristol.ac.uk/engineering/computing/encryption.html.

36.  The encryption keys should be kept in the same place as the paper sensitive records and not reproduced. They may also be stored on the personal non-portable computers of those authorised to see sensitive data, but they must be stored anonymously and discreetly (e.g. not named “sensitive data key”).

37.  Encryption keys must be changed at least once a year.

38.  Sensitive data should only be transmitted via Fluff, not as e-mail attachments.

39.  Sensitive data must not be stored on non-university owned systems or computers.

40.  It is the Faculty Manager's responsibility to ensure that all computers that are used to process sensitive data are effectively managed i.e. software is kept up to date, the computers have a firewall, anti-virus software is installed, personal data is not processed when running with administrative rights etc.

41.  The Secretary’s Office and Information Security Manager should be notified immediately if there is a loss or a suspected loss of any personal data.

42.  If you need to discuss a student matter involving sensitive data, always try to meet face to face or talk on the phone.

This policy should be read in conjunction with the following:

The Information Access matrix gives details of the levels of accessibility to personal data.

November 2010