
Data protection guidance for the HESA records


(Version 7.0, March 2015)

We have drawn together this guidance to provide more information about the effect of Data Protection legislation on the processing of student and staff data by HESA. It is not intended as a guide to the Data Protection Act 1998 (DPA1998).

New subscriber to HESA?

If you are submitting an Alternative provider student record please read this.

If you are submitting student data from a Further Education Institution in Wales funded by HEFCW please read this.


  1. About HESA
  2. Requirement of HEPs to provide data
  3. Personal data processed by HESA
  4. Uses of HESA data
  5. Frequently Asked Questions

1. About HESA

HESA is the official agency for the collection, analysis and dissemination of quantitative information about higher education (HE) in the UK.

HESA collects information from higher education institutions and alternative providers (APs) in the UK at the request of its Statutory Customers. HE institutions and alternative providers are collectively described as higher education providers.

HESA and its statutory customers are data controllers in common under the Data Protection Act 1998. HESA's ICO registration number is Z7475057.

2. Requirement of HE institutions and alternative providers to provide data

The Further and Higher Education Act 1992 (FHE Act 1992) established an integrated higher education system throughout the United Kingdom through the formation of the higher education funding councils for England, Wales and Scotland (HEFCE, HEFCW and SFC).

Section 79 of the FHE Act 1992 and the Further and Higher Education Act (Scotland) 2005 require HE institutions to give a council such information as they may require for the purposes of the exercise of any of their functions. Schedule 1, Paragraph 1 of the FHE Act 1992 also states the council may do anything which appears to them to be necessary or expedient for the purpose of or in connection with the discharge of their functions.

Section 82 of the FHE Act 1992 says that any two or more councils may exercise jointly any of their functions where it appears appropriate for them to do so, i.e. is more efficient, or enables more effective discharge of their functions.

HESA was set up by agreement between the relevant government departments, the higher education funding councils and the universities and colleges in 1993. HESA is the central point of collection and dissemination of statistical information to meet the requirements of the Education Acts and minimise the burden of compliance on HE institutions.

Each HE institution enters into a ‘financial memorandum’ with the relevant funding council. These financial memoranda place a number of mandatory requirements on institutions that are conditions of funding. One of these requirements is that each institution pays a subscription to HESA, and supplies timely and accurate data.

Schedule 12 of the Education Act 2002 additionally requires that all Initial Teacher Training (ITT) students at HE institutions in England are provisionally registered with the General Teaching Council for England (GTCE). The ITT in-year collection, administered by HESA, is the centralised mechanism for institutions to submit details of ITT students to the GTCE for this purpose. On 1 April 2012 the GTCE closed and its functions were conferred on The Teaching Agency and subsequently the National College for Teaching and Leadership (NCTL).

It is a condition of course designation that alternative providers subscribe to HESA.

Organisations with a statutory requirement to receive data from HE providers are referred to as HESA's 'Statutory Customers'.

3. Personal Data in the HESA records

3.1 The following HESA Records include personal data as defined in the DPA 1998:

  • Student record
  • Alternative provider student record
  • Initial Teacher Training In-Year collection (HE providers in England only)
  • Destinations of Leavers from Higher Education (DLHE) survey
  • DLHE Longitudinal survey
  • Staff record.

3.2 Sensitive personal data

Under the DPA 1998, certain categories of data are categorised as ‘sensitive personal data’ and are subject to stricter conditions of processing. The categories of sensitive personal data held within the HESA records up to 2011/12 are ethnicity, disability and religion (Northern Ireland only). HE providers are required to ask their staff and students for this information. From 2012/13, the HESA record also contains data on sexual orientation, gender identity and religion (for all administrations). It is optional for providers to return this information to HESA. Collection of this data is required by statutory customers for monitoring equal opportunities.

3.3 Collection Notices

Principle 1 of the DPA 1998 requires information to be provided, or made readily available, to data subjects so that they are not deceived or misled as to the purposes for which their data is to be processed. In order to satisfy this principle, the statutory bodies and HESA supply text for use by HE providers. Accordingly, collection notices are put together by a working group comprising representatives of HESA and each of its statutory customers and are reviewed periodically.

The text of these notices can be found on the HESA website.

HE providers must make collection notices available to all relevant data subjects.

For students this might include:

  • Including the above link in the HE provider’s own privacy statement
  • Providing the text with the enrolment form and the provider’s own data protection statement
  • Including the text on a website with the provider’s own data protection information
  • Including the text in a student handbook or other reference source for students.

