HESA Student Collection Notice

The Higher Education Statistics Agency Limited (HESA) is the body responsible for collecting and disseminating information about higher education in the UK and the Designated Data Body for England (www.hesa.ac.uk/about). HESA is a Controller of your information. HESA’s wholly-owned subsidiary company HESA Services Limited acts as a Processor to do work on behalf of HESA and other organisations described in the notice below, but may also act as a Controller.

Reference to “your provider” refers to the higher education provider which you attend. This notice relates to information about you which will be collected by your provider and passed to HESA and to other organisations as described below.

This notice sets out information about HESA and other controllers of your data, how and why they process your data, the legal bases for this processing, and your rights under data protection legislation. This notice is regularly reviewed and sometimes updated, for example when organisations change their name, or to clarify how your information is used. Updates may be made at any time and you will always find the most up to date version at www.hesa.ac.uk/fpn.

Submission of your information to HESA

Data about you will be supplied to HESA for the purposes set out below. All information is used in compliance with data protection legislation.

Every year your provider will send some of the information it holds about you to HESA (“your HESA information”). HESA is the official source of data about UK universities, higher education colleges, alternative HE providers, and recognised higher education courses taught at further education institutions in Wales. HESA is a registered charity and operates on a not-for-profit basis.

Your HESA information is used for a variety of purposes by HESA and by third parties as described below. HESA may charge other organisations to whom it provides services and data. Uses of your HESA information may include linking parts of it to other information, as described below. Some information provided to HESA is retained indefinitely for statistical research purposes. Your HESA information will not be used to make automated decisions about you.

All uses of HESA information must comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

HESA is developing a new system for collecting student information called the HESA Data Platform that will go live from the 2019/20 academic year. More information about this programme of work can be found here: www.hesa.ac.uk/innovation/data-futures.

If personal data about you is sent to HESA as part of any pilot of the new HESA Data Platform, it will only be used by HESA, your provider, and higher education funding and regulatory bodies to

Categories of information submitted to HESA, including special categories of data

HESA collects data about the personal characteristics of students and information about their studies and qualifications. This might include sensitive details about students’ personal lives used for equality and diversity monitoring.

Data submitted to HESA by your provider includes details about the course you are studying and any qualifications awarded to you during the academic year. It also includes personal details about you such as your name and date of birth, your prior qualifications, and where you lived before starting your course.

Information about your disability status, ethnicity, sexual orientation, gender reassignment or religion is classed as ‘Special categories of data’ under the GDPR. If your Provider provides this information to HESA it will be included in your HESA information. This information is necessary for monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act 2010 and Section 75 of the Northern Ireland Act 1998. This information will also be processed for statistics and statistical research where this is necessary and in the public interest. Your sensitive information will not be used to make decisions about you.

Some other information is used to enable research into the provision of fair access to higher education, for example information as to whether you are a care leaver. If your provider is in England your HESA information may include details of any financial support you may receive from your higher education provider.

A full list of data items that may be included in your HESA information for the 2018/19 academic year can be found here: www.hesa.ac.uk/collection/c18051/. Please note that not all data items are collected for all students.

Purpose 1 – Named data used for public functions

Your HESA information is used by public authorities for their statutory and/or public functions including funding, regulation and policy-making purposes. Your information is provided by reference to your name, but your information will not be used to make decisions about you.

Education statistics and data

HESA shares your HESA information with public authorities who require it to carry out their statutory and/or public functions. This data sharing is carried out in the public interest or in the exercise of official authority vested in HESA and the public authorities. Your HESA information will be shared with these organisations as part of a large dataset which contains similar information about other people who have followed higher education courses in the UK.

These organisations are also controllers of your HESA information. This means that they make their own decisions about how to use it, and this may include publishing statistics and sharing the information with third parties, such as other government or public bodies or other organisations of the type listed elsewhere in this collection notice. However, all uses that they make of your HESA information will be within the purposes set out in this collection notice and covered by data sharing agreements with HESA. These organisations will not use the data for the purposes of identifying you as an individual or to take decisions about you, except as described in Purpose 2 below. These organisations may retain HESA information indefinitely for statistical and research purposes, or for fixed terms depending on the terms of their data-sharing agreements with HESA.

