Code of practice: personal information about students
7 June 2010
This Code of Practice is applicable to any item of personal information about a student which may be recorded or otherwise held by the University of St Andrews. It therefore applies to any such information received (e.g. medical, legal, personal) from any internal or external source (e.g. doctor, police, the student, the family of the student). For the purposes of this document "departments" shall cover all units of the University of St Andrews, including halls of residence, administrative units, and academic schools.
Copies of this Code of Practice will be displayed on the University's website and all staff will be made aware of it and its implications. The induction programme for new members of staff will highlight the Code of Practice.
The Code was revised in June 2010 on the authority of the Proctor, who will be responsible for its update or review as required.
The University is committed to a policy of protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998, and is registered as a Data Controller under the terms of that Act. (See Appendix 3.)
In the normal course of business the University has to gather, use and maintain personal information about its students. Purposes for which we use this data include:
- maintenance of the student record (including personal and academic details)
- management of academic processes (for example, academic audits, examination boards)
- awarding of degrees
- the management of University residences and University social events
- alumni operations, including fund-raising
- compiling records and statistics for research purposes and management information
- the provision of advice and support to students (via, amongst others, the Registry, Student Services and the Careers Service)
Internal communications
By matriculating, the student effectively enters into a contract with the University. In fulfilling its side of the contract the University adopts management practices that require collection and internal distribution of information to those staff and departments that need to know. Students cannot dispute the University's need to process information for these purposes. Within a department, use of personal information must be restricted to those members of the department who "need to know" (See Appendix 2.) Beyond the uses described in Appendices 1 and 2 the student must be informed of any proposed distribution of personal information and given a clear indication of who will receive the information prior to its distribution. Permission for this distribution will be sought from the student.
Where permission is refused by the student, there will be consultation with the appropriate deputy of the Principal whose decision, after discussion if possible with both parties, shall be final.
Where the the deputy of the Principal has deemed the student's permission to be unnecessary, the student, wherever possible, must be informed of this prior to the distribution of information.
External communications
Except where there is a legal or contractual requirement to do so (see Appendix 1), or in exceptional circumstances (see Appendix 2), personal information will not be given out externally without the student's permission. This restriction includes passing information to parents, legal guardians and next of kin.
If, exceptionally, personal information is to be released without the student's permission, the permission of the Head of Department responsible for the security of that information must be obtained and the student must be informed, except in cases where it is deemed legally inadvisable to do so.
Where necessary, approval from the deputy of the Principal, who might seek legal advice, will be sought prior to the release of such information.