For staff this might include:

  • Including the above link in the HE provider’s own privacy statement
  • Including it in the employment handbook
  • Bringing it to their attention at the regular update of contact details
  • Making it available in the same location as the provider’s own data protection statement for staff.

Destinations of Leavers from Higher Education (DLHE) survey:

The DLHE collection notice is included in the standard DLHE documentation. HE providers must provide both the HESA collection notice and their own fair processing notice to DLHE survey participants.

The DLHE Longitudinal survey and National Student Survey are each conducted by central organisations. The student collection notice provides information on how contact details will be used in conducting these surveys. Further details are provided to the student at the time of data collection.

4. Uses of HESA data

The purposes for which the HESA records are used are described in detail in the Collection Notices.

Other effects of the DPA 1998

All data published by HESA is rounded to prevent disclosure of information from which individuals may be identified. Averages and percentages based on small populations are also suppressed for the same reason. A full description of the HESA rounding strategy can be found here.

All data offered externally are supplied subject to a data protection risk assessment. Data is supplied under strict contractual terms and conditions which prohibit clients from using HESA data to identify individuals, and require the HESA rounding strategy to be applied to published statistics. A copy of HESA's standard agreement for the supply of data is available here. Student names and individual identifier codes (such as HUSID) are not supplied in bespoke data extracts.

5. Frequently Asked Questions

5.1 What happens to data after it reaches HESA?

Once data has been submitted by HE providers, it is processed into a form suitable for each statutory customer. Population indicators and other fields are derived from the core data to aid analysis. Each statutory customer receives the data necessary for their statutory functions, which in some cases is a subset of fields or records from the total submission. HESA also retains the full dataset for the uses described in the collection.  

5.2 How are records decided?

Each HESA record is subject to a regular review, and may be further amended to satisfy statutory customer initiatives in between planned reviews. Changes to records are mostly prompted by the needs of statutory customers or the desire to improve data quality, and are subject to extensive consultation with all parties concerned including the HE providers. All the data protection principles are borne in mind during the record review process.

5.3 Is the collection of all the data necessary?

Every item of data collected by HESA is needed either by a statutory customer or to aid the collection process. Some data items are used in the derivation of datasets for statutory customers and then not processed further. The requirement for individual items of data is regularly reviewed as part of the record review process.

5.4 Why collect unique individual identifiers if records are never looked at individually?

Collection of individual identifiers is essential both to aid the collection process and to allow the statutory customers to carry out their functions effectively. These include the tracking of students and staff in HE providers to produce accurate progression and participation statistics.

5.5 Why are student names collected?

Student names are needed to ensure the data collection process runs smoothly. Actual names are supplied to statutory customers for record linking and in support of audit processes. Names within HESA data are not used to make direct contact with students. Access to names within HESA and its statutory customers is restricted only to essential staff who have received appropriate training in data protection.

5.6 Is staff data personal data?

The definition of ‘personal data’ is data which relates to a living individual who can be identified either from that data, or from that data combined with other information which is in possession of, or is likely to come into the possession of, the data controller. Although no information is held by HESA that assigns STAFFID to staff names, many individual staff records contain enough fields, such as date of birth, HE provider and cost centre, to make each record distinguishable. This in some cases allows identification from information already in the public domain. Acting on legal advice, HESA has therefore decided to treat individualised staff records as personal data.

HE providers are obliged to make sure that all staff are informed that data about them is sent to HESA. The HESA Staff Collection Notice is provided for this purpose.

5.7 Why is sensitive personal data collected and is it given special treatment?

Ethnicity, disability, sexual orientation, gender identity and religion are classified as ‘sensitive personal data’ under the DPA 1998. This means that processing of this data is subject to stricter conditions than other data in the HESA records. Collection of this data is essential for equal opportunities monitoring required by statutory customers.

HE providers are therefore required to ask their staff and students for this information.

5.8 Are all HE providers required to use the Collection Notices?

All HE providers are required to inform their students and staff of the uses to which their data is put by HESA and its statutory customers. The HESA collection notices are provided for this purpose and their use by providers is recommended by the HE funding councils.

5.9 How does data protection affect the DLHE and DLHE Longitudinal surveys?

Data protection procedures are an integral part of the DLHE collection. Please see the guidance within the relevant year's data collection page for full details.

For the DLHE Longitudinal survey additional information is provided as FAQs for leavers and HE providers via the relevant year's data collection page.