Skip to main content

Collection notices

NOTICE – change of controller

On 4 October 2022 the Higher Education Statistics Agency (HESA) merged with Jisc. HESA is now part of Jisc, a not-for-profit company limited by guarantee, registered in England (company number: 05747339; charity number: 1149740).

Any personal data processed by HESA as Controller has now transferred to Jisc under the purposes set out in this collection notice and Jisc is now the Controller of this personal data. References to ‘HESA Information’ in this privacy notice means data controlled by Jisc.

Jisc is the Controller of the HESA website and of any processing described on HESA’s website, unless otherwise indicated. This means it is Jisc who determines the manner and purpose of processing.

Under UK data protection laws, we are required to provide you with certain information about who we are, how we process your personal data and for what purposes and your rights in relation to your personal data. This information is provided in this collection notice. It is important that you read this information.

Details of how to exercise your data protection rights can be found in this collection notice. If you have any queries about how your personal data is processed, please contact [email protected].

In July 2021, the decision was taken to move to a single collection notice for student and staff data subjects to cover all academic years. These notices are available both in English and Welsh.

These changes were made to make the notices more accessible and transparent to data subjects. The notices link to specific records across various collection years of HESA Information. If you need any assistance in identifying which record your HESA Information may be included in, please contact [email protected] for guidance.

Copies of the historic notices continue to be made available on the Historical Collection Notices page.

We welcome any feedback on these published notices.

Student collection notice

Student_Collection_Notice.pdf

Hysbysiad_Casglu_i_Fyfyrwyr.pdf

Jisc is the body responsible for collecting and disseminating information about higher education in the UK and the designated data body for England (see www.hesa.ac.uk/about for more information). Jisc is a Controller of your information.

Reference to “your provider” refers to the higher education provider which you attend. This notice relates to information about you which will be collected by your provider and passed to Jisc and to other organisations as described below.

This notice is applicable to the 2023/24 academic year. It is also applicable to data collected in previous academic years and retained by Jisc. See Categories of information submitted to Jisc, including Special Categories of data, below, for more information about the categories of data that will be collected in 2023/24 and that have been collected by HESA in previous years and have been transferred to Jisc.

How to read this privacy notice: Most sections have key information included in the blue boxes. Please click on the '+' at the top of each blue box for more detail.

This notice sets out information about Jisc and other Controllers of your data, how and why they process your data, the legal bases for this processing, and your rights under data protection legislation.

This notice is regularly reviewed and updated, for example when organisations change their name, or to clarify how your information is used. Updates may be made at any time, and you will always find the most up to date version at www.hesa.ac.uk/fpn.

Throughout this privacy notice we will link to the privacy documentation of the organisations with whom we share your information.

We will hyperlink the relevant privacy notices throughout to enable you to see how each recipient organisation processes your information. To access an organisation’s privacy page, simply click on the name of the organisation within each section.

Every year your provider, or the government department that collected it originally, will send some of the information it holds about you to Jisc (“your HESA Information”). Jisc is an official source of data about UK higher education. Jisc is a registered charity and operates on a not-for-profit basis.

Your HESA Information is used for a variety of purposes by Jisc and by third parties as described below. Jisc may charge other organisations to whom it provides services and data. Uses of your HESA Information may include linking parts of it to other information, as described below. Information provided to Jisc is retained indefinitely for statistical research purposes. Your HESA Information will not be used to make automated decisions about you. The extent to which your HESA Information will be used for purposes 4-5 and 8 will vary.

Jisc processes information about UK and other nationals, including EU nationals. Accordingly, all uses of HESA Information must comply with the General Data Protection Regulation (“GDPR”) (including UK and EU versions) and the Data Protection Act 2018.

Data submitted to Jisc by your provider includes details about the course you are studying, and any qualifications awarded to you during the academic year. It also includes personal data - such as your name and date of birth, your prior qualifications, and where you lived before and during your course.

Information about your health, disability status, ethnicity, sexual orientation, gender reassignment or religion are classed as ‘Special Categories of data’ under the GDPR. Any special category data supplied to Jisc by your provider as part of their submission will be included in your HESA Information.

This information is necessary for monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act 2010 and Section 75 of the Northern Ireland Act 1998 or equivalent subsequent legislation, or for other research purposes falling within GDPR Article 9(2)(j). This information will also be processed for statistics and statistical research.

Some other information is used to enable research into the provision of fair access to higher education, for example information as to whether you are a care leaver. If your provider is in England or Wales, your HESA Information may include details of any financial support you may receive from your higher education provider.

