5. Processing of Personal Data by Students

5.1 The University's Responsibility

The University is responsible for personal data when it is the data controller for that data i.e. where the University determines the purposes for and the manner in which any personal data is to be processed.  For information on the processing of data by students where this is not for University purposes please consult the University's Information Governance Manager.

5.2 Permitted Use

A student is only permitted to use personal data for a University related purpose with the knowledge and express consent of an appropriate member of staff. For research purposes this would normally be a postgraduate supervisor or the person responsible for teaching the relevant undergraduate class or course. For administrative purposes this will be on the express authorisation of the line manager or supervisor of the project on which the student is employed.

5.3 Staff Responsibilities

Where students process data for the University's purposes, the relevant staff must ensure that:

• The processing is covered by the University's notification with the UK Information Commissioner (ICO)
• The Information Governance Manager is informed of any personal data that is being or is intended to be handled, which is not notified, or of any changes in the way the data is being handled which might affect the University's notification under the Data Protection Act.
• Students are complying with the Data Protection Principles, this Code of Practice, including where relevant Section 6: Use of Personal Data in Research, the University's Information Security and Manual and Physical Data policies. The use of personal data by students should be limited to the minimum consistent with the achievement of academic or corporate objectives. Wherever possible data should be anonymised so that students are not able to identify the subject.
• Written authority from the relevant Head of School or Service has been sought before a current, employed student is given access to the Student Record System, SITS and the relevant oath of confidentiality has been signed 
• Data has been retained in accordance with the University's retention schedules and is capable of being retrieved in response to a data subject access request
• Students are made aware that data subjects have a right of access to their personal data and to object to the accessing, processing and disclosure of their personal data whether held on computer or in manual files where the data subjects feel it may cause them significant damage or distress.

5.4 Student Access to and Use of Personal Data

5.4.1  Students who are authorised to hold or process personal data on computer, online or in manual format are required to:

• Sign an oath of confidentiality at the start of their employment or research project
• Comply with this Code of Practice, the Data Protection Principles, the University's notification with the ICO and relevant University policies. 

5.4.2  All students processing personal data are responsible for ensuring that:

• appropriate measures are taken to prevent personal information (in whatever format) from being divulged to unauthorised persons
• appropriate care is taken in disposing of printed information containing personal information in accordance with the University's guidance on the Safe Disposal of Confidential Waste
• within individual work areas, the current general guidance on handling personal information is followed, together with any specific additional measures that may apply

5.4.4  Employed students are not permitted under any circumstances to remove personal data in any format from the University. 

5.4.5  Any failure to observe these responsibilities, including the inappropriate or unauthorised disclosure of personal data, may lead to disciplinary action being taken under the Student Conduct Regulations.

                                                                                                                Page last updated 04 September 2018