(Version 5.0, April 2012)
This guidance has been drawn together by HESA and aims to provide more information about the effect of Data Protection legislation on the processing of Student and Staff data by HESA. It is not intended as a guide to the Data Protection Act 1998 (DPA1998).
HESA is the official agency for the collection, analysis and dissemination of quantitative information about higher education in the UK.
HESA collects information from higher education institutions (HEIs) in the UK at the request of its Statutory Customers
HESA and its statutory customers are data controllers in common under the Data Protection Act 1998. HESA's registration number is Z7475057.See the About HESA section of the website for more details about HESA and its statutory customers: http://www.hesa.ac.uk/about
The Further and Higher Education Act 1992 and the Further and Higher Education Act (Scotland) 1992 (FHE Act 1992) established an integrated higher education system throughout the United Kingdom through the formation of the Higher Education Funding Councils for England, Wales and Scotland (HEFCE, HEFCW, and SFC).
Section 79 of the FHE Act 1992 requires HEIs to give a Council such information as they may require for the purposes of the exercise of any of their functions under the Education Acts. Schedule 1, Paragraph 1 also states the Council may do anything which appears to them to be necessary or expedient for the purpose of or in connection with the discharge of their functions.
Section 82 of the FHE Act 1992 says that any two or more Councils may exercise jointly any of their functions where it appears appropriate for them to do so, i.e. is more efficient, or enables more effective discharge of their functions.
HESA was set up by agreement between the relevant government departments, the higher education funding councils and the universities and colleges in 1993. HESA is the central point of collection and dissemination of statistical information to meet the requirements of the Education Acts and minimise the burden of compliance on HEIs.
Each HEI enters into a ‘financial memorandum' with the relevant Funding Council. These financial memoranda place a number of mandatory requirements on HEIs that are conditions of funding. One of these requirements is that each HEI pays a subscription, and supplies timely and accurate data, to HESA.
Schedule 12 of the Education Act 2002 additionally requires that all Initial Teacher Training (ITT) students at HEIs in England are provisionally registered with the General Teaching Council for England (GTCE). The ITT in-year collection, administered by HESA, is the centralised mechanism for HEIs to submit details of ITT students to the GTCE for this purpose. On 1 April 2012 the GTCE closed and its functions conferred on a new body - The Teaching Agency.
3.1 The following HESA Records include personal data as defined in the DPA 1998:
3.2 Sensitive personal data
Under the DPA 1998, certain categories of data are categorised as ‘sensitive personal data' and are subject to stricter conditions of processing. The categories of sensitive personal data held within the HESA Records up to 2011/12 are ethnicity, disability, and religion (Northern Ireland only). Collection of this data is required by Statutory Customers for monitoring equal opportunities. HEIs are required to ask their staff and students for this information. From 2012/13 the HESA record may also contain data on sexual orientation, gender identity and religion (for all administrations). It will be optional for HEIs to return this information to HESA.
3.3 Collection Notices
Principle 1 of the DPA 1998 requires information to be provided, or made readily available, to data subjects so that they are not deceived or misled as to the purposes for which their data is to be processed. In order to satisfy this principle, the statutory bodies and HESA supply text for use by HEIs. Accordingly, collection notices are put together by a working group comprising representatives of HESA and each of its Statutory Customers and are reviewed periodically.
The text of these notices can be found on the HESA website at http://www.hesa.ac.uk/fpn.
The collection notices must be made available to all relevant data subjects by HEIs.
For students this might include:
For staff this might include:
Destinations of Leavers from Higher Education Survey (DLHE):
The DLHE collection notice is included in the standard DLHE documentation. HEIs must provide both the HESA collection notice and their own fair processing notice to DLHE survey participants.The DLHE Longitudinal Survey and National Student Survey are each conducted by central organisations. The student collection notice provides information on how contact details will used in conducting these surveys. Further details are provided to the student at the time of data collection.
The HESA record is used for three broad purposes:
4.1 Public functions
The HESA record is used by HESA's Statutory Customers, or agents acting on their behalf, to carry out their public functions connected with education in the UK.
The list of HESA's Statutory Customers is as follows:
The HESA record may also be used by the Office for National Statistics and the National Audit Office to fulfil their statutory functions of measuring population levels and monitoring public expenditure.