Such Organisations may include:

Department for Education
Department for Business, Energy and Industrial Strategy
Welsh Government
Scottish Government
Department for the Economy
Office for Students
Higher Education Funding Council for Wales
Scottish Further and Higher Education Funding Council
UK Research and Innovation
Education and Skills Funding Agency
Teaching Regulation Agency
National Health Service bodies and organisations working with them e.g. Health Education England
General Medical Council
Quality Assurance Agency for Higher Education
UCAS

and any successor bodies. Further controllers may be added to the list from time to time – please see the online version of this notice at www.hesa.ac.uk/fpn. Other uses of named data Your HESA information may also be used by some organisations who are also controllers who carry out statistical and research tasks in the public interest or in the exercise of official authority that are not connected with education. Such uses may include the following:

Production of statistics in relation to the population of the UK and for statistical research, undertaken by the Office for National Statistics. Further information can be found on the ONS website.
Production of statistics and statistical research undertaken by National Records of Scotland and the Northern Ireland Statistics and Research Agency
Monitoring of public expenditure by the National Audit Office

The above list of organisations who may receive your HESA information will be subject to change over time. For example, HESA is seeking to reduce the burden on higher education providers by encouraging other organisations who currently collect information about students direct from higher education providers to collect and receive information through HESA. The above list will be updated on the HESA website at www.hesa.ac.uk/fpn from time to time, and you will need to monitor this link yourself if you wish to be aware of changes.

Legal basis for processing your information for Purpose 1

Processing of your HESA information for Purpose 1 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89). Processing of Special Categories of data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 (See GDPR Article 9(2)(j))

Purpose 2 - Administrative uses

Your named data may be processed by public authorities for the detection or prosecution of fraud. These uses of your HESA information may result in decisions being made about you.

In the exercise of their official authority it may be necessary for the UK higher education funding and regulatory bodies listed in Purpose 1 to use your HESA information which is passed to them for Purpose 1 to identify you and take decisions about you as an individual for the following purposes only:

Fraud detection and prevention – Your HESA information may be used to audit claims to public funding and student finance, and to detect and prevent fraud. This may include sharing your information with other controllers (for example the Student Loans Company, Pearson Education).

Previous study – If your higher education provider is in England: The Office for Students may share your previous education records with this provider, including HESA information submitted by other higher education providers, to determine the nature of any prior higher education study, including your current qualifications. This may be used to make decisions about the fees you are required to pay, the support available to you or the availability of a place for you to study with a higher education provider.

For these purposes your HESA information may be held separately (in addition to being held within datasets for Purpose 1) and retained for as long as necessary for the purposes of detection or prosecution of fraud and any associated legal or audit purposes.

Legal basis for processing your information for Purpose 2

Processing of your HESA information for Purpose 2 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR Article 6(1)(e)).

Purpose 3 - HESA publications

HESA publishes statistics about students in higher education.

Part of HESA’s role is to produce and publish information about higher education in the public interest. This includes some National Statistics publications (www.statisticsauthority.gov.uk/national-statistician/types-of-officialstatistics) and online business intelligence and research services. When producing this material for publication, HESA applies its disclosure control, the HESA Standard Rounding Methodology, to ensure that no Personal Data is included and that individuals cannot be identified from published material. Processing within this Purpose 3 may also be carried out by HESA Services Limited, HESA’s wholly-owned subsidiary company.

Legal basis for processing your information for Purpose 3

Processing of your HESA information for Purpose 3 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89). Processing of Special Categories of personal data is necessary for statistical and research purposes in accordance with Article 89(1) based on the Equality Act 2010 and Section 75 of the Northern Ireland Act 1998 (See GDPR Article 9(2)(j))

Purpose 4 - Equal opportunity, research, journalism and other processing for statistical and research purposes

HESA information is used for research into higher education and the student population. This research can be academic, commercial, journalistic or for personal reasons. HESA prohibits the identification of individual students by those carrying out this research and information is not shared on a named basis.

