Disability Services - Confidentiality Statement and Privacy Notice

Disability Services provides a confidential service for all service users. While the information shared with Disability Services is generally treated as confidential upon declaration or contact, there may be exceptional circumstances where confidentiality cannot be guaranteed. These exceptional circumstances for all service users and for Students are clearly outlined below.

In practice, our confidential service for all service users means that:

• Disability Services will disclose information about a service user when it is in their vital interests or when Disability Services are otherwise permitted or required to do so by law.
• When a third party makes a referral to Disability Services, no further information will be provided to the referrer without your knowledge and consent. Disability Services will acknowledge receipt of a referral if requested. Disability Services will process all personal and sensitive data in strict accordance with the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018).
• Disability Services will keep all service user records confidential and will not otherwise allow access without written consent, except in accordance with the limited exceptions described or where otherwise permitted or required to do so by law.
• Disability Services will take all reasonable steps to safeguard the security of any service user information that Disability Services holds in written or electronic form.
• Disability Services will ensure that all statistical information given to third parties (for example, for Service evaluation purposes) is produced in an anonymous format so that service users cannot be identified.
• Disability Services uses an external text messaging service to send out follow-up and appointment reminders based on the mobile number that you have provided to the University.
• Disability Services will destroy all written and electronic staff and external user records that Disability Services holds 6 years after the service user’s last contact with the Service. You can also exercise your right to erasure under the UK GDPR at any time.
• Disability Services records do not form part of staff personnel records.

In practice, our confidential service for University of Dundee students means that:

• Disability Services is committed to maintaining confidentiality while ensuring effective support for students with disabilities. Relevant academic departments and professional services will be notified where you have disclosed a disability or long-term condition as a student. Non-sensitive information related to your disability support needs, such as the date and type of contact (e.g., email, meeting, missed appointment, awaiting an appointment), status (registered, enquiry, ongoing support, awaiting response), and your support plan, will be shared as standard.
• Disability Services will contact Academic Schools, Professional Services, or other support external to the University, on your behalf, and will only provide the minimum information necessary to enable appropriate support to be put in place. This typically includes adjustments required, information to facilitate effective support, and contact details.
• Students can opt-out of sharing their information with relevant others at any point; however, choosing to do so will limit the support that can be provided.
• Disability Services will follow the University’s safeguarding process, sharing pertinent information to safeguard student wellbeing and fulfil the University’s duty of care responsibilities.
• Disability Services will refer students to the University’s safeguarding process to share information and discuss students of concern who are or may need to access multiple support departments to ensure wellbeing and fulfil the University’s duty of care responsibilities.
• Disability Services will destroy all written and electronic student records that Disability Services holds 6 years after the end of the Academic Year in which you leave the University. You can also exercise your right to erasure under the UK GDPR at any time. However, the erasure of your data whilst you are still an active student may prevent Disability Services from being able to offer any level of support.
• Disability Services records do not form part of a student’s academic record.

Personal data and sensitive (special categories) of personal data

The personal data and special categories of personal data processed by Disability Services will vary according to the service user and the support required. However, general biographical information such as your name, address, university ID number, date of birth, telephone numbers, address, email address(es), GP details etc. will form the basis of your record, as well as diagnostic evidence confirming the nature of your disability.

Special categories of personal data specific to your disability and support needs will also be required.

Data controller

The data controller for personal data used in this support service is normally the University of Dundee.

Data will be processed using the University’s business systems. The University has contracts with cloud service providers to safeguard your data.

Your data may be shared with other nominated support providers such as NHS Tayside, your GP or external agencies and individuals providing disability support services contracted by the University. This will be discussed with you on a case-by-case basis.

Information on adjustments required concerning your individual disability-related needs will normally be provided to University Schools and Services to enable the provision of support. This will be discussed with you on a case-by-case basis.

Lawful processing

The lawful grounds for processing personal data within this service are normally:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes
• processing is necessary for compliance with a legal obligation to which the controller is subject
• processing is necessary to protect the vital interests of the data subject or of another natural person
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The lawful grounds for processing special categories of personal data within this service are normally:

• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in Article 9(1) UK GDPR may not be lifted by the data subject;
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
• processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
• processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9(3) UK GDPR.

Where processing falls out-with the normal course of business the University may, from time to time, seek your consent to process special categories of personal data for one or more specific purposes.

The University may choose to identify one or more bases for lawful processing in relation to specific activities in this domain. Please see the University website for more information:

• Data protection at the University of Dundee

Your rights

The University respects your rights and preferences in relation to your data. If you wish to update, access, erase, limit or complain about the use of your information, please let us know by emailing dataprotection@dundee.ac.uk. You may also wish to contact the Information Commissioner’s Office.

Changes to our privacy notice

If you have any questions about our privacy notice, please contact the Data Protection Officer on dataprotection@dundee.ac.uk or by post at University of Dundee, Nethergate, Dundee, DD1 4HN.