4.2 HESA publications
HESA use the HESA record to produce anonymised data in annual statistical publications. These include some Official Statistics and National Statistics publications and online management information services.
4.3 Equal opportunity, research, journalism and other processing in which there is a legitimate interest
HESA also supply anonymised data to third parties for the following purposes:
Anonymised data for the above purposes is supplied by HESA to the following types of user:
4.4 Other effects of the DPA 1998
All data published by HESA is rounded to prevent disclosure of information from which individuals may be identified. Averages and percentages based on small populations are also suppressed for the same reason. A full description of the HESA rounding strategy can be found here: http://www.hesa.ac.uk/rounding
All external data supplies to non-statutory customers (see 4.3 above) are supplied subject to a data protection risk assessment. Data is supplied under strict contractual terms and conditions which prohibit clients from using HESA data to identify individuals, and require the HESA rounding strategy to be applied to published statistics. A copy of HESA's standard agreement for the supply of data is available at http://www.hesa.ac.uk/dox/informationprovision/IP5_Terms_and_conditions_V1_7.pdf. Student names and individual identifier codes (such as HUSID) are never supplied to such clients.
5.1 What happens to data after it reaches HESA?
Once data has been submitted by HEIs it is processed into a form suitable for each Statutory Customer. Population indicators and other fields are derived from the core data to aid analysis. Each Statutory Customer receives the data necessary for their statutory functions, which in some cases is a subset of fields or records of the total submission. HESA also retains the full dataset for the uses described in the collection notices and in sections 4.2 and 4.3 above.
5.2 How are Records decided?
Each HESA Record is subject to a regular review, and may be further amended to satisfy Statutory Customer initiatives in between planned reviews. Changes to Records are mostly prompted by the needs of Statutory Customers or the desire to improve data quality, and are subject to extensive consultation with all parties concerned including the HEIs. All the data protection principles are borne in mind during the Record review process.
5.3 Is the collection of all the data necessary?
Every item of data collected by HESA is needed either by a Statutory Customer or to aid the collection process. Some data items are used in the derivation of datasets for Statutory Customers and then not further processed. The requirement for individual items of data is regularly reviewed as part of the Record review process.
5.4 Why collect unique individual identifiers if records are never looked at individually?
Collection of individual identifiers is essential both to aid the collection process and to allow the Statutory Customers to carry out their functions effectively. These include the tracking of students and staff in HEIs to produce accurate progression and participation statistics.
5.5 Why are student names collected?
Student names are needed to ensure the data collection process runs smoothly. Actual names are supplied to Statutory Customers for record linking and in support of audit processes. Names within HESA data are not used to make direct contact with students. Access to names within HESA and its Statutory Customers is restricted only to essential staff who have received appropriate training in data protection.
5.6 Is staff data personal data?
The definition of ‘personal data' is data which relate to a living individual who can be identified from those data, or from those data and other information which is in possession of or is likely to come into the possession of the data controller. Although no information is held by HESA that assigns STAFFID to staff names, many individual staff records contain enough fields, such as date of birth, HEI and cost centre, as to make each record distinguishable and in some cases allows identification from information already in the public domain. Acting on legal advice, HESA has therefore decided to treat individualised staff records as personal data.
HEIs are obliged to make sure that all staff are informed that data about them is sent to HESA, ideally using the staff collection notice.
5.7 Why are ethnicity and disability data collected and are they given special treatment?
Ethnicity and disability information is classified as ‘sensitive personal data' under the DPA 1998. This means that processing of this data is subject to stricter conditions than other data in the HESA Records. Collection of this data is essential for equal opportunities monitoring required by Statutory Customers.
HEIs are therefore required to ask their staff and students for this information.
5.8 Are all HEIs required to use the Collection Notices?
All HEIs are required to inform their students and staff of the uses to which their data is put by HESA and its statutory customers. The HESA collection notices are provided for this purpose and their use by HEIs is recommended by the HE funding councils.
5.9 How does data protection affect the DLHE and DLHE Longitudinal Surveys?
Data protection procedures are an integral part of the DLHE collection. Please see the guidance within the relevant year's data collection page for full details:
For the DLHE Longitudinal survey two additional
pages of FAQs are provided:
Frequently asked questions for HE institutions 2008/09 survey
Frequently asked questions for HE leavers 2008/09 survey