A full list of data items that may be included in your HESA Information for the 2023/24 academic year will be available from October 2023 here: https://codingmanual.hesa.ac.uk/23056/.

- Please note that not all data items are collected for all students.

If you were a student in a previous academic year, a full list of data items that may be included in your HESA Information can be found below. Please note that multiple academic years are likely to apply to your HESA Information depending on the length of your initial course(s) and of any further study.

Student Record data items

Student (Legacy) Student Record (Legacy) Student Alternative Record Initial Teacher Training Record (ITT)

If you need any assistance in identifying which records your HESA Information may be included in, please contact [email protected] for guidance.

In addition to the table above, The Universities and Colleges Admissions Service (‘UCAS’) will send some information it holds about you to us to support our UK-wide public functions, to collect and disseminate higher education information.

It may be necessary to share data we receive from UCAS with your higher education provider to assist with validation and additional quality assurance steps.

For more information on uses of your UCAS data see https://www.hesa.ac.uk/about/regulation/data-protection/ucas-data.

Jisc shares your HESA Information with the HE funding and regulatory body(s) who request Jisc to collect it and require it to carry out their statutory and/or public functions. This data sharing is carried out in the public interest or in the exercise of official authority vested in Jisc and the funding and regulatory bodies. Jisc has been appointed as the designated data body for England under the Higher Education and Research Act 2017. The HE funding and regulatory bodies are:

England - Office for Students (who take into account what would be helpful to collect for sharing with UK Research and Innovation and the Secretary of State)
Wales - Higher Education Funding Council for Wales (or any successor body following the passing of the Tertiary Education and Research (Wales) Act 2022)
Scotland - Scottish Funding Council
Northern Ireland - Department for the Economy

Your HESA Information will be shared with these organisations as part of a large dataset which contains similar information about other people who have followed higher education courses in the UK. These organisations are also Controllers of your HESA Information. This means that they make their own decisions about how to use it, and this may include publishing statistics, carrying out quality assurance, and sharing the information with third parties, such as other government or public bodies or other organisations of the type listed elsewhere in this collection notice. However, all uses of your HESA Information are within the purposes set out in this collection notice and covered by data sharing agreements with Jisc.

These organisations may retain HESA Information indefinitely for statistical and research purposes.

Legal basis for processing your information for Purpose 1

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (see GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Education statistics and data

Jisc also acts as an information hub to provide information on higher education. In England, this is undertaken outside of Jisc’s designated data body activities. Jisc shares your HESA Information with public authorities who require it to carry out their statutory and/or public functions. This data sharing is carried out in the public interest or in the exercise of official authority vested in Jisc and the public authorities. Your HESA Information will be shared with these organisations as part of a large dataset which contains similar information about other people who have followed higher education courses in the UK.

These organisations become Controllers upon receipt of your HESA Information. This means that they make their own decisions about how to use it, and this may include publishing statistics and sharing the information with third parties, such as other government or public bodies or other organisations of the type listed elsewhere in this collection notice. However, all uses that they make of your HESA Information will be within the purposes set out in this collection notice and covered by data sharing agreements with Jisc. These organisations will not use the data for the purposes of distinguishing your individual record or to take decisions about you, except as described in Purpose 3 below. These organisations may retain HESA Information indefinitely for statistical and research purposes, or for fixed terms depending on the terms of their data sharing agreements with Jisc or their own retention policies.

The HE funding and regulatory bodies who receive information not collected under their relevant power, but who need it for their functions, are:

Education departments in England and the devolved administrations:

Other bodies with public functions connected to education:

and any successor bodies. Further Controllers may be added to the list from time to time – please see the online version of this notice at www.hesa.ac.uk/fpn.

Other uses of named data
Your HESA Information may also be used by some organisations who are also Controllers who carry out statistical and research tasks in the public interest or in the exercise of official authority that are not connected with education. Such uses may include the following:

The above list of organisations who may receive your HESA Information will be subject to change over time. For example, Jisc is seeking to reduce the burden on higher education providers by encouraging other organisations who currently collect information about students direct from higher education providers to collect and receive information through Jisc. The above list will be updated from time to time and can be found at www.hesa.ac.uk/fpn. You will need to monitor this link yourself if you wish to be aware of changes.

Legal basis for processing your information for Purpose 2

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Jisc Administrative Uses

Changing provider during your higher education studies – If during your study with a higher education provider, you transfer to another higher education provider or your course is delivered in collaboration with another higher education provider, it may be necessary for Jisc to share information about you with your new provider to ensure you are correctly included in their relevant data submission to Jisc. Jisc may also be required to inform your previous provider that you are now studying elsewhere.

