Data Protection and Information Management Guide for College Mentors
In your role as a college mentor you are likely to create, send or receive information about the University’s students. This information is subject to the Data Protection Act and this guide will help you to ensure that you are aware of your obligations with regard to this legislation and help you to manage the information well.
All college mentors who hold student information must complete the University’s online Data Protection, Freedom of Information, Records Management and Information Security training course.
Further details will be provided by your college.
The Data Protection Act applies to personal data. Personal data can be factual data about an individual (such as name, address or phone number), details of where an individual was/will be at a certain time, opinions about an individual or a photograph in which an individual can be identified. Sensitive personal data is data about racial/ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or the commission/alleged commission of an offence and any related proceedings. Although all personal data should be held securely, there are even stricter requirements for the careful management of sensitive personal data.
The following are examples of documents that you may hold and that may contain personal, or sensitive personal, data about students:
- Emails (and attachments) that you have sent or received about students, including any from the college (or students directly) providing student contact details
- Handwritten notes that you have made about students, such as following a meeting with them
- Copies of forms that you have completed about students at the request of the college
Please note that if you are an employee of the University and have been provided with access to corporate information systems (such as the Banner database) or college/department student information for the purpose of your employment, you should not be using this access to acquire information about your mentees.
The information you require for your role as a college mentor should be provided by the college and directly from your mentees only.
In order to help yourself, and the University, to comply with the Data Protection Act, please take the following steps:
Students must be told what you are going to do with their personal data before you do it
For example, if a student declares to you that they have a disability or health issue, you must inform them if you intend to disclose this information to the college or the University’s disability service.
Personal data, and especially sensitive personal data, must be kept physically secure
You must ensure that personal data cannot be accessed by anyone without appropriate authority to do so. This includes family, friends, colleagues or any third party. Simple steps to help achieve this include ensuring that:
- You use an email account for your mentoring role to which only you have access. This should preferably be a Durham University account
- Passwords are used where relevant to prevent access to electronic documents
- Your PC or mobile computing device (smartphone, iPad) is locked when not in use
- Paper documents are kept locked away
Personal data must be kept confidential
Confidential matters must not be discussed with anyone unless there is a clear and justifiable requirement to do so. No third party (and this includes the police, the council and the UK Border Agency) has a right to demand access to personal data without appropriate conditions being met in writing. Any such request for access should be passed to the college. In a life or death situation it is permissible to pass personal data to a third party without seeking to meet certain conditions, but in all cases an immediate attempt should be made to seek advice from the college first.
Any references you provide for students in your role as a college mentor should be personal character references only and should not discuss issues relating to the University. You should not write personal references on University headed paper or send them to prospective employers from a University email account.
If you are asked to provide a corporate reference on behalf of the University, you should refer the request to the college.
Personal data must not be held longer than necessary
You should only keep information about students for as long as it’s required for your role as a college mentor. Once a student has left the University, you should pass to the college any factual information you hold about the student, such as contact details.
All other information must be destroyed. Paper documents should be shredded. Electronic documents should be deleted.
When your role as a college mentor ends, you must do the above for all students that you have mentored.
Individuals, including students, have the right to request formally a copy of the information you hold about them in your role as a college mentor
The University must respond to such a request within 40 calendar days. It’s therefore very important that, should you receive such a request directly from a student, you forward the request to the college immediately. Similarly, it is important that, if you are asked by the college or the University’s Information Governance Unit to provide information that you hold about a student, you do so immediately.
You should not provide information directly to the individual. The Information Governance Unit will check the information before release as in some circumstances we may lawfully withhold all or part of it. In some circumstances it may also be more appropriate for the information to be handed over in person by the college if the student is likely to require support.
You can help yourself and the University to comply with the Data Protection Act by managing information well. Good practice includes:
- Creating and/or holding only that information about students that is necessary for you to perform your role as a college mentor, and no more
- Ensuring that the information you create is accurate and can be defended if the individual should ask to see it
- Ensuring that you use appropriate tone and language in your communications with (or about) students
- Keeping information (paper and electronic) secure and away from unauthorised access
- Keeping information only as long as necessary
In the first instance, please refer to your college for advice.
Further information about the Data Protection Act can be accessed via the links on the left-hand side of this page.