HESA and the other controllers (see Purpose 1) may also supply information to third parties where there is a legitimate interest in doing so for statistical and research purposes. Examples of use for this purpose include:

Provision of information to students and prospective students
Equal opportunities monitoring
Research – This may be academic research, commercial research or other statistical research where this is in the public interest
Journalism – Where the relevant publication would be in the public interest e.g. league tables

Users to whom information may be supplied for Purpose 4 include:

Higher education sector bodies
Higher education providers
Academic researchers and students
Commercial organisations (e.g. recruitment firms, housing providers, graduate employers)
Unions
Non-governmental organisations and charities
Local, regional and national government bodies
Journalists

Information supplied by HESA to third parties within Purpose 4 is supplied under contracts which require that individuals shall not be identified from the supplied information and this means that they also cannot use it to take decisions about you. A copy of HESA’s current agreement for the supply of information is available at www.hesa.ac.uk/services/custom/data/timescales-costs. Each agreement specifies the duration for which data may be processed. This is usually one year but may be longer if necessary for the specific research purpose. Each request for HESA information under Purpose 4 is assessed for its compliance with data protection legislation and its compatibility with this Collection Notice.

HESA ensures that only the minimum amount of HESA information necessary for the specified research purpose is supplied to users. If the supplied information is to be published HESA’s Rounding Methodology or an equivalent disclosure control must be applied to ensure that individuals cannot be identified from the published material and it does not constitute Personal Data. HESA student information may be linked to school and/or further education college information and supplied to researchers. A copy of the Agreement for the supply of linked data about pupils from schools in England is available at www.gov.uk/government/collections/national-pupil-database. Processing within this Purpose 4 is carried out by HESA, HESA Services Limited, HESA’s wholly-owned subsidiary company. Other controllers (listed under Purpose 1 above) may also process data for this purpose where this is necessary to fulfil their public functions.

Legal basis for processing your information for Purpose 4

Processing of your HESA information for Purpose 4 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR Article 6(1)(e)). Processing may also be necessary for the purposes of the legitimate interests of HESA in disseminating higher education information, or the legitimate interests of third parties in undertaking research in the field of higher education (See GDPR Article 6(1)(f)). In either case processing of your HESA information is necessary for statistical and research purposes in accordance withGDPR Article 89(1). Processing of Special Categories of personal data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 and Section 75 of the Northern Ireland Act 1998 (See GDPR Article 9(2)(j))

Linking of your HESA information to other information

HESA information is sometimes linked to other data sources to enable more detailed research and analysis.

As indicated above, where HESA and organisations covered by Purpose 1 use HESA information this may include linking named or pseudonymised HESA information to other information for research purposes. Examples include linking to:

National Student Survey data – to place the results of this survey in context
School and Further Education data – to research progression to higher education
Student Loans Company data – to research the use of student finance
Qualification awarding bodies data – to research the value and outcomes of qualifications
Employment, tax, and benefits data – to research the earnings of graduates and to better understand the outcomes of education (Guidance on the use of HESA records matched to tax, benefits and employment data is available at: www.gov.uk/government/publications/longitudinal-education-outcomes-study-how-weuse-and-share-data)
UCAS data – to understand entry rates to higher education
If you are a medical student your HESA information may be included in the UKMED research database (www.ukmed.ac.uk). The General Medical Council is the controller for this database used for researching doctors’ progression through their education and training.

Where HESA provides information from your HESA information to third parties under Purpose 4, the permitted uses of the information by a third party may include linking HESA information to other information held by the third party. Permission for such use is considered on a case by case basis. It is only given where the linking is for the purposes outlined in Purpose 4 and subject to the requirement not to carry out linking to identify individuals.

Destinations information for schools and colleges – If you attended a school or college in England or Wales linked data may be disclosed to the last school or college you attended (or its successor body) and to Ofsted orEstyn in the exercise of their official authority to enable them to assess the outcomes of secondary education.

The HESA Initial Teacher Training record (“ITT”)

Information about teacher training students in England is submitted to the Department for Education (DfE) and the Teaching Regulation Agency (TRA) via HESA.

If you are on an ITT course at a higher education provider in England, HESA will collect additional information about you and provide this to the DfE and TRA. ITT courses are those that lead to Qualified Teacher Status (QTS) or Early Years Teacher Status (EYTS).

