
Data protection guidance for the HESA records

HESA is now part of Jisc. Jisc is now the data controller of personal data previously controlled by HESA. Pages on the HESA website are being updated to reflect this change. Please see updated Privacy information.


(Version 8.3, June 2019)

We have drawn together this guidance to provide more information about the effect of Data Protection legislation on the processing of student and staff data by HESA. It is not intended as a guide to the GDPR or the Data Protection Act 2018.

New subscriber to HESA?

If you are submitting student data from a Further Education Institution in Wales funded by HEFCW please read this.


  1. About HESA
  2. Personal Data in the HESA records
  3. Sensitive personal data/Special categories of personal data
  4. Collection Notices
  5. Graduate outcomes survey
  6. Obligations of HE providers to provide data to HESA
  7. Frequently Asked Questions

1. About HESA

HESA (Higher Education Statistics Agency Limited) is the official agency for the collection, analysis and dissemination of quantitative information about higher education (HE) in the UK, and the Designated Data Body for England.

HESA collects information from higher education providers in the UK at the request of its Statutory Customers.

HESA and its Statutory Customers are Controllers of the HESA records under GDPR. HESA's ICO registration number is Z7475057. HESA’s wholly-owned subsidiary company HESA Services Limited may also act as a Controller of the data and provides anonymous or pseudonymised data extracts for research purposes. HESA Services Limited’s ICO registration number is Z7899462. All uses of personal data collected by HESA are described in the Collection Notices at

2. Personal Data in the HESA records

The following HESA Records include personal data as defined in the GDPR:

  • Student record
  • Student Alternative record
  • Initial Teacher Training In-Year collection (HE providers in England only)
  • Destinations of Leavers from Higher Education (DLHE) survey (final data collection 2016/17)
  • DLHE Longitudinal survey (final data collection 2012/13)
  • The Graduate Outcomes survey (first collection 2017/18)
  • Staff record.

A full list of data fields collected in each data collection can be found via the Data collection section of the HESA website.

The lawful basis under GDPR for collecting personal data and for each processing purpose is described in the relevant Collection Notice as required by GDPR Article 13.

3. Special categories of personal data

Certain categories of data are specified as ‘Special categories of personal data’ under GDPR. These are subject to stricter conditions of processing. The following data fields in the HESA record capture sensitive or special categories of personal data:

  • Disability
  • Ethnicity
  • Gender Identity
  • Religion or belief
  • Sexual orientation

Collection of these sensitive or special categories of data is necessary for statistical research purposes to help public authority data controllers to meet their public-sector equality duties under the Equality Act 2010. This processing is lawful under GDPR Article 9(2)(j).

4. Collection Notices

Articles 13 and 14 of the GDPR require data controllers to provide information to data subjects that identifies data controllers and describes their purposes for processing personal data, including transfers and disclosures to other data controllers. HESA’s Collection Notices provide this information for students, staff and graduates on behalf of HESA, HESA Services Limited, and the other organisations who are Controllers of HESA datasets.

The Collection Notices are published at

HE providers must inform students and staff that their personal data will be submitted to HESA and must make the HESA Collection Notices available to all relevant data subjects. HESA recommend that HE providers include a link from their own privacy notices to the HESA Collection Notices.

5. Graduate outcomes survey

The Student Collection Notice informs students that their contact details will be used to undertake surveys of graduate outcomes. Further information about the use of survey responses is provided before the survey starts.

Specific data protection guidance in relation to the Graduate Outcomes survey can be found here:

6. Obligations of HE providers to provide data to HESA

Various pieces of legislation include obligations on HE providers to provide information to government departments, funding and regulatory bodies, and other public authorities. Organisations with a statutory requirement to receive data from HE providers are referred to as HESA's 'Statutory Customers'.

