University Challenged

Print this page Email a link to this page

Further and higher education institutions have duties under the Data Protection Act 1998 (the Act) to protect the personal data of their students. As ‘data controllers’, the Act requires universities, FE colleges, schools and other education providers to process data lawfully and fairly and ensure that the information that is held is adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

Most organisations will rely on securing the consent of an individual to ensure that their processing is both ‘lawful’ and ‘fair’, however, circumstances may arise where an individual refuses to give consent to the release of their personal data, perhaps where a third party such as the police or social services request it. This poses difficult ethical and practical considerations for data controllers. Fortunately, the Data Protection Act contains important derogations that allow an organisation to release personal data without breaching its provisions as was recently reinforced in case law.

In Bangura v Loughborough University [2016] the court considered whether Loughborough University had breached the Act by providing the name, address and date of birth of a student to police officers investigating allegations of rape and sexual assault. They had done so without the explicit consent of the student and without a formal written request from the officers. Citing s29 of the Act, the court found that a data controller (in this case the University) can disclose personal information without the knowledge or consent of an individual if it is required in connection with the prevention or detection of crime, and that there was no need for a request to be made in writing.

The student further claimed that the release of details was a breach of contract. Dismissing the argument, the court found that the University’s privacy policy was not incorporated into the registration documents that the student had filled out on admission.

Whilst great care must be taken by education providers to protect the data of their students, Bangura confirms that there may be circumstances in which personal data can be released without the consent of an individual, and emphasises the importance of understanding whether a privacy policy is intended as guidance or has contractual force.

For more information, help or advice in this area please contact Alan Grisedale on 0191 211 7905 or via [email protected].