Those of you who will be at the SROC event in Huddersfield next Thursday should
look away now, as what follows below is largely what I'll be saying there, too.
As part of the HEFCE-funded DP project here at Lancaster, we have been looking
at the issue of archived records. This issue was discussed yesterday with Phil
Boyd and Peter Bloomfield at Wilmslow, and the following main points were
covered -
(i) There is nothing wrong per se with going on a file filleting exercise,
though extreme care should be taken not to destroy anything that might later be
required to prove the nature and outcome of a former student's time at your
institution (e.g shredding all record of the marks they got for their
individual modules is foolish, as is retaining a name but destroying all other
personal details - date of birth, in particular - thus making it difficult, at
a later date, to conclusively establish someone's identity).
(ii) However, the OPDC compliance unit recognises that is will be practically
impossible for most institutions to go through their archives and remove
unneccesary information. They are pretty sanguine about this - after all,
archives are pretty inert things, used only occasionally to confirm the
qualifications of a former student, or for internal performance analysis, so
the chances of archive records infringing the rights of data subjects is very
small. Insititutions may additionally consider this point - we all know that
there will be, in various files, potentially defamatory material about former
students (ditto staff in personnel archives) - but the chances of any one
former employee or student coming back to demand subject access if small, so
the risk involved in continuing to hold your archive is also small (in answer
to Lisa's question - I don't see why keeping an address should particularly
challenge subject's rights or the act's principles - yes, it will quickly be
out of date, but this is an archive, so that's inevitable, and its unlikely to
be used in any further processing).
(iii) Having said that, the compliance guys were keen to stress that, as of
now, institutions should review their archiving policy and adopt practices that
meet not only Principle one but, particularly, Principles three and four (data
should be adequate, relevant, not excessive, accurate).
(iv) The section below titled "Student Archives" is an excerpt from my
suggested code regarding how institutions should approach the issue of student
archives (personnel archives may raise slightly different issues). Can I stress
that the Lancaster project is still young and this sort of material is very
much "work in progress" - if you have suggestions concerning form or content,
please pass them to me, but please don't shoot me down in flames because these
guidelines are constantly evolving and I'm happy to make changes where
justified.
Hope this helps
Andrew Okey
Lancaster Data Protection Project
Student archives
All institutions will hold archival records concerning former students. These
will vary widely in both the level of detail held, and the format in which they
are held. In many institutions, information about former students may be held
in several formats and many locations, including material held on an ad hoc
basis by individual members of staff. Data controllers must apply the
Principles and regulations of the 1998 Data Protection Act not only to
computerised records but also to those held in relevant filing systems (a
phrase that should cover any properly managed archive system). This means that
institutions will need to pay careful attention to the content of archival
records, and will have to take appropriate cognisance of the fact that former
students will be able to see their archive details by exercising their subject
access rights. Institutions also will have to ensure that archive records are
held securely and must guard against loss of, or damage to, these records.
Principle Three, that requires that data should be adequate, relevant and not
excessive to its purpose, might be used to challenge the content of many
University archives.
(i) When creating and managing archived records, institutions should:
* Consider drawing together all non-computerised records relating to a student
at their point of departure, for storage in a single archive. This will assist
the institution in responding to subject access requests and may also help
ensure that an institution does not keep multiple records about a student which
are internally contradictory (a situation which would fall foul of Principle
Four, which requires that data be accurate). Staff should be given guidance on
the keeping of records, and discouraged from keeping "private" archives,
whatever their content.
* Consider a two-stage archiving process. In the first instance, a full student
record should be retained for as long as the institution allows students to
appeal against, or query, their final outcome (many institutions set the length
of this period as one year, though there is no time-span specified in law).
Once that period has elapsed, the record should be reduced to its minimum
amount: i.e. enough material to confirm the student's personal details, marks
and degree class (and, if relevant, the process that led to that outcome). All
other materials should be destroyed, as arguably they are excessive and
irrelevant to the intended purpose (see Schedule 1 Principle Three of the Act).
Furthermore, sensitive data should be removed at this stage (though see the
discussion of research information below).
* Ensure that if archival data is to be kept for research purposes (e.g.
assessing an institution's degree awarding performance) then -
(i) registration materials make plain this purpose to incoming students
(ii) any archival data retained for the purpose of research are anonymised
* Consider moving away from paper and microfiche archives in favour of holding
archive material in more easily accessible ways (particularly computer
databases or electronic document imaging). Some institutions may wish to move
previous archive material to new formats, though this will probably be
impractical for most institutions.
* Whatever the format of archive holdings, consider pruning previous archive
material, though again this will probably be impractical for most institutions.
* Consider whether archive records are properly protected against loss or
destruction, and are secure against accidental disclosure. Properly backed-up
computerised archives are specifically recommended because disaster recovery is
relatively simply. If paper archives are destroyed and an institution can no
longer confirm the degrees of their alumni, they could face action for damages
(see Section 13 of the Act).
* Consider generating a single reference for each student as they depart,
storing these ready for use in their archives. This would mean that, should
minimal archive data be retained, an informed reference can still be provided
to legitimate enquirers.
(ii) It is a primary requirement of the new Act (Schedule 1 Principle 1) that
data controllers inform data subjects about any processing of their data.
Clearly, it is not practical for institutions to contact their former students
and inform them of the fact that archive records are being kept about them.
However, institutions should prepare a statement to this effect which can be
issued if any enquiry is received from a former student or if an enquiry is
received from a third party about that student.
(iii) Many archives will include material submitted to an institution in
confidence before the advent of the 1998 and/or 1984 acts. Faced with a subject
access request, an institution might reasonable refuse access to this material,
on the grounds that it would involve the release of details relating to a third
party (i.e. the originator of the documentation) (Section 7 (4-6)).
Institutions should, however, release this material where it is possible to
simply disguise the identity and personal details of the third party.
> -----Original Message-----
> From: Lisa Strachan [SMTP:[log in to unmask]]
> Sent: 19 January 2001 16:03
> To: [log in to unmask]
> Subject: staff/student files
>
> I too am having to deal with the possibility of weeding out personnel
> files and would appreciate any advice on what people consider
> necessary to remove.
>
> Is even keeping a former member of staff's address for the duration
> of their file's retention an infringement?
>
> Thanks in advance for any help
>
> Lisa
>
>
> Lisa Strachan
> Senior Records Management Assistant
> Dundee University Archives
> Tower Building
> Nethergate
> Dundee DD1 4HN
> Scotland
>
> tel: +44 [0]1382 344095/345615
> [log in to unmask]
|