Data Protection Law For Academics

  Share by Email   Print this article   More sharing options  

Five academic staff members making different mistakes:

  • Jane, a literature lecturer, sent her class a reading. Knowing that many do not pick up university emails quickly, she used personal email addresses. And the “cc” feature, which meant she delivered a list of personal email addresses to the entire class along with the reading.
  • Mark, an FE college administrator, put a box full of old student files in the recycling bin.
  • Malik, a maths lecturer, took a call from an angry parent whose son had failed a module, and explained that poor attendance had impacted the student’s test scores.
  • Louella, a secretary, answered a call from a polite man who asked whether Mark Smith was a student on the Geography course. She said yes.
  • Anne, a university administrator looking to save money, outsourced personnel data management to a company that then had the work done at a back-office centre in India. 

Five different mistakes (all based on true stories), and a good introduction to data protection do’s and don’ts.

Jane’s error was sharing individual students’ contact information without permission. While we hope students will treat each other with respect, there are many instances of bullying and stalking on FE and HE campuses every year. So when sending mass emails, always use “bcc,” not “cc,” and consider whether your message needs to be shared so widely.

Student information must be carefully protected, even when the contents seem banal or have lain untouched in a cupboard for years. If you inherit a cache of files, or simply need to clear space, ask your university’s data protection office about what procedure to use. Normally there is a secure waste disposal system available.

It should come as a relief to staff troubled by “helicopter parents” that discussing students with family members is strictly forbidden, unless a signed consent form is in place. Malik should have said: “I’m afraid I’m not allowed to discuss student performance with parents, but I’m sure he can tell you more.” This leaves it up to the student to decide whether he can confide with his family about his poor attendance.

Louella fell victim to a duplicitous debt collector, who then lay in wait for the unfortunate student on campus. It’s hard enough to hide in the age of Google and Facebook, but both staff and students have the right to expect freedom from harassment or embarrassment whilst teaching and learning. Don’t give out information about student or employment status, schedules, or office locations without asking the person in advance.

As for Anne, sending private data outside the EEA is an area so tricky that an entire body of legal procedures exists around it. If your employer is outsourcing, make sure that any contractors (and their subcontractors) adhere to stringent guidelines.

For academics, the biggest issues are keeping files safe in locked storage, and reserving access to electronic data. For the latter, network security and high-quality encryption are essential. Contact your ICT department for the latest software and training, and don’t risk bypassing security procedures, even if they take a few extra minutes.

Finally, if you work with data, watch out for errors, unnecessary information, and potentially harmful data. Not only can individuals make compensation claims for unauthorized disclosure or loss of data, incorrect or misleading data is actionable.


Start with your employer’s Data Protection policy, and the department that administrates it.

Information Commissioner’s Office (2014) “Data protection: How to get it right.” Online at  [Accessed 11 February 2014]

Under the Data Protection Act, FE and HE institutions and their employees must comply with eight data protection principles. All personal data must be:

1. fairly and lawfully processed;

2. processed for limited purposes;

3. adequate, relevant and not excessive;

4. accurate and up to date;

5. not kept for longer than is necessary;

6. processed in line with the rights of individuals;

7. secure; and

8. not transferred to other countries without adequate protection.

Share this article:

  Share by Email   Print this article   More sharing options  

What do you think about this article? Email your thoughts and feedback to us

Connect with us