
2. General guidelines

NB. These guidelines should be read in conjunction with the University's .

These guidelines are based on current interpretation of the provisions of the Act. They may therefore be reviewed as interpretations change and as case law emerges.

2.1 Collecting personal data

Schools and Units have to gather a certain amount of personal data (name, address, contact details, etc.) to carry out their normal functions. The Act requires, however, that only necessary data shall be collected. Schools and Units should therefore ensure that they only collect data that is necessary for the effective functioning of the unit. Procedures should be reviewed at intervals to ensure that this is the case, and that unnecessary information is not being requested or retained.

2.2 Security of personal data

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that access to the data must be restricted. All staff should ensure that:

  • Manual records are kept in a locked filing cabinet or in a locked drawer. Care must be taken to ensure that manual records, e.g. staff or student files, or printouts containing personal data, are not left where they can be accessed by unauthorised staff.
  • Computerised information is password-protected.
  • Computer monitors are sited so that they are not visible except to authorised people. Screens should not be left unattended when personal data is being processed.
  • Manual records, once they are no longer required, should be shredded or bagged and disposed of securely.
  • Records, both manual and electronic, should be retained or disposed of in accordance with the Student Record Retention Schedule.

Staff should bear in mind that any personal data (either paper or electronic) taken away to be worked on at home needs to be treated with the same care for security.

2.3 Disclosing personal data

Students are private individuals and their data should not be disclosed to third parties without permission. In this context, "third parties" includes family members, friends, local authorities, government bodies and the police, unless disclosure is exempted by the Act or by other legislation.

There are certain circumstances where the Act permits release of data without express consent:

  • For the purpose of protecting the vital interests of the individual (e.g., release of medical data where failure to do so could result in harm to, or the death of, the individual).
  • For the prevention or detection of crime.
  • For the apprehension or prosecution of offenders.
  • For the discharge of regulatory functions, including securing the health, safety and welfare of persons at work.
  • Where the disclosure is required by legislation, by any rule of law, or by the order of a court.

2.3.1 Relatives and guardians

Parents may find it difficult to understand why a member of staff cannot discuss the academic progress of their child. Without the consent of the student involved, however, no such discussion is legally permissible. Written, rather than verbal, consent is recommended.

It is, however, perfectly allowable to discuss institutional procedures with parents. A member of staff may safely describe the procedures involved in re-sits, but not the reasons why Student X failed.

If there are circumstances where it is foreseeable that personal data might have to be released to parents (for instance if a student is spending a year abroad) written consent to this release should be obtained before the student leaves.

2.3.2 The Police

Disclosures to the Police are not compulsory except in cases where the institution is served with a Court Order requiring information. There is a limited exemption, however, which allows data to be disclosed for "the prevention or detection of crime" and "the apprehension or prosecution of offenders". Police officers making such requests should provide a 'Request for information under Section 29(1) of the DP Act' form, which should be retained and copied to the Data Protection Co-ordinator.


2.3.3 Other government agencies

All requests should be referred to the .

2.3.4 Embassies and High Commissions

Any request from a foreign embassy for information about students or staff should be treated with great caution. It may be that the individual concerned has no desire for any contact with his home state or its representatives. This is for the individual concerned to decide.

If a School or Unit receives such a query about a student or graduate, they should request that it be made in writing and addressed to the .

2.3.5 Employment agencies and prospective employers

Employment agencies or prospective employers may contact the University to verify such details about an individual as examination results and degree classifications.

The University is required by statute to maintain a register of all living graduates and their academic qualifications. Registry will therefore provide to such bodies confirmation of graduates' academic qualifications.

2.3.6 Telephone inquiries

Phone calls from a third party asking for information on a member of staff or student should be treated with caution. Members of staff should:

  • Explain that the University does not discuss individuals without the express permission of the individual concerned.
  • Not confirm the presence or otherwise of the individual concerned.
  • Offer to attempt to contact the person concerned and take details of the request for information, including the caller's number.
  • Offer to phone the caller back if necessary (this offers some measure of authentication of the caller).
  • Offer to accept a sealed envelope for the Department to try to forward to the individual concerned.


Data Protection Co-ordinator

IT Services
Butts Wynd Building
St Andrews, Fife
KY16 9AL
Scotland, United Kingdom

Tel: 01334 46 4010/2776