The Higher Education Statistics Agency Limited (HESA) is the body responsible for collecting and disseminating information about higher education in the UK and the Designated Data Body for England (www.hesa.ac.uk/about). HESA is a Controller of your information. HESA’s wholly-owned subsidiary company HESA Services Limited acts as a Processor to do work on behalf of HESA and other organisations described in the notice below, but may also act as a Controller.
Reference to “your provider” refers to the higher education provider which you attend. This notice relates to information about you which will be collected by your provider and passed to HESA and to other organisations as described below.
This notice sets out information about HESA and other controllers of your data, how and why they process your data, the legal bases for this processing, and your rights under data protection legislation. This notice is regularly reviewed and sometimes updated, for example when organisations change their name, or to clarify how your information is used. Updates may be made at any time and you will always find the most up to date version at www.hesa.ac.uk/fpn.
Every year your provider will send some of the information it holds about you to HESA (“your HESA information”). HESA is the official source of data about UK universities, higher education colleges, alternative HE providers, and recognised higher education courses taught at further education institutions in Wales. HESA is a registered charity and operates on a not-for-profit basis.
Your HESA information is used for a variety of purposes by HESA and by third parties as described below. HESA may charge other organisations to whom it provides services and data. Uses of your HESA information may include linking parts of it to other information, as described below. Some information provided to HESA is retained indefinitely for statistical research purposes. Your HESA information will not be used to make automated decisions about you.
All uses of HESA information must comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
HESA is developing a new system for collecting student information called the HESA Data Platform that will go live from the 2019/20 academic year. More information about this programme of work can be found here: www.hesa.ac.uk/innovation/data-futures.
If personal data about you is sent to HESA as part of any pilot of the new HESA Data Platform, it will only be used by HESA, your provider, and higher education funding and regulatory bodies to
Data submitted to HESA by your provider includes details about the course you are studying and any qualifications awarded to you during the academic year. It also includes personal details about you such as your name and date of birth, your prior qualifications, and where you lived before starting your course.
Information about your disability status, ethnicity, sexual orientation, gender reassignment or religion is classed as ‘Special categories of data’ under the GDPR. If your Provider provides this information to HESA it will be included in your HESA information. This information is necessary for monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act 2010 and Section 75 of the Northern Ireland Act 1998. This information will also be processed for statistics and statistical research where this is necessary and in the public interest. Your sensitive information will not be used to make decisions about you.
Some other information is used to enable research into the provision of fair access to higher education, for example information as to whether you are a care leaver. If your provider is in England your HESA information may include details of any financial support you may receive from your higher education provider.
A full list of data items that may be included in your HESA information for the 2018/19 academic year can be found here: www.hesa.ac.uk/collection/c18051/. Please note that not all data items are collected for all students.
Such Organisations may include:
and any successor bodies. Further controllers may be added to the list from time to time – please see the online version of this notice at www.hesa.ac.uk/fpn. Other uses of named data Your HESA information may also be used by some organisations who are also controllers who carry out statistical and research tasks in the public interest or in the exercise of official authority that are not connected with education. Such uses may include the following:
The above list of organisations who may receive your HESA information will be subject to change over time. For example, HESA is seeking to reduce the burden on higher education providers by encouraging other organisations who currently collect information about students direct from higher education providers to collect and receive information through HESA. The above list will be updated on the HESA website at www.hesa.ac.uk/fpn from time to time, and you will need to monitor this link yourself if you wish to be aware of changes.
Legal basis for processing your information for Purpose 1
Processing of your HESA information for Purpose 1 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89). Processing of Special Categories of data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 (See GDPR Article 9(2)(j))
In the exercise of their official authority it may be necessary for the UK higher education funding and regulatory bodies listed in Purpose 1 to use your HESA information which is passed to them for Purpose 1 to identify you and take decisions about you as an individual for the following purposes only:
Fraud detection and prevention – Your HESA information may be used to audit claims to public funding and student finance, and to detect and prevent fraud. This may include sharing your information with other controllers (for example the Student Loans Company, Pearson Education).
Previous study – If your higher education provider is in England: The Office for Students may share your previous education records with this provider, including HESA information submitted by other higher education providers, to determine the nature of any prior higher education study, including your current qualifications. This may be used to make decisions about the fees you are required to pay, the support available to you or the availability of a place for you to study with a higher education provider.
For these purposes your HESA information may be held separately (in addition to being held within datasets for Purpose 1) and retained for as long as necessary for the purposes of detection or prosecution of fraud and any associated legal or audit purposes.
Legal basis for processing your information for Purpose 2Processing of your HESA information for Purpose 2 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR Article 6(1)(e)).