In England, the Higher Education and Research Act 2017 (HERA) establishes the Office for Students (OfS) and requires it to establish and maintain a register of English higher education providers. HE providers are required by OfS to provide information to HESA under section 79(c) of the Further and Higher Education Act 1992 and the Education (Prescribed Courses of Education) (Information Requirements) (England) Regulations 2015, SI 2015/225.

From 1 August 2019 these obligations will be replaced by Section 8 of HERA, which requires that the ongoing registration conditions include:
(b) a condition that requires the governing body of the provider to provide the OfS, or a person nominated by the OfS, with such information for the purposes of the performance of the OfS’s functions as the OfS may require it to provide, and
(c) a condition that requires the governing body of the provider to provide a designated body with such information for the purposes of the performance of its duties under sections 64(1) and 65(1) (compiling, making available and publishing higher education information) as the designated body may require it to provide.

Section 22 of the Further and Higher Education (Scotland) Act 2005 requires HE providers in Scotland to provide the Scottish Further and Higher Education Funding Council with “such information as it may reasonably require for the purposes of or in connection with the exercise of any of its functions.”

Section 27 of the Higher Education (Wales) Act 2015 obliges the Higher Education Funding Council for Wales (HEFCW) to “publish a code relating to the organisation and management of the financial affairs of regulated institutions”. This Financial Management Code in turn requires HE providers in Wales to provide information to HEFCW as it reasonably requires.

Section 30 of the Education and Libraries (Northern Ireland) Order 1993 permits the Department of higher education (currently the Department for the Economy) to “obtain such advice and other services as it considers necessary or desirable from any other body or person on such terms and conditions as may be agreed between the Department and that other body or person.”

Schedule 12 of the Education Act 2002 requires that all Initial Teacher Training (ITT) students at HEIs in England are provisionally registered with the General Teaching Council for England (GTCE). The ITT in-year collection, administered by HESA, is the centralised mechanism for HEIs to submit details of ITT students to the Teaching Regulation Agency (TRA - the successor body to GTCE) for this purpose.

Agreements, codes or memoranda between funding or regulatory bodies and HE providers specify that information requirements are fulfilled through submission of data to HESA.

It is a condition of Designation for Teach Out from the OfS, or Limited Designation from the OfS, that providers must provide HESA with such information as HESA specifies at the time and in the manner and form specified by HESA, and meet the costs of such submission, including any associated subscription costs that HESA may determine.

7. Frequently Asked Questions

What happens to data after it reaches HESA?

Once data has been submitted by HE providers, it is processed into a form suitable for each Statutory Customer. Population indicators and other fields are derived from the core data to aid analysis. Each Statutory Customer receives the data necessary for their statutory functions, which in some cases is a subset of fields or records from the total submission. HESA also retains the full dataset for the uses described in the Collection Notices.

How are records decided?

Each HESA record is subject to a regular review, and may be further amended to satisfy Statutory Customer initiatives in between planned reviews. Changes to records are mostly prompted by the needs of Statutory Customers or the desire to improve data quality, and are subject to extensive consultation with all parties concerned including the HE providers. All the data protection principles are borne in mind during the record review process.

Is the collection of all the data necessary?

Every item of data collected by HESA is needed either by a Statutory Customer or to aid the collection process. Some data items are used in the derivation of datasets for Statutory Customers and then not processed further. The requirement for individual items of data is regularly reviewed as part of the record review process.

Why collect unique individual identifiers if records are never looked at individually?

Collection of individual identifiers is essential both to aid the collection process and to allow the Statutory Customers to carry out their functions effectively. These include the tracking of students and staff in HE providers to produce accurate progression and participation statistics.

Why are student names collected?

Student names are needed to ensure the data collection process runs smoothly. Actual names are supplied to Statutory Customers for record linking and in support of audit processes. Names within the HESA Student record are not used to make direct contact with students. Access to names within HESA and its Statutory Customers is restricted to essential staff who have received appropriate training in data protection.

For the Graduate Outcomes survey, HE providers will provide the names and contact details of graduates to HESA in order to perform the survey.