External Administrative Uses

In the exercise of their official authority, it may be necessary for the UK higher education funding and regulatory bodies listed in Purposes 1 and 2 to use your HESA Information which is passed to them for Purposes 1 and 2 to identify you and take decisions about you as an individual for the following purposes only:

Medical Qualification checking – It may be necessary for the GMC to use your HESA Information which is passed to them for Purpose 2 to identify you for the purpose of checking your Advanced Knowledge Test qualification.

Fraud detection and prevention - Your HESA Information may be used to audit claims to public funding and student finance, and to detect and prevent fraud. This may include sharing your Information with other Controllers (for example the Student Loans Company, Pearson Education).

Previous study - If your higher education provider is in England: The Office for Students may share your previous education records with this provider, including HESA Information submitted by other higher education providers, to determine the nature of any prior higher education study, including your current qualifications. This may be used to make decisions about the fees you are required to pay, the support available to you or the availability of a place for you to study with a higher education provider. The Office for Students may also share the fact you are studying with a new provider with your previous provider.

For these purposes your HESA Information may be held separately by the OfS (in addition to being held within datasets for Purpose 1) and retained for as long as necessary for the purposes of detection or prosecution of fraud and any associated legal or audit purposes.

Legal basis for processing your information for Purpose 3
Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Part of Jisc’s role is to produce and publish information about higher education in the public interest. This includes Official and National Statistics publications (https://uksa.statisticsauthority.gov.uk/about-the-authority/uk-statistical-system/types-of-official-statistics/) and online business intelligence and research services.

When producing this material for publication, Jisc applies a disclosure control, the HESA Standard Rounding Methodology, to ensure that no Personal Data is included and that individuals cannot be identified from published  material.

Legal basis for processing your information for Purpose 4

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Jisc and the other Controllers (see Purposes 1 & 2) may also supply information to third parties where there is a legitimate interest in doing so for statistical and research purposes. Examples of use for this purpose include:

  • Provision of information to students and prospective students
  • Equal opportunities monitoring
  • Research - This may be academic research, commercial research or other statistical research where this is in the public interest
  • Journalism - Where the relevant publication would be in the public interest e.g. league tables
  • Creation and operation of analysis tools, for example, Heidi Plus

Users to whom information may be supplied for Purpose 5 include:

  • Higher education sector bodies
  • Higher education providers
  • Academic researchers and students
  • Commercial organisations (e.g. recruitment firms, housing providers, graduate employers)
  • Unions
  • Non-governmental organisations and charities
  • Local, regional and national government bodies
  • Journalists

Information supplied by Jisc to third parties within Purpose 5 is supplied under contracts which require that individuals shall not be identified from the supplied information, and this means that they also cannot use it to make decisions about you.

A copy of Jisc’s current agreement for the supply of tailored information is available at www.hesa.ac.uk/services/custom/data/timescales-costs. Each agreement specifies the duration for which data may be processed. This is usually one year but may be longer, if necessary, for the specific research purpose. Each request for HESA Information under Purpose 5 is assessed for its compliance with data protection legislation and its compatibility with this collection notice. Jisc ensures that only the minimum amount of HESA Information necessary for the specified research purpose is supplied to users. If the supplied information is to be published the HESA Rounding Methodology or an equivalent disclosure control must be applied to ensure that individuals cannot be identified from the published material. This means that the rounded data does not constitute Personal Data.

A copy of Jisc’s current agreement for access to Heidi Plus is available here. Each agreement specifies the purpose for which the data may be processed.

DfE Data Sharing Service

If you are a student at a provider in England, HESA Information may be linked to school and/or further education college information and supplied or linked to researchers' data through the Office for National Statistics Secure Research Service ('ONS SRS'). In some cases, HESA Information may be shared with researchers directly following this linking activity. This onward sharing to researchers is provided by the DfE Data Sharing Service. DfE are the Controller of the data processed as part of the provision of this service. Copies of the ‘Agreement for the Supply of Linked Data’ and of the ‘Agreement for Making Linked Data available in ONS SRS’ can be requested from [email protected].

DfE Longitudinal Education Outcomes (LEO)

Your HESA Information may be linked to school, college, employment, tax and benefits data by the DfE and may be supplied to researchers by the DfE through the Office for National Statistics Secure Research Service. More information is available from https://www.gov.uk/government/publications/longitudinal-education-outcomes-study-how-we-use-and-share-data.

Other Controllers (listed under Purpose 1 above) may also process data for this purpose where this is necessary to fulfil their public functions.

