Data protection guidance for the HESA records
(Version 8.1, June 2017)
We have drawn together this guidance to provide more information about the effect of Data Protection legislation on the processing of student and staff data by HESA. This guidance has been updated to refer to the General Data Protection Regulation (GDPR) which will apply from 25 May 2018. It is not intended as a guide to the Data Protection Act 1998 (DPA) or the GDPR.
New subscriber to HESA?
If you are submitting an Alternative provider student record please read this.
If you are submitting student data from a Further Education Institution in Wales funded by HEFCW please read this.
- About HESA
- Personal Data in the HESA records
- Sensitive personal data/Special categories of personal data
- Collection Notices
- Graduate outcomes survey
- Obligations of HE providers to provide data to HESA
- Frequently Asked Questions
HESA is the official agency for the collection, analysis and dissemination of quantitative information about higher education (HE) in the UK.
HESA collects information from higher education institutions and alternative providers (APs) in the UK at the request of its Statutory Customers. HE institutions and alternative providers are collectively described as higher education providers.
HESA and its Statutory Customers are data controllers in common under the Data Protection Act 1998. HESA's ICO registration number is Z7475057. HESA’s wholly-owned subsidiary company HESA Services Ltd is also a data controller in common of the data and provides anonymous or pseudonymised data extracts for research purposes. HESA Services Ltd’s ICO registration number is Z7899462. All uses of personal data collected by HESA are described in the Collection Notices at www.hesa.ac.uk/about/regulation/data-protection/notices.
The following HESA Records include personal data as defined in the DPA and GDPR:
- Student record
- Alternative provider student record
- Initial Teacher Training In-Year collection (HE providers in England only)
- Destinations of Leavers from Higher Education (DLHE) survey (final data collection 2016/17)
- DLHE Longitudinal survey (final data collection 2012/13)
- The Graduate Outcomes survey (first collection 2017/18)
- Staff record.
A full list of data fields collected in each data collection can be found via the Data collection section of the HESA website.
The lawful basis under GDPR for collecting personal data and for each processing purpose is described in the relevant Collection Notice as required by GDPR Article 13.
Certain categories of data are categorised as ‘Sensitive personal data’ under the DPA and ‘Special categories’ under GDPR. These are subject to stricter conditions of processing. The following data fields in the HESA record capture sensitive or special categories of personal data:
- Gender Identity
- Religion or belief
- Sexual orientation
Collection of these sensitive or special categories of data is necessary for statistical research purposes to help public authority data controllers to meet their public-sector equality duties under the Equality Act 2010. This processing is lawful under the Data Protection (Processing of Sensitive Personal Data) Order 2000 (Schedule (9)) and GDPR Article 9(2)(j).
Principle 1 of the DPA and Article 13 of the GDPR require data controllers to provide information to data subjects that identifies data controllers and describes their purposes for processing personal data, including transfers and disclosures to other data controllers. HESA’s Collection Notices provide this information for students, staff and graduates on behalf of HESA, HESA Services Ltd, and the other organisations who are data controllers in common of HESA datasets.
The Collection Notices are published at www.hesa.ac.uk/about/regulation/data-protection/notices.
HE providers must inform students and staff that their personal data will be submitted to HESA, and must make the HESA Collection Notices available to all relevant data subjects. HESA recommend that HE providers include a link from their own privacy notices to the HESA Collection Notices.
The Student Collection Notice informs students that their contact details will be used to undertake surveys of graduate outcomes. Further information about the use of survey responses is provided before the survey starts.
Specific data protection guidance in relation to the Graduate Outcomes survey can be found here: www.hesa.ac.uk/innovation/outcomes/providers/data-protection.
Various pieces of legislation include obligations on HE providers to provide information to government departments, funding and regulatory bodies, and other public authorities. Organisations with a statutory requirement to receive data from HE providers are referred to as HESA's 'Statutory Customers'.
