Further and higher education institutions have duties under the Data Protection Act 1998 (the Act) to protect the personal data of their students. As ‘data controllers’, the Act requires universities, FE colleges, schools and other education providers to process data lawfully and fairly and ensure that the information that is held is adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
Most organisations will rely on securing the consent of an individual to ensure that their processing is both ‘lawful’ and ‘fair’, however, circumstances may arise where an individual refuses to give consent to the release of their personal data, perhaps where a third party such as the police or social services request it. This poses difficult ethical and practical considerations for data controllers. Fortunately, the Data Protection Act contains important derogations that allow an organisation to release personal data without breaching its provisions as was recently reinforced in case law.
In Bangura v Loughborough University  the court considered whether Loughborough University had breached the Act by providing the name, address and date of birth of a student to police officers investigating allegations of rape and sexual assault. They had done so without the explicit consent of the student and without a formal written request from the officers. Citing s29 of the Act, the court found that a data controller (in this case the University) can disclose personal information without the knowledge or consent of an individual if it is required in connection with the prevention or detection of crime, and that there was no need for a request to be made in writing.