The TRA is an executive agency of the Department for Education (DfE) and, for the purposes of the GDPR, DfE and HESA are separate controllers of the ITT record.

DfE will process your personal data in exercise of its official authority, namely the funding, administration and monitoring of ITT schemes in England. DfE will use your data to establish a record on the Initial Teacher Training Data Management System (ITTDMS) and register your course details and subsequent completion.

TRA will process your personal data in the exercise of its official authority, namely the award of QTS and EYTS and the maintenance of the list of teachers in England. TRA will use your data to establish a record on the database of teachers and allocate to you a teacher reference number (TRN). TRA will contact you to provide confirmation of your TRN and any subsequent award of QTS.

DfE and TRA may share personal data with your provider, and where the law allows it or there is a legal requirement for sharing to take place, its partners and contractors for this purpose and may link it to other sourcesof information about you. Partners include employers of teachers, teacher employment agencies, Ofsted, Capita Teachers’ Pensions and other executive agencies of the DfE.

Student and leaver surveys

You may be asked to provide information about your experience as a student and your activities after you graduate as part of national surveys.

Your contact details may be passed to survey contractors to carry out the National Student Survey (NSS), other surveys of students’ views about their study, and surveys of student finances, on behalf of some of the organisations listed under Purpose 1 above.

After you graduate you may be contacted and asked to complete one or more surveys into the outcomes of higher education and your activities after graduation. These surveys are used to create statistics to meet the public interest in the outcomes of higher education. Information from third parties (such as your parent, or your provider if you’re in further study) might be used to complete sections of the surveys if you can’t be contacted. The surveys may be undertaken by your provider or by an organisation contracted for that purpose.

Your provider will hold your contact details after you graduate in order for you to be contacted to complete the Graduate Outcomes survey. Your contact details will be passed to HESA and the organisation(s) contracted by HESA to assist it to undertake the Graduate Outcomes survey. HESA’s contractors will only use your contact details for the survey and will delete them when the survey is closed. HESA may hold your contact details for further graduate outcomes surveys where these are in the public interest. Your responses to the Graduate Outcomes survey will be made available to your provider, and your provider may choose to add additional questions to the survey for their own use.

Further privacy and data protection information will be provided if you are contacted for any of these surveys. You might also be contacted as part of an audit to check that the survey has been undertaken properly.

Legal basis for processing your information to conduct national surveys

Processing of your information to conduct the student and graduate surveys is necessary for the performance of a
task carried out in the public interest or in the exercise of official authority vested in the Controller (See GDPR
Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).

Your rights

Data protection legislation gives you rights over your personal data. These include rights to know what information is processed about you and how it is processed. These rights have to be met by HESA and any other organisation which takes decisions about how or why your information is processed.

You have the right to be informed about how your personal data is used. This Student Collection Notice is regularly reviewed to ensure that it accurately describes how your HESA information is used. This notice may be updated from time to time, for example when new legislation is enacted, or when new policies are implemented by the public authorities listed under Purpose 1. The most up to date version can always be found at www.hesa.ac.uk/fpn.

For further information about data protection, including contact details for HESA and HESA Services’ Data Protection Officer please see www.hesa.ac.uk/dataprot. If you have questions about how your HESA information is used, please contact data.protection@hesa.ac.uk.

Under the GDPR you have the right of access to your personal information and rights to rectify inaccurate information; restrict processing; and object to processing. These rights are limited in certain circumstances by the GDPR and the Data Protection Act 2018 where data is only processed for research or statistical purposes. If you think there is a problem with the way HESA is handling your data, you have the right to complain to the Information Commissioner’s Office: ico.org.uk/.

Data transfers to other countries

Your HESA information may be transferred to countries outside the European Union for the purposes described above.

Your HESA information will only be transferred to countries whose data protection laws have been assessed as adequate by the European Commission, or where adequate safeguards, such as the EU-US Privacy Shield, are in place to protect your HESA information. European Commission decisions on the adequacy of the protection of personal data in third countries are published here: ec.europa.eu/justice/data-protection/internationaltransfers/adequacy/index_en.htm