Section 79 of the Further and Higher Education Act 1992 requires HEIs to give Funding Councils such information as they may require for the purposes of the exercise of any of their functions under the Education Acts. Schedule 1, Paragraph 1 also states the Council may do anything which appears to them to be necessary or expedient for the purpose of or in connection with the discharge of their functions.
Section 82 of the Further and Higher Education Act 1992 says that any two or more Funding Councils may exercise jointly any of their functions where it appears appropriate for them to do so, i.e. is more efficient, or enables more effective discharge of their functions.
Section 69 of the Further and Higher Education Act 1992 requires the funding councils to provide the Secretary of State with such information relating to the provision for their area of higher education as he requires and also gives a power to provide such information about that provision as they think fit.
The Higher Education and Research Act 2017 establishes the Office for Students (OfS) and requires it to establish and maintain a register of English higher education providers. Section 8 of the Act requires that the ongoing registration conditions include -
(b) a condition that requires the governing body of the provider to provide the OfS, or a person nominated by the OfS, with such information for the purposes of the performance of the OfS’s functions as the OfS may require it to provide, and
(c) a condition that requires the governing body of the provider to provide a designated body with such information for the purposes of the performance of its duties under sections 64(1) and 65(1) (compiling, making available and publishing higher education information) as the designated body may require it to provide.
Section 22 of the Further and Higher Education (Scotland) Act 2005 requires HE providers in Scotland to provide the Scottish Further and Higher Education Funding Council with “such information as it may reasonably require for the purposes of or in connection with the exercise of any of its functions.”
Section 27 of the Higher Education (Wales) Act 2015 obliges the Higher Education Funding Council for Wales (HEFCW) to “publish a code relating to the organisation and management of the financial affairs of regulated institutions”. This Financial Management Code in turn requires HE providers in Wales to provide information to HEFCW as it reasonably requires.
Section 30 of the Education and Libraries (Northern Ireland) Order 1993 permits the Department of higher education (currently the Department for the Economy) to “obtain such advice and other services as it considers necessary or desirable from any other body or person on such terms and conditions as may be agreed between the Department and that other body or person.”
Schedule 12 of the Education Act 2002 requires that all Initial Teacher Training (ITT) students at HEIs in England are provisionally registered with the General Teaching Council for England (GTCE). The ITT in-year collection, administered by HESA, is the centralised mechanism for HEIs to submit details of ITT students to the National College for Teaching and Leadership (NCTL - the successor body to GTCE) for this purpose.
Agreements, codes or memoranda between funding or regulatory bodies and HE providers specify that information requirements are fulfilled through submission of data to HESA.
It is a condition of course designation that alternative providers subscribe to HESA.
What happens to data after it reaches HESA?
Once data has been submitted by HE providers, it is processed into a form suitable for each Statutory Customer. Population indicators and other fields are derived from the core data to aid analysis. Each Statutory Customer receives the data necessary for their statutory functions, which in some cases is a subset of fields or records from the total submission. HESA also retains the full dataset for the uses described in the Collection Notices.
How are records decided?
Each HESA record is subject to a regular review, and may be further amended to satisfy Statutory Customer initiatives in between planned reviews. Changes to records are mostly prompted by the needs of Statutory Customers or the desire to improve data quality, and are subject to extensive consultation with all parties concerned including the HE providers. All the data protection principles are borne in mind during the record review process.
Is the collection of all the data necessary?
Every item of data collected by HESA is needed either by a Statutory Customer or to aid the collection process. Some data items are used in the derivation of datasets for Statutory Customers and then not processed further. The requirement for individual items of data is regularly reviewed as part of the record review process.
Why collect unique individual identifiers if records are never looked at individually?
Collection of individual identifiers is essential both to aid the collection process and to allow the Statutory Customers to carry out their functions effectively. These include the tracking of students and staff in HE providers to produce accurate progression and participation statistics.
Why are student names collected?
Student names are needed to ensure the data collection process runs smoothly. Actual names are supplied to Statutory Customers for record linking and in support of audit processes. Names within HESA data are not used to make direct contact with students. Access to names within HESA and its Statutory Customers is restricted only to essential staff who have received appropriate training in data protection.