Most Universities receive thousands of applications throughout the year for postgraduate courses. In most
cases, these applications are made directly by the individual concerned. However, there are cases when
applications are sent to UK institutions by agents, usually based overseas, who are acting on behalf of
Applications contain personal data and may contain certain items of sensitive personal data (disability
statements and, according to local institutional policy, criminal record ‘markers’). Applications also
include references that are provided by a third parties – typically academics in other institutions (home
and overseas)and may also include paperwork from potential sponsors.
Application paperwork will often be distributed between academic departments and central offices, and
multiple copies may be disseminated to ease the decision-making process. Inevitably, emails relating to
applications are routinely sent and received between admissions tutors, admissions officers and the
Postgraduate admissions operations do not face the rush of activity following exam results that affects
undergraduate admissions operations, when applicants’ places are confirmed or denied. However, there is
still a lot of last-minute business, and admissions offices do face telephone and email enquiries made by
third parties (for example, overseas agents or new students’ parents).
Admissions offices also assist in applications for funding for postgraduate applicants, e.g. completing
forms for career development loans.
After applications have been processed for a given academic year they are usually retained for some time
both to check against future applications from the same data subject and for research/statistical analysis to
monitor admissions performance. Some Universities also retain applications paperwork provided by
admitted students as the basis for their student files.
Due to the nature of the postgraduate market, most Universities participate in promotional events at which
their representatives can meet with potential postgraduate students. A good number of these events are
held abroad, frequently outside the EU. Many institutions keep detailed enquiry logs that are maintained to
allow them to market their courses to potential students.
Items of particular relevance from the 1998 Data Protection Act
Schedule 1 Part 1. Principle 1 (fair processing)
Principle 3 (data to be adequate, relevant, not excessive)
Principle 4 (data to be accurate and up to date).
Principle 7 (security).
Principle 8 (data transfer overseas)
Section 28. Exemption relating to data processed for the prevention of crime
Section 33. Exemption for research data from subject information and non-disclosure provisions
1. Institutions should ensure that:
i) All incoming applications and associated personal data are securely held within the receiving Formatted: Bullets and Numbering
department / admissions office, and are also distributed and processed with appropriate security
throughout the institution. There is particular concern to avoid potential damage and distress in cases of
loss of personal data – which may occur particularly when large volumes of applications are received and
processed in a short space of time. Whilst keeping back-up copies of all applications in a secure location
may be practically impossible, it is recommended that a log be kept of which tutor/department is currently
in possession of an individual admissions form.
ii) Paperand email-based discussions concerning applications should be kept as formal as possible and
distributed on a need to know basis. Those dealing with applications should be aware that any information
retained in connection with the application form could be subject to an access request. ‘Confidential’ notes
on application files should be avoided, and all staff should be made aware that such notes would be
available to the applicant should a subject access request be made.
iii) When staff are dealing with enquiries from potential students those enquirers should be informed of
any further processing that may take place. For example, that the enquiry will be retained on file, that the
enquirer’s details will be passed to relevant academic department(s) and, where applicable, that the data
will be used for marketing purposes (to which the enquirer has a right to object- see Recruitment &
Marketing). Institutions are advised to include a statement to this effect in any advertising literature they
produce. This includes material handed out at recruitment fairs, as well as prospectuses and websites
(particularly those that allow enquirers to log their details directly with an institution). Where staff
respond to specific requests or questions raised by enquirers, their responses should include a standard
institutional statement as to any likely processing.
iv) Where applicants’records are retained for the purposes of statistical research, then these records should
be anonymised as a security measure (see ‘Research’ guidelines).
v)If application papers are used as the basis of new entrants’ paper files, the papers that are included in the
new file are genuinely relevant (for example, incidental correspondence about accommodation, etc are
unlikely to be ‘relevant’ to the purpose of keeping the record and arguably would contravene Principle 3).
vi)Information is only disclosed to new entrants’ sponsors in cases where they have clear documentary
evidence of a contractual relationship between the new entrant and the sponsor (see also ‘Sponsors’
discussion paper and ‘Third Party Disclosure’ guidelines).
2. Agencies exist that can provide significant assistance to overseas applicants (arranging VISAs, advising
on course options etc). Whatever benefits such agencies offer to potential students, institutions cannot
release applicants’ details to them unless they have the explicit consent of those applicants. Consent is
required in these cases to answer the requirements of Principle 8 (which constraints the circumstances in
which data may be transferred ouside the EEA), and Principle 1, as it may be regarded as unfair to release
to third parties in this way without consent.
Where overseas agents send in personal data on behalf of applicants they should ensure that they have the
explicit consent of the data subject to do so. Without this the institution must not process the data
3. Most application forms contain references from a third party. Institutions should consider ways in
which they can alert referees to the fact that, in the event of a subject access request being made by an
applicant to the institution, references may be released (see References). One way to achieve this would be
to utilise standard reference forms (including a DP statement aimed at the referee) in all application packs.
4. Some institutions require applicants to state whether they have a criminal record. Where a criminal
record is indicated on the application form, a follow-up letter may be sent out requesting further details of
the conviction and nature of the offence. The applicant should be informed of how this data will be
processed and the types of people to whom it will be disclosed (including any disclosures arising after
confirmation that the application has been successful).
NB Information on spent convictions should only be requested where satisfactory completion of the
degree programme applied for would give automatic right to practice a profession exempted by the
Rehabilitation of Offenders Act 1974 (e.g. teaching, social work) or where the course involves
unsupervised contact with vulnerable persons.
The institution may wish to consider whether any data relating to the criminal record need be retained if
the applicant is deemed ‘not a risk’. If these data are retained they should be subject to appropriately strict
security and access measures and should not be part of a student’s general file.
Admissions staff should note that an applicant may object to this requirement under the terms of the
Human Rights Act. In such cases, institutions are advised to seek legal advice before insisting that the
applicant answer the request.
5. Where institutions complete Career Development Loan applications on behalf on new entrants, this
paperwork should be given back to the entrant for release to the appropriate Bank. Institutions should not
deal directly with banks unless they have the explicit consent of the entrant concerned.
6. Whilst the vast majority of data relating to undergraduate entrants is controlled and released by UCAS,
institutions are nearly always in charge of their own data entry and computer processing for postgraduate
applications. Given that details can change quickly, and that mistakes may be made during the inputting
and maintenance of millions of data items during busy periods of the year, it is recommended that
institutions provide new entrants with printed details of their record on arrival. This provides entrants with
the opportunity to correct any data that may have been input incorrectly or which is now out of date (thus
satisfying Principles 3 & 4). Pre-printed registration forms are often a very effective method of providing
entrants with immediate, effective access to their computer record.
7. Certain institutions participate in a voluntary vetting service managed by the Foreign and
Commonwealth Office (on behalf of MI6), which requires them to release to the FCO the details of
applications from students on certain nationalities to certain academic subjects. Institutions may wish to
claim that such releases are permitted under the exemptions pertaining to data processed for the purposes
of National security (Section 28). However, in such instances this processing must be certified by a
Minister and should not proceed without such certification.
It could also be argued that such processing is carried out for the prevention of crime (Section 29).
However, without evidence of the likelihood of the data subject being involved in crime, justification for
this, and hence participation in the scheme, is highly questionable.