NB This is the third page of the online version of the SDT Guidance Note Disability disclosure, confidentiality and evidence in a Higher Education context, published in July 2004.

3: Confidentiality, privacy and data protection

In broad outline, there are three aspects of the law which need to be considered where a student discloses to an institution that s/he has an impairment:

  1. The Disability Discrimination Act 1995 (DDA) provides that, where a student discloses to an institution that s/he has an impairment the institution will be deemed to have knowledge of this and will have a duty not to discriminate against the student. Where the student requests that the nature or extent of an impairment or of their disability-related requirements be kept confidential, this can have consequences for both the institution and the student.
  2. The Data Protection Act 1998 (DPA) is concerned with "personal data". This is defined as any information about an identifiable, living individual. The DPA also identifies "sensitive personal data" as a sub-set of "personal data". The DPA lists the types of information that are considered "sensitive personal data" which includes information about "physical and mental health". Information regarding disability is therefore likely to be regarded as sensitive personal data.
  3. The law of confidentiality protects confidential information against disclosure and misuse. Traditionally, the law of confidentiality protected information disclosed within a relationship of trust and confidence such as that between doctor and patient. By contrast, recent developments in the law have laid more emphasis on the nature of the information concerned and rather less upon the pre-existence of a relationship of trust or confidence.

3.1. What are the duties of the institution in the area of confidentiality?

Disability-related information is likely to be by its nature confidential information in the sense that it ought not to be freely divulged without cause. Collected by staff in the course of interactions with the student, such information may be protected by the unspoken expectation that the information will be confidential.

In addition, if a member of staff agrees to a student's request to keep disability-related information confidential, and subsequently discloses such information then, in some circumstances, s/he, or his/her employer, may have to pay damages to the person whose confidence has been broken. It is recommended that, rather than agreeing to keep disability-related information strictly confidential, staff members should make it clear at the beginning of the conversation with an applicant/student that, while they will do their best to hold the information as confidential and deal with it sensitively, they may, in certain circumstances, require to discuss the matter with the head of department or other members of staff. This does not prevent the tutor from agreeing to keep something confidential in a more limited sense. Thus it would be perfectly in order for a student to request, and for the tutor to agree, that some arrangement be made so that fellow-students or other staff are not made unnecessarily aware of the nature of the student's impairment or of specific elements of his or her requirements.

The DDA mentions that confidentiality requests by applicants and students will be taken into account in determining reasonable adjustments. This implies that complying with such a request for confidentiality may sometimes involve making an adjustment which is less satisfactory in some sense than would otherwise be possible. Prudence dictates that the institution should record that discussions took place and perhaps get a confirmation from the student that the adjustment made, if any, was acceptable.

Recommendation for practice (8): Institutional policies should be clear on the confidentiality of student disclosure.

The institution ought to have a well-thought out policy on the confidentiality of disclosures of a sensitive nature made by students to staff, and staff who are likely to discuss such sensitive matters with students ought to be well-versed in their obligations. Such a policy is likely to stress the following points:

  1. Sensitive disclosures should be treated as confidential in the sense that they are not to be discussed or disclosed to anyone without good reason;
  2. If a student makes a disclosure of sensitive information to a member of staff and requests that the member of staff keeps this information confidential, the member of staff should only agree to keep the information confidential to the extent that s/he will not tell anyone else unless s/he has a good reason to do so;
  3. Requests for a strict degree of confidentiality, such that the member of staff is not allowed to discuss the matter with a superior, should be declined. Should a student seek one-sidedly to impose such a requirement on a member of staff, by first making a disclosure and then declaring that she regards what she has disclosed as confidential, the member of staff should point out that s/he will not tell anyone else without good reason but that does not mean that consultation with a superior and further disclosure if necessary is ruled out;
  4. It should be explained to the student that, if information regarding their disability-related requirements is only known by one or a few members of staff as a result of the student's request for confidentiality, certain adjustments which would otherwise be available may not be able to be made;
  5. In any case, all verbal discussions in which a student discloses that s/he has an impairment as well as requests for confidentiality should be noted in writing by staff members and, if at all possible, signed by the student so that a written record exists that the disclosure was made, that the student requested that the disclosure remain confidential and a discussion took place regarding reasonable adjustments - see Section 4 for further information regarding evidence.

3.2. What are the relevant duties of an institution under the Data Protection Act 1998?

The DPA applies only to dealings with recorded personal data (i.e. personal data which is written down). It forbids the improper recording, storage and use of personal data and in particular of sensitive personal data which is at issue in the context of disability. Infringements of the DPA can give rise to civil actions for compensation, in cases where the student has suffered damage.

An institution is expected to take additional precautions when dealing with sensitive personal data because of the nature of such information.

The DPA requires institutions to process personal data and sensitive personal data "fairly and lawfully". In order to process data fairly, the individual must be aware of what information the institution holds about them, what the institution intends to do with such information, and to whom the institution will disclose it to. Therefore, it is essential that, when information about disability is disclosed, the disabled person is told at the time that the information is collected what will be done with this information and to whom it will be passed. If this is not possible at the time of collection, it should be done as soon as is reasonably practicable after receiving the information.

In order to process information about disability fairly and lawfully, certain conditions set out in the DPA require to be met. The most straightforward ground which allows the processing of sensitive personal data is to get the explicit and informed consent of the student. If it is not possible to obtain the explicit and informed consent of the student, there may be other grounds for processing sensitive personal data. These include:

  1. that the institution is processing such information necessary for the exercise of any functions conferred on it under any enactment - i.e. the DDA;
  2. that it is being processed for the purposes of, or in connection with, any legal proceedings (including prospective legal proceedings). This will only be valid where there is a strong possibility of a claim against the institution under the DDA.

Explicit and informed consent is the most straightforward way for an institution to process disability information fairly and lawfully and therefore is the route that institutions should take. If this is not possible and a member of staff feels that they may be processing disability information under one of the other grounds under the DPA, specialist advice should be sought.

Recommendation for practice (9): Institutions should check that their institutions existing DPA Notification is sufficient to cover processing activities. As a requirement of the DPA, an institution has to supply a general description of the nature of the data it holds, the processing taking place and details of the technical and organisational measures taken against (among other things) unlawful processing of personal data to a government office known as the Office of the Information Commissioner. This is known as "Notification". If an institution is processing data which is not covered by its Notification, such processing is likely to contravene the DPA. In most institutions, the systems for meeting the DPA obligations and reporting requirements are administered by specialist staff, and a good deal of thought will already have gone into the matter of how staff should be instructed to deal with sensitive personal information. For present purposes, it is worth checking that academic staff and other staff who work with disabled students are aware of what types of processing are covered in the Notification of their institution.

Recommendation for practice (10): Institutions should review documentation on which the personal information of students is collected. Staff should be aware that sensitive personal data, including data concerning students' impairments, should normally be gathered, stored and used only in such a way as the student has explicitly consented to; such consent needs to be well-informed and should, wherever possible, be secured in writing. Staff should be aware that processing of such data without explicit consent may incur liability for the institution. Therefore, all documentation in which the personal information of a student is collected, such as matriculation forms, applications for accommodation services etc, should be reviewed to ensure they contain a data protection statement explaining what data is being collected, why it is being collected, what it will be used for and whether it will be disclosed to any third parties. Ideally, the documentation should be signed and dated by the student to show his or her consent to such processing.

Document Navigation:

Next page - 4: Evidence.

Previous page - 2: Disclosure.

Start - 1: Introduction.