** indicates significant changes made 26/07/02
Most Universities receive thousands of applications throughout the year for courses that they provide.
These applications may come direct from the individuals concerned or, more usually via a third party in
the form of UCAS.
Applications contain personal data and certain items of sensitive personal data (disability statements and
criminal record ‘markers’). References are provided by a third party, usually the head of the applicant’s
school or college. Consent for the institution to process these data is explicitly indicated on the signed
UCAS form.**Accompanying guidance gives details of purposes for data processing: “To enable
application to be considered by the institutions to which you have applied…. To enable an institution to
which you are admitted to compile its initial student record about you” and details of third parties whom
data may be disclosed including referee and school/college .
Applications are distributed to appropriate admissions tutors across campus for assessment and offers are
then made, or not, to the candidate, usually based on outcome of A-levels (conditional offers).
Emails relating to applications are routinely sent and received to/from departments, to/from UCAS and
to/from applicants. Sometimes ‘confidential’ notes are added to applications by admissions tutors.
Following exam results (clearing) huge volumes of enquiries are received, relating to acceptance of
conditional offers and enquiries from those that did not ‘make the grade’, both from those that had
applied to Lancaster and those that had previously applied elsewhere. Often these enquiries are made by
third parties (commonly parents or teachers). Following offers made via clearing ‘Clearing Entry Forms’
are sent in which must be accepted/rejected by admissions tutors within a short space of time.
After applications have been processed for a given academic year they are usually retained for some time
both to check against future applications from the same data subject and for research/statistical analysis
to monitor various admissions criteria.
Admissions departments also routinely receive thousands of enquiries during the year. A log of such
enquiries may be kept and some department may follow-up enquiries by marketing their courses.
Items of particular relevance from the 1998 Data Protection Act
Schedule 1 Part 1. Principle 1 (fair processing),
Principle 7 (security).
Section 33. Exemption for research data from subject information and non-disclosure provisions
1. Institutions should ensure that:
(i) All incoming applications and associated personal data are securely held within the admissions
department and are also distributed and processed with appropriate security throughout the
institution. There is particular concern to avoid potential damage and distress in cases of loss of
personal data – which may occur particularly when large volumes of applications are received
and processed in a short space of time.
Back-up copies of applications are usually available via UCAS. However, some application
forms may have associated correspondence attached. If it is not feasible for admissions
departments to copy all such data, due to its high volume, it is suggested that, as the minimum-
security requirement, a log be kept of which tutor/department is currently in possession of an
individual admissions form.
(ii) Increased security is required where sensitive data is processed, in particular special needs and
criminal record information (see below).
(iii) Discussions of applications (including via email) should be kept as formal as possible and on a
need to know basis. Those dealing with applications should be aware that any information
retained in connection with the application form could be subject to an access request.
‘Confidential’ notes on application files should be avoided.
2. Application enquiries.
When dealing with enquiries about applications (especially at clearing) suitable checks should be made
to verify that the caller is, or is speaking on behalf of, the applicant concerned:
Suggested confirmation would be full name, date of birth and UCAS Application number (or home
address). It should be made clear to candidates that their personal data cannot be disclosed without this
evidence, and that any person to whom they give these details will be able to make enquiries on their
behalf. These criteria should ideally be notified to applicants by UCAS.
3. General enquiries.
When dealing with general enquiries received throughout the year the data subject should be informed of
any further processing that may take place, e.g. the enquiry is retained on file and/or further information
may be sent out by relevant departments (as the enquirer has a right to object to this).
4. Criminal record information.
Where a criminal record is indicated on the application form, a follow-up letter is often sent out
requesting further details of the conviction and nature of the offence. The applicant should be informed
of how this data will be processed and the types of people to whom it will be disclosed (including if
application is successful).
Information on spent convictions is only required where satisfactory completion of the degree
programme applied for would give automatic right to practice a profession exempted by the
Rehabilitation of Offenders Act 1974 (e.g. teaching, social work). Or where the course involves
unsupervised contact with vulnerable persons and should not be requested otherwise.
