HESA is now part of Jisc. Jisc is now the data controller of personal data previously controlled by HESA. Pages on the HESA website are being updated to reflect this change. Please see updated Privacy information.
This page links to information for individuals and organisations about HESA's compliance with the General Data Protection Regulation (GDPR) and other data protection legislation.
Personal data held by HESA
HESA holds information on students and staff in universities, higher education (HE) colleges and specialist providers in the UK. The Collection Notices describe the purposes for which this data is collected. The data collection coding manuals for each academic year 1994/95 show the full lists of data fields collected each year.
We also hold information on customers and other people who have contact with HESA where it is necessary to allow HESA to carry out its functions. The Privacy Information page describes how and why we process personal data, the legal bases for this processing, and individuals' rights under data protection legislation.
The Data Futures Data Protection and Information Security White Paper provides an overview of the Data Futures programme and its approach to Data Protection and Information Security by design.
From December 2018 graduates from the 2017/18 academic year will receive the new Graduate Outcomes survey. The following data protection information for HE providers can found via the main Graduate Outcomes section:
- Data protection guidance
- Data protection: Action and implications for providers
- Data protection: Operational support for the collection and use of contact details
Guidance for higher education providers
Our Data Protection Guidance for the HESA Records aims to provide supporting information for those in HE providers dealing with data protection issues, with additional guidance for Alternative Providers new to the HESA data collection process.
HE providers must make the HESA Collection Notices available to students and staff whose data they send to HESA, usually by including a link from their own privacy information.
Disclosure control in statistical publications
Please see Rounding and suppression to anonymise statistics for information on how we protect personal data from being re-identified from statistical data tables.
HESA maintains the ISO 27001 International Standards certification for Information Security. This means that the security of HESA's systems and processes are regularly and independently audited.
Data Protection Register
- Higher Education Statistics Agency Limited - Registration Number Z7475057
- HESA Services Limited - Registration Number Z7899462
Contact details for more information
If you have any questions about HESA and data protection please contact our Data Protection Officer:
- Email: [email protected]
- Tel: +44 (0)1242 388 513 [option 5]
- Address: HESA, 95 Promenade, Cheltenham, GL50 1HZ