
Student use of personal data

Guide 6 - Student use of data

1. Introduction

Students are likely to process personal data on College systems in one or more of a number of capacities, e.g.:

(a) for research or study purposes as a registered student of the College;

(b) as a Sabbatical Officer of Imperial College Union in connection with the administration of that body or as an officer of one of ICU's clubs or societies;

(c) for approved research or study purposes on behalf of another organisation or as an independent project not associated with their registration with the College.

2. Processing by students where the College is the data controller

In the first two of these cases of student processing, the College is the Data Controller and is liable for the processing carried out by the student. This includes, but is not limited to, liability for compliance with all of the Data Protection Principles and liability for provision of data in response to a legitimate subject access request.

In essence, the Data Protection Principles require personal data to be obtained and processed fairly and only for a specific legal purpose; the data held should be only that which is sufficient to achieve that purpose; it should be kept up to date and held only as long as is necessary to achieve that purpose; it should be adequately protected and only transferred to a country outside the European Economic Area if that country can provide equivalent levels of protection or if the Data Subject consents to the transfer.

Supervisors of students carrying out research or study as part of their registration with the College must ensure that their processing of personal data is covered by the registration of their Department/Centre/Division (known as a College Administrative Unit, CAU) with the College Data Protection Officer. Each CAU has a Data Protection Co-ordinator who is responsible for maintaining that CAU's registration and for dealing with issues of subject access to data being processed. A registration will set out the purposes for which the data has been collected, including the parties to whom disclosure may legitimately be made. Disclosure to any other parties may not be made unless one of the exemptions specified in the Act applies.

The processing of personal data by staff employed by and students working on behalf of IC Union, including the operation of its clubs and societies where this is done using College systems, is subject to the Data Protection Principles and the registration process through its Data Protection Co-ordinator.

The sum total of the registrations made by CAUs constitutes the College's notification with the Office of the Information Commissioner and this notification is in the public domain.

3. Processing by students where the College is not the data controller

3.1 Students processing patient management data under direction are required to comply with the DP Principles when processing such data and should also be aware of the Code of Practice on Handling Patient Data which forms part of College Policy.

3.2 Where processing of personal data is carried out in College for approved research or study purposes on behalf of another organisation or employer, such processing, while still subject to the College's Policy on Data Protection, is not covered by the College's notification and is likely to require notification to the Information Commissioner by the individual or by the parent body.

3.3 Where personal data is used by an individual on a private PC or laptop only for the purpose of that individual's personal, family or household affairs, including recreational purposes, that data is exempt from the Data Protection Principles, the registration requirement and the Subject Access provisions of the Act.

4. Student access to, and use of, personal data

4.1 Students who have their Supervisor's authorisation to access personal data held within the College network, or obtained via the Internet through such systems, whether from within the College or remotely, must be made aware of the conditions under which they may obtain, process and disclose such personal data. These can be obtained by reference to the College Data Protection Policy and Codes of Practice [3] and the College's notification to the Information Commissioner at https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/.

4.2 Supervisors should make their students aware that the processing of personal data, the registration of that processing and the compliance with the Data Protection Principles apply, not just to data being stored on electronic media, but also to any data held in manual files where these are structured in such a way that specific data relating to any individual may be accessed readily.

4.3 Students should also be made aware that data subjects have a right of access to their personal data and to object to the accessing, processing and disclosure of their personal data in structured manual files or those in computerised form, where data subjects feel it may cause them significant damage or distress. Students should advise Data Subjects that any request for access to their personal data has to be made via the College Data Protection Officer who will determine whether or not the request should be granted.

4.4 Students should also be made aware of the restrictions involved in sending personal data via the Internet because of its innate lack of security. In all such activities the eight Data Protection Principles must be complied with. Additional guidance on security issues relating to personal data may be found in the College Policy on Information Systems Security at https://www.imperial.ac.uk/admin-services/secretariat/college-governance/charters-statutes-ordinances-and-regulations/policies-regulations-and-codes-of-practice/information-systems-security/.

4.5 Any processing of personal data carried out by a student which is not in compliance with the College's policy, including unauthorised browsing or disclosure of personal data, will result in disciplinary action being taken by the College or, in more serious breaches of the law, in prosecution by the Information Commissioner.