Legal basis for processing your information for Purpose 5

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing may also be necessary for the purposes of the legitimate interests of Jisc in disseminating higher education information, or the legitimate interests of third parties in undertaking research in the field of higher education (See GDPR Article 6(1)(f)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

The GMC is a body with statutory responsibilities for the education, training, and regulation of medical practitioners in the UK. These responsibilities are set out in the Medical Act 1983.

The GMC will use data for the purposes of:

  • Promoting, maintaining and improving high standards of medical education and training in the UK.
  • Undertaking research that will allow the GMC to co-ordinate policy across all stages of medical education, including selection to medical school, undergraduate education, postgraduate education, and medical practice. This research is only possible with high quality measures of school performance. More information about how GMC use your data in research projects can be found here: https://www.ukmed.ac.uk/faq#for_doctors_and_medical_students.
  • The GMC will not use the data collected by Jisc to make decisions about individual students or doctors.

Legal basis for processing your information for Purpose 6

Legal basis for processing your information for Purpose 6 is determined by GMC as Controller. More information about how the GMC uses personal data, and its lawful basis for doing so, can be found here https://www.gmc-uk.org/privacy-and-cookies.

Sometimes an HE provider’s circumstances change so that it isn’t compulsory for it to submit student data to Jisc. In this case, the HE provider and Jisc (following consultation with relevant Statutory Customers) might agree to continue to allow the return of data by the provider for their students where this is considered to be in the public interest. Should the status of the provider change so that it becomes compulsory to submit student data to Jisc, this will be collected under Purpose 1.

Legal basis for processing your information for Purpose 7

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (see GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Jisc processes your HESA Information as part of a larger statistical dataset for the above purposes to:

  • Create derived fields to enrich data utility and insights of Jisc data.
  • Contextualise the use of Jisc data.
  • Research and understand progression through higher education. This may include linking to survey responses provided in the future as part of the Graduate Outcomes survey: https://www.graduateoutcomes.ac.uk/ and to other datasets for example college data.
  • Quality assure data and to remove anomalies and improve data accuracy. This may include processing personal data in the context of providing bespoke training to higher education providers to provide analysis and improve data quality.
  • Research into data quality and the sector’s reliance on time series data.
  • Check it against information submitted to UCAS to improve data accuracy.
  • Check it against information submitted to National Student Survey (NSS) to improve data accuracy.
  • To review how changes and improvements can be made to Jisc’s processing including systems and software and the implications that this would have on the data it produces.

Legal basis for processing your information for Purpose 8

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

As indicated above, where Jisc and organisations covered by Purposes 1 & 2 use HESA Information this may include linking named or pseudonymised HESA Information to other information for research and data validation purposes. Examples include linking to:

  • National Student Survey data – to place the results of this survey in context.
  • School and Further Education data – to research progression to higher education.
  • Student Loans Company data – to research the use of student finance and to create/validate fields relating to socioeconomic disadvantage.
  • Student Awards Agency Scotland data - The creation/validity of data fields relating to socioeconomic disadvantage.
  • Qualification awarding bodies data – to research the value and outcomes of qualifications.
  • Employment, tax, and benefits data – to research the earnings of graduates and to better understand the outcomes of education (Guidance on the use of HESA records matched to tax, benefits and employment data is available at: www.gov.uk/government/publications/longitudinal-education-outcomes-study-how-we- use-and-share-data).
  • UCAS data – to understand entry rates to higher education.
  • UCAS and Higher Education Career Services Unit (HECSU) data – to deliver an information service to support students and prospective students make informed and effective study and career choices.

Medical students - If you are a medical student your HESA Information may be included in the UKMED research database (www.ukmed.ac.uk). The General Medical Council is the Controller for this database used for researching doctors’ progression through their education and training.

Widening Participation Programmes - If you have participated in programmes designed to widen participation in higher education, your HESA Information may be linked to data held by these programmes for research purposes. This may include Higher Education Access Tracker (HEAT), East Midlands Widening Participation Research and Evaluation Partnership (EMWPREP) and Aimhigher West Midlands (AHWM).

Destinations information for schools and colleges – If you attended a school or college in England or Wales linked data may be disclosed by organisations covered by Purposes 1 & 2 to the last school or college you attended (or its successor body) and to Ofsted or Estyn in the exercise of their official authority to enable them to assess the outcomes of secondary education.

