Standards and Procedures for the Release of Data

  1. BSU data is processed in accordance with the Data Protection Act 1998 (DPA) and the BSU 'Data Protection Policy', and retained in accordance with the schedule described in 'Retention of Records containing Personal Data'.
  2. A Data Subject about whom BSU holds information is entitled to receive data held about him/her for which the University is 'Data Controller' as defined by the DPA.
  3. Data shall be supplied in hard copy, or be viewed as required, provided Data Subjects have made an application in the prescribed manner, and have paid the £10 fee.
  4. Applications shall be made on the form 'Data Subject Access Request'. The form includes fields to enable the University to locate the data requested by the Data Subject promptly and efficiently. The more explicit the information given by the Data Subject, the quicker and more complete can be the response to the request. The Data Protection Officer is required to satisfy him/herself of the identity of the applicant and the legitimacy of the request: it is therefore necessary to provide acceptable proof of identity, such as library card, birth certificate, passport or driving licence. This can be done by sending it or bringing it by hand to the Academic Office with any application. Where the application is made remotely, please send a stamped addressed envelope for the return of material authenticating the identity of the applicant.
  5. Copies of data shall be provided within 40 days of receipt of the properly completed application, or the receipt of the fee, whichever is later. Where the fee is paid by cheque, this date is 40 days after the cheque has cleared. Cheques should be made payable to 'Bath Spa University.'
  6. All applications shall be made through the Data Protection Officer, and application in any form made through other members of staff shall be referred to the Data Protection Officer, except in emergency situations (see below).
  7. The Data Protection Officer will log receipt of the application and dispatch of the data to the Data Subject.
  8. Requests may only be made by Data Subjects or by those authorised by a Data Subject to make applications on his/her behalf, except where the DPA makes exceptions, i.e. where:
    1. disclosure is to a police officer and non-disclosure would facilitate a criminal act or inhibit the prevention of one
    2. non-disclosure might reasonably be expected to result in significant harm to the data subject him/herself
    3. non-disclosure might reasonably be expected to result in a significant threat to the health and safety of third parties
    4. disclosure is ordered by a court or similar agency.
  9. The Data Protection Officer shall take all reasonable steps to assure himself of the identity of the applicant and his/her entitlement to the data requested. The standard of this proof shall be similar to the standard required for authenticating applications for places at the University.
  10. The following shall normally be supplied to the Data Subject on application, where the data: identifies the Data Subject either directly or indirectly (i.e. by name, student id number, National Insurance number etc):
    1. Data held by Registry
    2. Data held by academic schools and departments
    3. Data held by student services (e.g. Welfare or Careers)
    4. Data held by any other BSU agency concerned with student welfare, discipline or finance (e.g. Academic Office, Accommodation, Finance Office), such as information on disciplinary interviews or hearings, payments or indebtedness
    5. Data held by BSU agencies concerned with employment or payment (e.g. Human Resources, Payroll)
  11. The following are examples of the kind of data that shall be disclosed on application:
    1. results of assessments or associated data
    2. formal notes and sheets recording performance or attendance
    3. academic staff notes on student attendance
    4. academic staff notes on student assessment
    5. external examiner's comments on student assessment
    6. careers service notes of advisory interviews with students
    7. welfare service notes of counselling sessions with students
    8. finance records of payments or indebtedness
    9. records of disciplinary interviews or hearings
    10. minutes of assessment or appeals boards.
  12. The following shall not normally be supplied to the Data Subject:
    1. data that infringes the data protection rights of a third party, except where the third party has given permission for the information to be released
    2. data the release of which threatens the safety of a third party
    3. data that would take a disproportionate effort to provide
    4. data that has already been requested by the subject, and where a 'reasonable' time has not elapsed since the last request.
  13. The following are examples of the kind of data that shall not be disclosed:
    1. references, where the referee has not given consent to release of the reference
    2. references provided by BSU in connection with an application for training, further education or employment
    3. papers written on behalf of BSU that may be expected to form part of the evidence to be seen by a court.
  14. Where the Data Protection Officer declines to release data an explanation shall be supplied to the Data Subject.
  15. Emergency release of data. Data may be released outside the procedures above under the following conditions only:
    1. The member of staff who receives the request should try to refer it to the Data Protection Officer, or where he is not available to a member of Chancellory.
    2. Where it is not possible to refer the matter to the Data Protection Officer or a member of Chancellory, the member of staff who receives the request should satisfy him/herself of the following:
      1. Would the person about whom the disclosure is made accept that emergency disclosure is justified?
      2. Is disclosure justified in the broader public context (e.g. would disclosure prevent a crime or non-disclosure prevent the apprehension of a criminal)?
      3. Would non-disclosure threaten the health and safety of the data subject or third parties?
      4. Would delay compromise anyone's health or safety, facilitate a crime or compromise prevention of a criminal act?
    3. If the request is made by telephone, member of staff who receives the request should try to ensure that the enquirer is authentic, and
      1. Ask for full details of the caller's identity
      2. Ask for full details of the caller's company or organisation if appropriate
      3. Where possible ask for the telephone number from which the caller is calling, and call back in order to help ascertain the genuineness of the call
      4. Before calling back inform his/her line manager or other senior member of staff and secure agreement that emergency disclosure is justified.
    4. If a member of staff decides on disclosure, then a full written report should be made to the Data Protection Officer detailing the circumstances and the information disclosed immediately.
  16. Contact details for the Data Protection Officer can be found here.  If you have any queries on making an application, it is preferable to make an approach first through email.