The Student Services Confidentiality, Privacy and Information Sharing Policy (2026–2029) details how we handle student data within Student Services. If you have questions about anything in this policy, please see section 15, 'Who to Contact with Concerns'.
1. Introduction
Student Support Services at Oxford Brookes University is committed to the highest standards of ethical and professional practice. Staff adhere to:
- Relevant professional body frameworks (including BACP for counselling staff)
- University regulations and policies
- Statutory and legal obligations, including UK Data Protection Law and the Equality Act 2010
All staff complete mandatory training in confidentiality and data protection, and breaches may result in University or professional standards sanctions.
This unified policy covers all services within Student Services, including:
- Counselling
- Inclusive Support Advice (including disability, long-term physical and mental health condition, and SpLD support)
- Specialist Tutoring and Mentoring
- Student Welfare and Support Advice
- Student Support Coordinators
- International Student Advice Team
- Student Central Advice Team
- Financial Aid
- Attendance and Engagement Team
- Multifaith Chaplaincy
- Induction Team
- Sport Psychology and Welfare
- Complex Cases Team
- Any associated wellbeing or academic support roles
Individual services may provide adapted versions of this policy tailored to their professional requirements.
2. Working as a Multi-Disciplinary Team
Student Services operates as a multi-disciplinary team to ensure that students receive coordinated, high-quality and effective support. We hold data about you in shared case management systems that staff in teams across Student Services have access to.
You may choose to limit internal information sharing; however, this may affect the level of support we can provide. Even if you restrict sharing, exceptions to confidentiality (see Section 6) will always apply.
Support Staff may discuss their work in professional supervision; supervisors are bound by the same confidentiality standards.
3. General Confidentiality Commitment
Information you share with Student Support Services is held confidentially. We will not disclose:
- that you have attended an appointment,
- details of your discussions,
- or special category (sensitive) data
to anyone outside Student Support Services without your consent, except in the exceptional circumstances listed in section 6 below.
4. Legal Basis for Processing Your Data
Depending on the service and the situation, for each purpose we identify and document the relevant lawful basis under Article 6 UK GDPR. Where we process special category data, we also identify a condition under Article 9 UK GDPR (and, where required, a Data Protection Act 2018 Schedule 1 condition).
Article 6 lawful bases:
- Consent – you have given specific permission for your data to be used (you can withdraw consent at any time).
- Contract – processing is necessary to fulfil our obligations under your student contract.
- Legitimate interests – we process data to pursue organisational interests and we carry out a legitimate interests assessment (purpose, necessity and balancing test).
- Vital interests – data may be shared to protect your life or someone else’s.
- Legal obligation – where required by law.
5. Record-keeping
- Staff keep brief, secure notes as required for professional, ethical, and service-quality and service-delivery purposes.
- Records are stored securely in accordance with UK Data Protection Law.
- Data is stored on secure case management systems (ServiceNow and PCMIS), which have been quality assured by the University Information Security Team.
- No details of support interactions appear on your academic record.
6. Data Sharing Within Student Support Services
We may share relevant information among the internal support services listed above when:
- It helps coordinate your support
- It enhances the effectiveness of the service
- It prevents duplication of effort
- It ensures a safe, consistent, connected response
Sharing is always done on a need-to-know basis.
7. Data Sharing With Other University Departments
We may share information with other University teams where necessary to:
- Provide you with appropriate support
- Meet legal or safeguarding obligations
- Deliver agreed adjustments (for example via your Inclusive Support Plan)
- Support you to engage with university processes such as conduct, Support to Study, etc.
We will never share data about immigration advice outside of the International Student Advice Team.
Once your information has been shared with third parties in accordance with this notice, we cannot fully control how they use, manage or process it. However, we will take appropriate steps to ensure information is shared lawfully and with appropriate safeguards (for example, through internal governance arrangements and/or data sharing agreements where required).
8. Exceptional Circumstances Requiring Disclosure Without Consent
We may disclose information without your permission if we believe disclosure is necessary and proportionate, and one of the circumstances below applies.
Risk of Harm
If we believe you or someone else is at serious risk of harm, we may share information with:
- University staff
- Emergency services
- Your GP or external mental health teams
- Your emergency contact
Where possible, we will discuss this with you first, but in urgent cases, or in situations where we are unable to make contact with you, we may need to act without consent.
Legal Obligations
We must disclose information if withholding it could place the University or an individual staff member at risk of legal action, for example where:
- Criminal activity is disclosed
- Information relates to acts of terrorism
- We are required to comply with court instructions
All decisions to override confidentiality are authorised by a senior member of staff. Only essential information is shared, and all disclosures are documented within your record, which you are entitled to view in accordance with UK Data Protection Law. We share only the minimum necessary information.
9. What Personal Data We Collect
We may collect:
- Personal data (for example your contact details, details of appointments, and records of interactions with Student Services).
- Special category data (where relevant), including personal data revealing:
  - Racial/ethnic background
  - Religious or philosophical beliefs
  - Political opinions
  - Trade union membership
  - Health or mental health information (including disability-related information and SpLD where relevant)
  - Sexual life or orientation
We may collect and process personal data about criminal allegations, proceedings, convictions or related security measures only where we have identified an Article 6 lawful basis and the processing meets the requirements of Article 10 UK GDPR (for example, because it is authorised by domestic law and we meet an applicable Data Protection Act 2018 Schedule 1 condition with appropriate safeguards).
Further information about the lawful bases and conditions we rely on is set out in the “Legal Basis for Processing Your Data” section above.
10. Sharing Data With External Organisations
We may share data with external bodies when legally required, contractually necessary, or essential to providing support. Depending on your circumstances, this may include:
- NHS services, GPs and mental health teams
- Student Loans Company or other funding bodies
- Disabled Students' Allowances contractors such as providers of Needs Assessments, support and Assistive Technology (e.g., StudyTech)
- Government or statutory bodies (e.g., the Higher Education Statistics Agency)
- Software (including Assistive Technology) and system providers used by the University (e.g., ServiceNow)
- External welfare or emergency services
- Assessment providers (e.g., Dyslexia/SpLD assessors)
- Internal University Faculties and Directorates
Data is shared only on a need-to-know basis.
11. Transfers of Data Outside the UK
Data may be transferred outside the UK when:
- You access medical or wellbeing services abroad
- You participate in placements, field trips or study abroad
- ServiceNow stores or processes data through international affiliates
- International data hosting is required for service provision
Where transfers outside the UK occur, the University will ensure an appropriate transfer safeguard is in place in line with UK data protection law.
Student Support Services do not transfer counselling records outside the UK.
12. Your Rights Under UK Data Protection Law
You have the right to:
- be informed
- access your personal data
- correct inaccurate data
- request the deletion of your data
- restrict processing
- data portability
- object to processing
- exercise rights relating to automated decision-making and profiling.
Your rights may depend on the legal basis used for processing.
13. Withholding or Withdrawing Consent
You may withdraw consent for data processing at any time. However, doing so may limit the support services we can provide or delay reasonable adjustments. Freelance workers who withdraw consent may no longer be able to provide services to the University.
14. Retention of Data
Data will be retained in accordance with the University's Records Management Policy and service area schedules.
15. Who to Contact with Concerns
- Information Security Management Team (for GDPR queries): info.sec@brookes.ac.uk
- Data Protection Officer: BrookesDPO@brookes.ac.uk
- Information Commissioner’s Office: Visit the ICO website to report concerns about data protection.
If you have questions about this policy or wish to discuss confidentiality before using our services, please contact Student Support Services by email at studentsupportservices@brookes.ac.uk.