Where Jisc provides information from your HESA Information to third parties under Purpose 5, the permitted processing of the information by a third party may include linking HESA Information to other information held by the third party. Permission is considered on a case-by-case basis. It is only given where the linking is for the purposes outlined in Purpose 5 and subject to the requirement not to carry out linking to identify individuals.

If you are on an ITT course at a higher education provider in England, Jisc will collect additional information about you and provide this to the DfE and TRA. ITT courses are those that lead to Qualified Teacher Status (QTS) or Early Years Teacher Status (EYTS).

The TRA is an executive agency of the DfE and for the purposes of the GDPR, DfE and Jisc are separate Controllers of the ITT record.

DfE will process your personal data in the exercise of its official authority, namely the funding, administration and monitoring of ITT schemes in England. DfE will use your data to establish a record on the Database of Trainee Teachers and Providers (DTTP) and register your course details and subsequent completion.

TRA will process your personal data in the exercise of its official authority, namely the award of QTS and EYTS and the maintenance of the list of teachers in England. TRA will use your data to establish a record on the database of teachers and allocate to you a teacher reference number (TRN). TRA will contact you to provide confirmation of your TRN and any subsequent award of QTS and as part of your statutory induction year.

DfE and TRA may share personal data with your provider, and where the law allows it, or there is a legal requirement for sharing to take place, its partners and contractors for this purpose and may link it to other sources of information about you. Partners include employers of teachers, teacher employment agencies, Ofsted, Capita Teachers’ Pensions and other executive agencies of the DfE.

Legal basis for processing your HESA Information for ITT purposes

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Your contact details may be passed to survey contractors to carry out the National Student Survey (NSS), other surveys of students’ views about their study, and surveys of student finances, on behalf of some of the organisations listed under Purposes 1 & 2 above.

Your provider will hold your contact details after you graduate in order for you to be contacted to complete the Graduate Outcomes survey. Your contact details will be passed to Jisc and the organisation(s) contracted by Jisc to assist it to undertake the Graduate Outcomes survey. Jisc’s contractors will only use your contact details for the survey and will delete them when the survey is closed. Jisc may hold your contact details for further Graduate Outcomes surveys or administration of the survey data where these are in the public interest. Your responses to the Graduate Outcomes survey will be made available to your provider, and your provider may choose to add additional questions to the survey for their own use.

Further privacy and data protection information will be provided if you are contacted for any of these surveys. The privacy information for Graduate Outcomes is available on the Graduate Outcomes website. You might also be contacted as part of an audit to check that a survey has been undertaken properly.

Legal basis for processing your information to conduct national surveys

Processing of your information to conduct the student and graduate surveys is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Jisc publishes a register containing information relating to the recipients to whom we disclose data for statistical purposes. The live register can be found here: https://www.hesa.ac.uk/about/regulation/data-protection/register.

You have the right to be informed about how your personal data is used. This Student collection notice is regularly reviewed to ensure that it accurately describes how your HESA Information is used. This notice may be updated from time to time, for example when new legislation is enacted, or when new policies are implemented by the public authorities listed under Purposes 1 & 2. The most up to date version can always be found at www.hesa.ac.uk/fpn.

For further information about data protection, including contact details for Jisc’s Data Protection Officer please see www.hesa.ac.uk/dataprot. If you have questions about how your HESA Information is used, please contact [email protected].

Under the GDPR you have the right of access to your personal information and the right to rectify inaccurate information; the right to erasure; restrict processing; and object to processing. These rights are limited in certain circumstances. If you think there is a problem with the way Jisc is handling your data, you have the right to complain to the Information Commissioner's Office: ico.org.uk.

Your HESA Information will only be transferred to countries whose data protection laws have been assessed as adequate, or where adequate safeguards (in almost all cases, standard data protection clauses), are in place to protect your HESA Information. To obtain a copy of these safeguards or if you have any questions about how your HESA Information is used, please contact [email protected].


Staff collection notice

NOTICE – change of Controller

On 4 October 2022 the Higher Education Statistics Agency (HESA) merged with Jisc. HESA is now part of Jisc, a not-for-profit company limited by guarantee, registered in England (company number: 05747339; charity number: 1149740).

Any personal data processed by HESA as Controller has now transferred to Jisc under the purposes set out in this collection notice and Jisc is now the Controller of this personal data. References to ‘HESA Information’ in this privacy notice means data controlled by Jisc.

Jisc is the Controller of the HESA website and of any processing described on HESA’s website, unless otherwise indicated. This means it is Jisc who determines the manner and purpose of processing.

Under UK data protection laws, we are required to provide you with certain information about who we are, how we process your personal data and for what purposes and your rights in relation to your personal data. This information is provided in this collection notice. It is important that you read this information.