The institution may wish to consider whether any data relating to the criminal record need be retained if
the applicant is deemed ‘not a risk’. If this data is retained it should be subject to appropriate security and
access measures not part of a student’s general file.
Most application forms contain references from a third party. Admissions departments, tutors and
referees (via UCAS) should be aware that in the event of a subject access request being made by an
applicant to the institution such references must be released.
6. Retention of applications.
It is suggested that application forms may be reasonably kept in full for 2 years to check against
subsequent applications from the same data subject. If retained for longer for the purpose of statistical
analyses then the details should ideally be anonymised as a security measure. NB Any such future
processing for research/statistical analysis should not take place to support decisions with respect to
particular individuals (Section 33).
Frequently Asked Questions
1. Certain departments/institutions write to applicants to find out why not coming and to suggest
other courses they might like to apply for. Are these feedback questionnaires and marketing
exercises regarded as legitimate purposes of the university admissions process?
Yes this is acceptable on the basis that it could be argued as a legitimate use of personal data by the
institution. However to avoid use of continued direct marketing this should only be done once- unless
students opt-in to further marketing.
2. Admissions departments/tutors/institutions may contact the schools of applicants who have been
made offers in order to i) assist the application process, obtain references etc. and ii) to further
market the institution/departments courses to other students at the school. Is this practice
As applicants are notified by UCAS that schools may receive info regarding their application it could be
argued that this is again a legitimate purpose for such use of personal data by admissions tutors/
** 3. Given the pressure faced by admissions offices during the confirmation of places and clearing
during August/September, how may an institution secure dealings over the phone with admissions
candidates and their agents?
There are several distinct problems when dealing with telephone enquiries during the heat of the
admissions cycle. Firstly, pressure of work means that admissions office wish to keep security checks to
a simple minimum. Secondly, many calls are taken from enquirers who are not the admissions candidate
(i.e. parents and relatives, or head-teachers etc). Finally, as most undergraduate admissions business is
negotiated via UCAS, institutions may not be in a position to warn candidates of their security policy.
Hence, there is no perfect system for ensuring that disclosure is only made to properly authorised
enquirers. The minimum check should be that the enquirer can provide the candidate’s UCAS number,
full name and date of birth or, for non-UCAS candidates, whatever individual identity number has been
given them by the institution, their date of birth, and one other item of corroborating data (perhaps home
postcode or last place of study).
4. UCAS application forms used to indicate, by a tick-box, where a reference given was to be held
‘in confidence’. Though this is no longer an option for the referee some applications have been
received with a clause appended such as “This reference is provided on a personal and
confidential basis and should not be disclosed to the pupil. Clause 7(4) of the Data Protection Act
provides the recipient of the obligation to deny any access request because it would identify the
originator. Any access request should be referred to the above signatory for consideration.” Should
the reference be released in these circumstances?
In the event of a subject access request being made by that pupil/applicant the signatory should be
contacted for permission to release. However, at that time the referee should be informed that the
institutions data protection officer may release the reference without consent if this is deemed to be
‘reasonable in all the circumstances’ and in the majority of cases it would be hard to justify withholding
the whole of such a reference from the data subject.
Request for Criminal Conviction Information
Thank you for your application for admission to …………… University, which is now
receiving serious consideration. On your UCAS form you declared that you have a criminal
conviction and, in order to consider your application further, you are required to provide details
of the conviction and the nature of the offence.
I should, therefore, be grateful if you would send me the information about your offence and
conviction by 15 March 2001. You may be reassured that this information will be kept strictly
confidential and will only be revealed to the University staff directly involved in considering
your application. If your application is successful the data will be accessible only by restricted
members of staff in appropriate positions of authority. If unsuccessful the data will be processed
as in the same manner as other application details (see UCAS information).
Please contact me if you wish to discuss this matter further.