Data Protection Guidance on International Schemes

CanterburyChristChurchUniversity

Data Protection

Data Protection Guidance on International Schemes

1The Data Protection Act 1998 (‘the 1998 Act’) contains specific provisions with regard to the transfer of personal data to countries outside the European Economic Area (EEA) (the EU Member States, plus Norway, Iceland and Liechtenstein).

2Date ProtectionPrinciple8states "'Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." A number of conditions set out in Schedule 4 qualify this;in particular, personal data is transferable to a country without an adequate level of protection where the data subject has given his consent to the transfer.

3Since Date ProtectionPrinciple8places particular constraints on the transfer of data beyond the EEA, and it is safest for the University to do so only with the explicit consent of the students involved.

4The University offers some schemes with foreign institutions, as well as accepting students from outside the UK. Most schemes and students are based in the EEA, but there are examples of long-standing exchange schemes with the USA, and schemes with the Far East are being offered.

5Formal schemes involve the temporary transfer of students between institutions. For example, American student from Illinois and Missouri study at the University for a semester. During that time, students will take courses and have marks awarded. The University will pass these back to their home institution, possibly with a general reference as to how they performed. In the event thata student runs into academic or personal problems, the University usually alerts their home institution to the situation.

6The arrangements for outgoing students are similar. The University will manage students’ applications to overseas institutions, to ensure that students complete their applications correctly and find an appropriate placement. During the time UK, students are away on exchange, their home institutions will receive reports on any problems they may have encountered. At the end of the year, a student will bring back a transcript of marks that will influence their final degree class. These marks usually have to be “translated” from the grading system of the overseas institution to the grading system of the University, sometimes in a subjective, non-transparent way.

7Data flow is usually between the University and overseas institutions. There are elements of the application forms UK students complete that overseas institutions are likely to be pass to overseas governments.

8There are occasions when overseas exchange students are recruited through agencies based abroad, rather than by overseas institutions. In this case, there will be limited data flow to those agencies. The data transferred and received relates primarily to academic performance, though can sometimes include personal material about the personal problems encountered by students.

9Inevitably, situations arise where students’ parents make contact with the University, trying to get information about their offspring’s performance and personal situation.

10The University should obtain the specific and informed consent of the data subject before transferring personal data to a non-EEA country, that is

• the data subject should be made aware of the risks that the institution may have assessed as being involved in the transfer; and

• the data subject should have given clear consent to the transfer.

11The University should be able to produce clear evidence of the data subject’s consent in any particular case and be able to prove the data subject was informed as required. Consent in writing is recommended, unless there is suitable technological means to ensure authenticated consent can be collected on-line. Where a data subject requests a reference be written and sent to a non-EEA country, the request itself will indicate their consent to the personal data transfer.

12The University should not:

in the absence of a sponsorship arrangement, disclose personal data requested by non-EEA governments, agencies, and organisations for the purposes of assessing the names, numbers and whereabouts of foreign nationals studying overseas, without the specific and informed consent of the data subjects concerned;

disclose personal data requested by non-EEA governments for the purposes of determining liability to attend National Service, without the specific and informed consent of the data subjects concerned.

13To assist the work of the University in relation to international schemes, a Code of Practice has been developed, which should form the basis of dealings involving data transfers that take place to and from countries outside the EEA.

A Model Code of Practice for International Schemes

University departments administering schemes involving students received from outside the EEA, or UK students studying outside the EEA, should:

1. Provide students, whether incoming or outgoing, with written details of all potential overseas data transfers, detailing the type of information and likely recipients. Students should sign a copy of these details to show they have understood, and approve, the implications. For incoming students, this approval process should take place at the registration stage. For outgoing students, it is best for this process to take place during formal application for a place abroad, rather than at the point of first entry into the institution.

1. Ensure, where possible, contractual agreements with overseas institutions include a specific requirement to observe the same confidentiality rules regarding student records as are applied internally

1. Ensure members of staff deal only with overseas institutions through their nominated contacts. All correspondence, whether fax, e-mail or mail, should go to nominated contacts only.

1. Ensure sensitive personal data (including a student’s health, religion and ethnicity) is only transferred overseas with the student’s explicit consent.

1. Where possible, ensure some form of registered mail is used for formal correspondence, so that there is a receipt signed by the nominated contact.

1. Ensure where UK students’ applications to overseas institutions are processed through the University, members of staff dealing with these applications treat all information, which often will include financial and health details, as highly confidential. Disclosure of such information abroad must only take place with the signed consent of the subjects involved.

1. Ensure UK students are clearly informed as to the rules and mechanisms by which any marks received abroad are translated into their UK equivalents. The way marks are translated must be transparent and clearly explained.

1. Ensure where confidential material, such as when overseas institutions provide references or health statements, the providers are aware UK data protection law means subjects will have the right to see these documents.

1. Ensure that, as far as possible, members of staff do not deal with data requests arising from overseas. Such matters should be the responsibility of overseas partner institutions. For example, enquiries from third parties based overseas (government officials, students’ relatives, etc.) should always be answered – if at all – by the overseas partner. The University may issue confirmation of student status certificates, and similar documents, to students on request.

1. Not enter into ad hoc correspondence or discussion with anyone other than institutions contacts and placement agencies.

1. Disclose information to the parents of overseas students, the Home Office, and overseas consulates unless there is the additional explicit consent of the data subject. Where US students need the University to liaise with financial support companies or other organizations based in the USA, consent must be obtained usually in the form of general consent signed by the student.

1. Make cleat that while the University is legally obliged to provide students with details of their own data holdings on receipt of a subject access request, a subject access request cannot also apply to data held by an overseas institution. This is true even where a formal exchange contract exists between the overseas institutions and the University. Students wishing to find out information held about them at their exchange institution must contact that institution directly. Dealing with such a request is not the responsibility of the University.

1. Ensure staff who travel overseas to teach or support schemes are aware they will often effectively engage in the overseas transfer of data, for example, if they travel abroad to attend an examination board and give the opinions of themselves or their colleagues regarding student performance. Staff should be warned to release student information only to properly authorised bodies and to keep all such discussions private.

1. The same principles should apply, where appropriate, where the data subject is a member of staff.

Data Protection Guidance on International SchemesPage1

June 2016