Details of how to exercise your data protection rights can be found in this collection notice. If you have any queries about how your personal data is processed, please contact [email protected].

Staff_Collection_Notice.pdf

Hysbysiad_Casglu_i_Staff.pdf

Jisc is the body responsible for collecting and disseminating information about higher education in the UK and the designated data body for England (see https://www.hesa.ac.uk/about for more information). Jisc is a Controller of your information.

Reference to "your provider" refers to the higher education provider where you work. This notice relates to information about you which will be collected by your provider and passed to Jisc and to other organisations as described below.

This notice is applicable to the 2023/24 academic year. It is also applicable to data collected in previous academic years and retained by Jisc. See Categories of information submitted to Jisc, including Special Categories of data, below, for more information about the categories of data that will be collected in 2023/24 and that have been collected in previous years.

How to read this privacy notice: Most sections have key information included in the blue boxes. Please click on the '+' at the top of each blue box for more detail.

This notice sets out information about Jisc and other Controllers of your data, how and why they process your data, legal bases for this processing, and your rights under data protection legislation. This notice is regularly reviewed and updated, for example when organisations change their name, or to clarify how your information is used. Updates may be made at any time, and you will always find the most up to date version at www.hesa.ac.uk/fpn.

Throughout this privacy notice we will link to the privacy documentation of the organisations with whom we share your information.

We will hyperlink the relevant privacy notices throughout to enable you to see how each recipient organisation processes your information. To access an organisation’s privacy page, simply click on the name of the organisation within each section.

Every year your provider will send some of the information it holds about you to Jisc (“your HESA Information”). 

Your HESA Information does not contain your name or contact details but may contain your Open Researcher and Contributor ID (ORCID.org) number if you have one.

Your HESA Information is used for a variety of purposes by Jisc and by third parties as described below. Jisc may charge other organisations to whom it provides services and data. Uses of your HESA Information may include linking parts of it to other information, as described below. Information provided to Jisc is retained indefinitely for statistical research purposes. Your HESA Information will not be used to make automated decisions about you. The extent to which your HESA Information will be used for purposes 3-4 and 7 will vary.

Jisc processes information about UK and other nationals, including EU nationals. Accordingly, all uses of HESA Information must comply with the General Data Protection Regulation (including UK and EU versions) and the Data Protection Act 2018.

Data submitted to Jisc by your provider includes details about your employment contract, the work that you do and your salary. It also includes personal data, such as your date of birth and your nationality.

Information about your health, disability status, ethnicity, sexual orientation, gender reassignment or religion is classed as ‘Special Categories of data’ under the GDPR. Any special category data supplied to Jisc by your provider as part of their submission will be included in your HESA Information. This information is necessary for monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act 2010 and Section 75 of the Northern Ireland Act 1998 or equivalent subsequent legislation, or for other research purposes falling within GDPR Article 9(2)(j). This information will also be processed for statistics and statistical research where this is necessary and in the public interest.

A full list of data items that may be included in your HESA Information for the 2023/24 academic year will be available from October 2023 here: https://www.hesa.ac.uk/collection/c23025. Please note that not all data items are collected for all staff – the exact set of variables relating to you will depend on your role and contract.

If you were a staff member in a previous academic year, a full list of data items that may be included in your HESA Information can be found below. Please note that multiple academic years are likely to apply to your HESA Information depending on the length of employment.

Staff Record data items

Staff Record Finance Record (see Purpose 6)

If you need any assistance in identifying which record your HESA Information may be included in, please contact [email protected] for guidance.

Jisc shares your HESA Information with the HE funding and regulatory body(s) who request Jisc to collect it and require it to carry out their statutory and/or public functions. This data sharing is carried out in the public interest or in the exercise of official authority vested in Jisc and the funding and regulatory bodies. Jisc has been appointed as the designated data body for England under the Higher Education and Research Act 2017. The HE funding and regulatory bodies are:

Your HESA Information will be shared with these organisations as part of a large dataset which contains similar information about other people who work at higher education providers in the UK. These organisations are also Controllers of your HESA Information. This means that they make their own decisions about how to use it, and this may include publishing statistics and sharing the information with third parties, such as other government or public bodies or other organisations of the type listed elsewhere in this collection notice. However, all uses of your HESA Information will be within the purposes set out in this collection notice and covered by data sharing agreements with Jisc.

These organisations will not use the data for the purposes of identifying you as an individual or to make decisions about you. These organisations may retain HESA Information indefinitely for statistical and research purposes.

