Personal data processed by students
Statement of the Higher Education sector position regarding personal data processed by students.
Students use personal data for three main reasons:
- To maintain a personal life, for example to communicate with family and friends.
- To pursue a course of study with a university, for example to research and write an essay, report or thesis.
- To carry out research as a member of a university established research group.
Students may use many different methods to process personal data, such as maintaining an electronic address book, a computer database, or an email account.
When is a University responsible for the personal data processed by students?
A university is only responsible for personal data when it is the data controller for that data. A data controller is the person who determines the purposes for which and the manner in which any personal data is or is to be processed. Therefore a university is only responsible for the personal data processed by students when students process data for the University's purposes.
The following scenarios are the most likely circumstances in which students will process personal data.
A student processes personal data in the course of his personal life, for example writing an e-mail (using his university provided e-mail account) to his family about a friend's recent birthday.
The University is not the data controller for personal data processed by a student in the course of his personal life, as the University does not determine the purpose of the processing. The fact that the student may choose to use his University provided e-mail account to pursue his personal life does not make the University responsible for the processing of personal data for that purpose. The University did not determine the purpose so the University cannot be the data controller. The student is the data controller and may claim the domestic purposes exemption.
A student processes personal data in order to pursue a course of study with the University; for example, as part of his modern history dissertation /thesis and at the suggestion of his supervisor he interviews individuals who worked in the Land Army in World War II.
The University is not the data controller for personal data processed by a student to pursue a course of study with the University. Students undertake a course of study with a University for their own personal purposes, most obviously to obtain a qualification. The student is not an employee or agent of the University, and neither does he act on behalf of the University. The student decides what work he will do, the way in which he will do it and what he will include in his final write up. He must make these decisions himself in order to prove that he is capable of degree-level work. He works on behalf of himself and not the University. Thus, the University cannot be the data controller for the personal data processed by the student in the course of his studies.
In the example given above the fact that the student was recommended to undertake the interviews by his supervisor does not make the University responsible for the processing of the interviewees' personal data. The role of the supervisor is to advise and teach the student, which includes giving advice on data protection issues as part of the student's training in good research practice, but it was for the student's own purpose that the interviews took place.
A student submits a piece of work (e.g. an essay /report /dissertation /thesis) in which there is personal data, to the University for assessment.
The University is a data controller for the personal data contained within the submitted piece of work from the point at which it is submitted. Once the work has been submitted the University is responsible for processing the personal data within the document for University purposes, for example the member of staff who marks the work is processing the personal data contained within it (by reading it) for the purpose of determining what grade the University should award the student; this is the University's purpose. If the work is then transferred to the University library to be put on reference (for example if it is a Ph.D. thesis) the University is responsible for any processing of the personal data associated with the document being placed on reference as providing a reference service is a University purpose.
A research student processes personal data whilst working for a project led by a University research group.
The University is the data controller for personal data processed by a student working on a research project led by a university research group if the student only processes personal data in accordance with instructions given by their supervisor. The student processes personal data for the purposes laid down by the project, the remit of which has been decided by the University (or the University employed project leader), not the student. The student may contribute ideas about the purposes for processing the personal data but if they have no authority to take those ideas forward without University approval they have not determined the purpose of the processing. The purposes for processing are the University's and not the student's; therefore the University is the data controller and the student is an agent of the University. This is the case whether the student is funded by the research project or whether the student is self-funding.
A research student processes personal data whist collaborating on a project led by a University research group.
The University and the student will be joint data controllers if they discuss and jointly agree the purposes for which the personal data are processed. If the student has no choice but to accept the University's view, the University of the sole data controller.
The University is the data controller for personal data processed by students only in very limited circumstances as described in scenarios 3 and 4; in all other circumstances students process data for their own purposes and not the University's. Normally only postgraduate research students would process personal data in the circumstances outlined in scenario 4. But not all postgraduate research would fall under scenario 4; in many cases the postgraduate himself determines the scope of his research, where this is the case the processing is like that described in scenario 2.
About this guidance
Author: Anne Gryzbowski