HESA and the other controllers (see Purpose 1) may also supply information to third parties where there is a legitimate interest in doing so for statistical and research purposes. Examples of use for this purpose include:
Users to whom information may be supplied for Purpose 4 include:
Information supplied by HESA to third parties within Purpose 4 is supplied under contracts which require that individuals shall not be identified from the supplied information and this means that they also cannot use it to take decisions about you. A copy of HESA’s current agreement for the supply of information is available at www.hesa.ac.uk/services/custom/data/timescales-costs. Each agreement specifies the duration for which data may be processed. This is usually one year but may be longer if necessary for the specific research purpose. Each request for HESA information under Purpose 4 is assessed for its compliance with data protection legislation and its compatibility with this Collection Notice.
HESA ensures that only the minimum amount of HESA information necessary for the specified research purpose is supplied to users. If the supplied information is to be published HESA’s Rounding Methodology or an equivalent disclosure control must be applied to ensure that individuals cannot be identified from the published material and it does not constitute Personal Data. HESA student information may be linked to school and/or further education college information and supplied to researchers. A copy of the Agreement for the supply of linked data about pupils from schools in England is available at www.gov.uk/government/collections/national-pupil-database. Processing within this Purpose 4 is carried out by HESA, HESA Services Limited, HESA’s wholly-owned subsidiary company. Other controllers (listed under Purpose 1 above) may also process data for this purpose where this is necessary to fulfil their public functions.
Information about teacher training students in England is submitted to the Department for Education (DfE) and the Teaching Regulation Agency (TRA) via HESA.
If you are on an ITT course at a higher education provider in England, HESA will collect additional information about you and provide this to the DfE and TRA. ITT courses are those that lead to Qualified Teacher Status (QTS) or Early Years Teacher Status (EYTS).
The TRA is an executive agency of the Department for Education (DfE) and, for the purposes of the GDPR, DfE and HESA are separate controllers of the ITT record.
DfE will process your personal data in exercise of its official authority, namely the funding, administration and monitoring of ITT schemes in England. DfE will use your data to establish a record on the Initial Teacher Training Data Management System (ITTDMS) and register your course details and subsequent completion.
TRA will process your personal data in the exercise of its official authority, namely the award of QTS and EYTS and the maintenance of the list of teachers in England. TRA will use your data to establish a record on the database of teachers and allocate to you a teacher reference number (TRN). TRA will contact you to provide confirmation of your TRN and any subsequent award of QTS.
DfE and TRA may share personal data with your provider, and where the law allows it or there is a legal requirement for sharing to take place, its partners and contractors for this purpose and may link it to other sourcesof information about you. Partners include employers of teachers, teacher employment agencies, Ofsted, Capita Teachers’ Pensions and other executive agencies of the DfE.
Your contact details may be passed to survey contractors to carry out the National Student Survey (NSS), other surveys of students’ views about their study, and surveys of student finances, on behalf of some of the organisations listed under Purpose 1 above.
After you graduate you may be contacted and asked to complete one or more surveys into the outcomes of higher education and your activities after graduation. These surveys are used to create statistics to meet the public interest in the outcomes of higher education. Information from third parties (such as your parent, or your provider if you’re in further study) might be used to complete sections of the surveys if you can’t be contacted. The surveys may be undertaken by your provider or by an organisation contracted for that purpose.
Your provider will hold your contact details after you graduate in order for you to be contacted to complete the Graduate Outcomes survey. Your contact details will be passed to HESA and the organisation(s) contracted by HESA to assist it to undertake the Graduate Outcomes survey. HESA’s contractors will only use your contact details for the survey and will delete them when the survey is closed. HESA may hold your contact details for further graduate outcomes surveys where these are in the public interest. Your responses to the Graduate Outcomes survey will be made available to your provider, and your provider may choose to add additional questions to the survey for their own use.
Further privacy and data protection information will be provided if you are contacted for any of these surveys. You might also be contacted as part of an audit to check that the survey has been undertaken properly.
Legal basis for processing your information to conduct national surveys
Processing of your information to conduct the student and graduate surveys is necessary for the performance of a
task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR
Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).
You have the right to be informed about how your personal data is used. This Student Collection Notice is regularly reviewed to ensure that it accurately describes how your HESA information is used. This notice may be updated from time to time, for example when new legislation is enacted, or when new policies are implemented by the public authorities listed under Purpose 1. The most up to date version can always be found at www.hesa.ac.uk/fpn.
For further information about data protection, including contact details for HESA and HESA Services’ Data Protection Officer please see www.hesa.ac.uk/dataprot. If you have questions about how your HESA information is used, please contact data.protection@hesa.ac.uk.
Under the GDPR you have the right of access to your personal information and rights to rectify inaccurate information; restrict processing; and object to processing. These rights are limited in certain circumstances by the GDPR and the Data Protection Act 2018 where data is only processed for research or statistical purposes. If you think there is a problem with the way HESA is handling your data, you have the right to complain to the Information Commissioner’s Office: ico.org.uk/.
Your HESA information will only be transferred to countries whose data protection laws have been assessed as adequate by the European Commission, or where adequate safeguards, such as the EU-US Privacy Shield, are in place to protect your HESA information. European Commission decisions on the adequacy of the protection of personal data in third countries are published here: ec.europa.eu/justice/data-protection/internationaltransfers/adequacy/index_en.htm