Non-academic staff at higher education providers in England and Northern Ireland

If you are a non-academic staff member at a provider in England regulated by the Office for Students or at a higher education provider in Northern Ireland then the submission of your HESA Information by your provider to Jisc is not required by the Office for Students and may not be required by the Department for Economy (NI) as part of the Staff Record. This information may be submitted by your provider on a voluntary basis in order to assist your provider in meeting its statutory reporting obligations (e.g. equality and diversity reporting, responding to FOIs) and for other legitimate interests such as benchmarking or internal reporting. If it is submitted on a voluntary basis then it may also be used for purposes 2 to 4 and 7.

Click here for more information on the categories of staff that are included in the Staff Record and the categories that will be collected on a voluntary basis.

Legal basis for processing your information for Purpose 1

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of non-academic staff information may also be necessary for the purposes of the legitimate interests pursued by the Controller or by a third party (See GDPR Article 6(1)(f)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Education statistics and data

Jisc also acts as an information hub to provide information on higher education. In England, this is undertaken outside of Jisc’s designated data body activities. Jisc shares your HESA Information with public authorities who require it to carry out their statutory and/or public functions. This data sharing is carried out in the public interest or in the exercise of official authority vested in Jisc and the public authorities. Your HESA Information will be shared with these organisations as part of a large dataset which contains similar information about other people who work at higher education providers in the UK.

These organisations are also Controllers of your HESA Information. This means that they make their own decisions about how to use it, and this may include publishing statistics and sharing the information with third parties, such as other government or public bodies or other organisations of the type listed elsewhere in this collection notice.

However, all uses that they make of your HESA Information will be within the purposes set out in this collection notice and covered by data sharing agreements with Jisc. These organisations will not use the data for the purposes of identifying you as an individual or to take decisions about you. These organisations may retain HESA Information indefinitely for statistical and research purposes, or for fixed terms depending on the terms of their data sharing agreements with Jisc or their own retention policies.

The HE funding and regulatory bodies who receive information not collected under their relevant power but need it for their functions are:

Education departments in England and the devolved administrations:

Other bodies with public functions connected to education:

and any successor bodies. Further Controllers may be added to the list from time to time – please see the online version of this notice at www.hesa.ac.uk/fpn.

Your HESA Information may also be used by other Controllers who carry out statistical and research tasks in the public interest or in the exercise of official authority that are not connected with education such as monitoring of public expenditure by the National Audit Office.

UKRI will link information about academic staff to Research Excellence Framework submissions in order to monitor equal opportunities in relation to that exercise, provide contextual information for that exercise, and gain assurance on the quality of data submitted to that exercise.

Other uses of data
Your HESA Information may also be used by some organisations who are also Controllers who carry out statistical and research tasks in the public interest or in the exercise of official authority that are not connected with education. Such uses may include the following:

The above list of organisations who may receive your HESA Information will be subject to change over time. For example, Jisc is seeking to reduce the burden on higher education providers by encouraging other organisations who currently collect information directly from higher education providers to collect and receive information through Jisc. The above list will be updated from time to time and can be found at www.hesa.ac.uk/fpn. You will need to monitor this link yourself if you wish to be aware of changes.

Legal basis for processing your information for Purpose 2

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Part of Jisc’s role is to produce and publish information about higher education in the public interest. This includes Official and National Statistics publications (https://uksa.statisticsauthority.gov.uk/about-the-authority/uk-statistical-system/types-of-official-statistics/) and online business intelligence and research services.

When producing this material for publication, Jisc applies a disclosure control, the HESA Standard Rounding Methodology, to ensure that no Personal Data is included and that individuals cannot be identified from published material.

Legal basis for processing your information for Purpose 3

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Jisc and the other Controllers (see Purposes 1 & 2) may also supply information to third parties where there is a legitimate interest in doing so for statistical and research purposes. Examples of use for this purpose include:

  • Provision of information to students and prospective students
  • Equal opportunities monitoring
  • Research - This may be academic research, commercial research or other statistical research where this is in the public interest
  • Journalism - Where the relevant publication would be in the public interest e.g. league tables
  • Creation and operation of analysis tools, for example, Heidi Plus

Users to whom information may be supplied for Purpose 4 include:

  • Higher education sector bodies
  • Higher education providers
  • Academic researchers and students
  • Commercial organisations
  • Unions
  • Non-governmental organisations and charities
  • Local, regional and national government bodies
  • Journalists

Information supplied by Jisc to third parties within Purpose 4 is supplied under contracts which require that individuals shall not be identified from the supplied information and this means that they also cannot use it to make decisions about you.

