Data Protection Policy

On or prior to arrival at College, all students, members of college, common room and staff are required to sign appropriate forms, consenting to the collection and processing of relevant personal data including 'sensitive' data.

DPA Form and DPA Form Guide (Acrobat Reader or similar required).

Access to and dissemination of data

The following notes are for the guidance of:

  • Members and former members of college and others who may seek access to data held by the College
    • the notes will give indications of how such requests will be dealt with
  • Staff and members with access to data held on College computer systems and in paper files
    • the notes will give guidance on how to deal with such requests.

The Freedom of Information Act 2000 and the Data Protection Act 1998 govern the access to personal information held by the College and the University (as Public Authorities).

A flow chart showing the inter-relationship of the two pieces of legislation and the decision-making process has been prepared by the University Data Protection office and is linked here for reference. (Acrobat Reader or similar required).

Publication Scheme

The Freedom of Information Act requires the College to produce a Publication Scheme, showing where information can be obtained. The College has adopted (and customised) a template prepared by the Legal Group of the Conference of Colleges.

Guidance on the way staff will give information about members:

General Information

While a limited amount of information about some members of College is published on the World Wide Web, other information about individuals should only be given out after careful consideration of the rights to privacy of the data subjects (ie those concerned). The following notes may be of guidance:

In all cases where you experience difficulty, or are uncertain about what you should do, please do not hesitate to discuss the matter with the Data Protection Officer or the Bursar.

Requests from Current Members

Addresses and telephone numbers may be given except where database records are flagged 'Secret Info No Calls'. In such cases inquirers can be invited to write to the person concerned c/o the College.

Requests for email addresses can be referred to the University contact page (in some cases access may be denied, or people may be ex-directory). No other information should be given out.

Requests from former members

Addresses and telephone numbers may not be given, unless you are quite satisfied that the inquirer is a former member with a reasonable basis for requesting contact. You should tell the person that you will have to check their bona fides; it may be necessary to call them back. Ask them (eg) what subject they studied, and check against the database.

In cases where there is any doubt, or if the person being enquired about has their database record marked 'Secret Info No Calls', inquirers can be invited to write to the person c/o the College, or (if the person proposed to be contacted has an email address known to the College) to email the relevant head of department, asking for the message to be forwarded. No other information should be given out.

Requests from Oxford University and colleges (and academic or sporting Clubs and Societies thereof)

The bona fides of the organisation should always be checked. Requests for addresses but not telephone numbers, and lists based on subject of study (as held in the Subject field on the database), year of attendance, nationality or interests may be complied with.

Requests for lists or information based on other matters, eg family information, details of study area, should be treated with caution, and advice should be sought from the Data Protection Officer (or the Bursar). It may be necessary to inquire of the data subjects' wishes.

Requests from statutory bodies, educational establishments, etc

The bona fides of the organisation should always be checked.

UK

Generally, information sought by UK Government agencies or similar official bodies in the UK, and (where appropriate) by other educational establishments, can be complied with.

Overseas

Requests from overseas governments and organisations should be treated with caution and advice should be sought in each case, as many countries do not comply with the requirements of the UK Data Protection Act. In such cases the consent of the data subject may be necessary.

Requests from outside/unconnected/unknown individuals and organisations

Information should not be given out, nor listings provided.

Inquirers can be invited to write to individuals (if they know their names) c/o the College, or to write to the Data Protection Officer/Bursar stating the reasons for the request and the purposes to which the data will be put. In such cases the consent of the data subject(s) may be necessary, and costs may be incurred and charges made.

Access to data by the 'Data subject'

The 'data subject' is the person about whom the data is held.

Individuals have a right of access to view data about themselves held on file or on computer systems.

Any such requests should be notified to the Data Protection Officer (or the Bursar) immediately.

The response will be that the College requires at least 5 working days' notice to make such arrangements.

During that period the head of department concerned will be required to review the data held, and to check that nothing in that data refers to other data subjects, as the person who has made the request is not entitled to access data about them.

The data subject must be told that the College is entitled to make a charge for this service, and such charge will be at the discretion of the Bursar.

The person requesting the information may be allowed to examine the relevant documents, but must be supervised at all times, and should not be allowed to remove documents.

The person can be provided with copies of documents or data, but the cost of making such copies is chargeable.

If the person requests the removal or updating of any data, such request should be passed on to the Data Protection Officer (or the Bursar) immediately.


Updated and approved by Bursar 18/08/2003

Note: In 2002, there was a change in the way records were flagged on the database. The flag 'Secret Addresses' was changed to 'Secret Info No Calls'. This was to signify to those with access to the database, particularly in the lodge, that calls should not be put through to the persons so flagged.