Information for staff > Data protection > Data protection guidance > Information governance: what directors of studies and student support officers need to know

Information Governance: What Directors of Studies and Student Support Officers Need to Know

On this page:

• Audience
• Purpose
• Key requirements
• Background
• What help is available?

Audience

1. This document has been prepared for undergraduate directors, postgraduate directors, senior directors of studies and lead student support officers within the College of Humanities and Social Science.

Purpose

2. It sets out those aspects of information legislation most relevant to directors of studies (DoSs) and student support officers (SSOs) so that the information can be cascaded to them and other relevant colleagues.
3. This briefing pulls out the key elements of data protection and freedom of information legislation as they apply to the DoS and SSO role.

Key requirements

4. Students have the right to ask to see any information the University holds about them. The University has 40 calendar days to respond. If a student asks to see information that you hold about them, if you have no concerns about showing it to them and doing so involves little work, please do so. If you have concerns, contact your local freedom of information practitioner as soon as possible.
5. You must tell individuals what you do with information regarding them, including to whom you disclose it, unless it is obvious from the circumstances. For example, if a student tells you that they have a disability, you must explain to them what you are going to do with that information.
6. You must keep information about students securely. If you have any set of information about 50+ students, store it on University networks, use encryption and adopt other appropriate security measures. The threshold for special circs or similar material is much lower. See the link below for more information.
   • Policy on the Storage, Transmission and use of personal data and sensitive business information out with the university computing environment
7. Information about past and current students is confidential to the University and to the individual student. Any member of staff except for good, duly considered reason, should not disclose information to a third party. For more information, including circumstances when it would be appropriate to disclose information about students see:
   • Guidelines on the disclosure of information about students
8. You must not keep information about students for longer than is necessary. For example, unless other local policies apply and with the exception of references, DoSs should destroy most information they hold about undergraduates a year after they graduate. For more information see:
   • Student records retention schedule
9. Anyone, including students, has the right to request access to any recorded information in any format and on any subject. The University has a maximum of 20 working days to respond. If a student asks to see information that you hold, if you have no concerns about showing it to them and it does not involve much work, please do so. If you have concerns or wish to refuse access, contact your local freedom of information practitioner as soon as possible.
10. Create clear and professional information as any work document, note or email you create could be released in response an information request.
11. Make your information accessible to other staff so they can find it should it be needed to answer a request, even when you are not there.
12. Avoid complications by following the procedures. See:
    • Request handling procedures

Background

13. Information legislation, primarily the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002, places obligations on the University with regard to all paper and electronic information created and received by DoSs as part of their work.
14. A failure to safeguard personal data could breach the Data Protection Act, which could lead to the University being fined up to £500,000 or being sued. In addition to financial penalties, a data protection breach could cause serious harm to the individuals concerned or to relationships with potential students or research funders.
15. A failure to comply with either piece of legislation could lead to reputational damage, regulator action and contempt of court. There are also criminal offences associated with the deletion of information after it has been requested in an information request.

What help is available?

16. A list of local freedom of information practitioners is available at:
    • Who Is My Freedom Of Information Practitioner?
17. The university Records Management Section provides advice, guidance and training on data protection, records management and freedom of information issues. Much information is available on our website, or you can contact the Section by email.
    • Records Management Section website
    • recordsmanagement@ed.ac.uk

Page last updated: Tuesday February 21 2012