A copy of Jisc’s current agreement for the supply of tailored information is available at www.hesa.ac.uk/services/custom/data/timescales-costs. Each agreement specifies the duration for which data may be processed. This is usually one year but may be longer, if necessary, for the specific research purpose. Each request for HESA Information under Purpose 4 is assessed for its compliance with data protection legislation and its compatibility with this collection notice. Jisc ensures that only the minimum amount of HESA Information necessary for the specified research purpose is supplied to users. If the supplied information is to be published the HESA Rounding Methodology or an equivalent disclosure control must be applied to ensure that individuals cannot be identified from the published material and it does not constitute Personal Data.

A copy of Jisc’s current agreement for access to Heidi Plus is available here. Each agreement specifies the purpose for which the data may be processed.

Other Controllers (listed under Purposes 1 & 2 above) may also process data for this purpose where this is necessary to fulfil their public functions.

Legal basis for processing your information for Purpose 4 

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing may also be necessary for the purposes of the legitimate interests of Jisc in disseminating higher education information, or the legitimate interests of third parties in undertaking research in the field of higher education (See GDPR Article 6(1)(f)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

The Medical Schools Council (MSC) and Universities UK through the activities of its Dental Schools Council (DSC) use HESA Information for the purposes of:

  • Monitoring trends in clinical academic staffing as a basis for partnership between the NHS and universities.
  • Promoting, maintaining, and improving high quality education, research, and clinical practice in the UK.
  • Publishing results of research into clinical academic staffing at a detailed statistical level from which there may be a risk of identification of individuals through combinations of characteristics.

The MSC and DSC retain each year’s detailed data for one year from receipt of data from Jisc. Research results are held indefinitely for statistical and research purposes.

Legal basis for processing your information for Purpose 5

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Accounts directions from the Office for Students, the Higher Education Funding Council for Wales (or any successor body following the passing of the Tertiary Education and Research (Wales) Act 2022), the Scottish Funding Council and the Department for the Economy (NI) require higher education providers to publish the following details as part of their annual statements:

  • Head of Provider name, salary and benefits,
  • Numbers of staff paid over £100,000 per annum,
  • The number of staff paid compensation for loss of office (‘severance pay’).

This information is also collected by Jisc in the HESA Finance record for higher education providers in Wales, Scotland and Northern Ireland. For higher education providers in England this information is collected by the Office for Students and shared with Jisc who may use this information for all the purposes described in this notice.

Jisc publishes this information alongside other financial information about higher education providers as open data. The published data includes counts of staff which are not rounded or suppressed.

Data about heads of providers is personal data, and where other numbers are small for a provider these may also reveal information about individuals.

Legal basis for processing your information for Purpose 6

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Jisc processes your HESA Information as part of a larger statistical dataset for the above purposes to:

  • Create derived fields to enrich data utility and insights of HESA data.
  • Contextualise the use of HESA data.
  • Quality assure data and to remove anomalies and improve data accuracy.
  • Research into data quality and the sector’s reliance on time series data.
  • To review how changes and improvements can be made to Jisc’s processing including systems and software and the implications that this would have on the data it produces.

Legal basis for processing your information for Purpose 7

Processing of your HESA Information is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (See GDPR Article 6(1)(e)).

Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018).

Jisc publishes a register containing information relating to the recipients to whom we disclose data for statistical purposes. The live register can be found here: https://www.hesa.ac.uk/about/regulation/data-protection/register.

You have the right to be informed about how your personal data is used. This Staff collection notice is regularly reviewed to ensure that it accurately describes how your HESA Information is used. This notice may be updated from time to time, for example when new legislation is enacted, or when new policies are implemented by the public authorities listed under Purposes 1 & 2. The most up to date version can always be found at www.hesa.ac.uk/fpn.

For further information about data protection, including contact details for Jisc’s Data Protection Officer please see www.hesa.ac.uk/dataprot. If you have questions about how your HESA Information is used, please contact [email protected].

Under the GDPR you have the right of access to your personal information and the right to rectify inaccurate information; the right to erasure; restrict processing; and object to processing. These rights are limited in certain circumstances. If you think there is a problem with the way Jisc is handling your data, you have the right to complain to the Information Commissioner's Office: ico.org.uk.

Your HESA Information will only be transferred to countries whose data protection laws have been assessed as adequate, or where adequate safeguards (in almost all cases, standard data protection clauses), are in place to protect your HESA Information. To obtain a copy of these safeguards or if you have any questions about how your HESA Information is used, please contact [email protected].