Skip to content

Here are some examples of work-related situations and how the data protection principles apply.

View all Close all
Scenario 1

You take a call from the mother of a student who is due to graduate the following summer. She asks:

  • whether her daughter will be graduating this year

  • when and where the ceremony is taking place

  • if her daughter’s name is ‘on the list’.


You should not disclose information about a student’s status at the university to anyone, even their parents. A suitable reply would be: “Due to the provisions of the Data Protection Act we can’t disclose any personal data relating to students”. This should also protect the student from, for example, unwanted contact with an estranged parent.

However, if details of the graduation ceremony itself are in the public domain, eg if they are available on the web, then you can refer the mother to the relevant information.

Scenario 2

You receive an unsolicited email/telephone call from an external party asking about sending information to a colleague.


An individual’s status as a member of St George’s, University of London (staff or student) is personal data. Hence you should always be careful to avoid disclosing such information accidentally.

Where there is unsolicited contact from an external party enquiring about a colleague, it is important to neither confirm nor deny that that person works or studies at the university. Instead any information should be forwarded to the intended recipient and it will be their choice whether they then reply or not.

Only in cases where university records indicate that the intended recipient is not, and never has been, a member of staff here is it legitimate to confirm their status. This can be done by returning mail to the sender.
Scenario 3

As a researcher, you have (legitimately) collected a large amount of sensitive personal data. A colleague in a partner institution in the US has shown an interest in your work and has requested a copy of your data on which they wish to base their research proposal.


Unless you explicitly indicated your intention to share the data with this colleague/their institution when the data was originally obtained, you should not provide a copy to anyone else or use it for any other unrelated projects. Data should only be used for the specified purpose(s) for which it was collected in the first place. If you intend to reanalyse the data for a separate but related project you should always inform the data subjects that you will be doing so.

You also need to be careful when transferring data to another country. Information can be sent to countries within the European Economic Area or EEA (the European Union plus Iceland, Lichtenstein and Norway). But it should only be sent outside the EEA if that territory offers adequate safeguards for the protection the data. In the case of the United States it may only be sent to a company or organisation which has signed up to the ‘Safe Harbor’ agreement.
Scenario 4

An unsuccessful candidate for a job requests to see a copy of their references.


Firstly this would most likely constitute a ‘subject access request’ and should be passed to the Data Protection Officer to deal with.

The issue of providing access to references is a tricky one and often involves making a judgement based on the specific situation. Under the Data Protection Act an individual is entitled to request a copy of references given for employment or education purposes. You may need to consider certain issues before releasing part or all of the personal reference, but best practice dictates you should disclose information in a reference to the person it is about if they request it.

NB under the Data Protection Act an individual can only submit this kind of request to the organisation who is in receipt of the reference – they can’t ask the person who wrote the reference in the first place.
Scenario 5

You are contacted by someone who claims to be a stationery supplier to the university. They request a list of all members of staff and their email addresses so they can send them a ‘personalised’ mailshot.


Refuse. Disclosing this information would contravene the Data Protection Act.

If relevant you could suggest that the supplier directs the relevant information to Procurement and asks them to circulate it to all staff on their behalf.
Scenario 6

As part of her part-time MA studies, a member of staff wants to conduct research into past student performance using data collected in previous years by the academic registry.


Members of staff are not entitled to make ‘private’ use of data controlled by the institution.

However, if the information is already in the public domain, eg statistics provided to HESA, then use of certain data may be allowed. Permission should always be sought from the university first.

If you need further help or advice with a data protection query please email data protection.


Find a profileSearch by A-Z