Skip to main content

Collection notices

Student collection notice

HESA_Student_Collection_Notice_2017-18.pdf

Note: Reference in this notice to “we” and “us” refers to the Higher Education Statistics Agency Limited (www.hesa.ac.uk/about) and its wholly-owned subsidiary company HESA Services Limited. HESA is the official body responsible for collecting and disseminating information about higher education in the UK. Both HESA and HESA Services Ltd process personal data as ‘Data Controllers’. HESA Services Ltd also acts as a ‘Data Processor’ to do work on behalf of HESA and other organisations described in the notice below.

Reference to "your provider" refers to the higher education provider which you attend. This notice relates to information about you which will be collected by your provider and passed to HESA and to other organisations as described below.

This notice is regularly reviewed and sometimes updated, for example when organisations change their name, or to clarify how your information is used. Updates may be made at any time and you will always find the most up to date version at www.hesa.ac.uk/fpn.

The boxes below summarise the key information you need to know. Click on each box for more detail.

Submission of your information to HESA
Data about you will be supplied to HESA for the purposes set out below. All information is used in compliance with the Data Protection Act 1998, and from 25 May 2018 with the General Data Protection Regulation (GDPR).

Every year your provider will send some of the information it holds about you to HESA (“your HESA information”). HESA is the official source of data about UK universities, higher education colleges, alternative HE providers, and recognised higher education courses taught at further education institutions in Wales. HESA is a registered charity and operates on a not-for-profit basis.

Your HESA information is used for a variety of purposes by HESA and by third parties as described below. HESA may charge other organisations to whom it provides services and data. Uses of your HESA information may include linking parts of it to other information, as described below. Information provided to HESA is retained indefinitely for statistical research purposes. Your HESA information will not be used to make automated decisions about you.

All uses of HESA information must comply with the Data Protection Act 1998 (DPA): www.legislation.gov.uk/ukpga/1998/29/contents. From 25 May 2018, the DPA will be replaced by the EU General Data Protection Regulation (GDPR): eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN. All uses of HESA information will comply with the GDPR from that date onwards.

HESA is developing a new system for collecting student information called the HESA Data Platform that will go live from the 2019/20 academic year. More information about this programme of work can be found here: www.hesa.ac.uk/innovation/data-futures. If personal data about you is sent to HESA as part of any pilot of the new HESA Data Platform, it will only be used by HESA, your provider, and higher education funding and regulatory bodies to evaluate system functionality and will be deleted at the end of the Data Platform development programme in 2020.

Categories of information submitted to HESA, including special categories of data
HESA collects data about the personal characteristics of students and information about their studies and qualifications. This might include sensitive details about students’ personal lives used for equality and diversity monitoring.

Data submitted to us by your provider includes details about the course you are studying and any qualifications awarded to you during the academic year. It also includes personal details about you such as your name and date of birth, your prior qualifications, and where you lived before starting your course.

Information about your disability status, ethnicity, sexual orientation, gender reassignment or religion is classed as ‘Sensitive personal data’ under the DPA, and ‘Special categories of data’ under the GDPR. If your Provider provides this information to us it will be included in your HESA information. This information is necessary for monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act 2010. Your sensitive information will be used for research purposes and will not be used to make decisions about you.

Some other information is used to enable research into the provision of fair access to higher education, for example information as to whether you are a care leaver. If your provider is in England your HESA information may include details of any financial support you may receive from your higher education provider.

A full list of data items that may be included in your HESA information for the 2017/18 academic year can be found here: www.hesa.ac.uk/collection/c17051/. Please note that not all data items are collected for all students.

Purpose 1 – Named data used for public functions
Your HESA information is used by public authorities for their statutory and/or public functions including funding, regulation and policy-making purposes. Your information is provided by reference to your name, but your information will not be used to make decisions about you.

Education statistics and data
HESA shares your HESA information with public authorities who require it to carry out their statutory and/or public functions. This data sharing is carried out in the public interest or in the exercise of official authority vested in HESA and the public authorities. Your HESA information will be shared with these organisations as part of a large dataset which contains similar information about other people who have followed higher education courses in the UK.

These organisations are data controllers in common of your HESA information. This means that they make their own decisions about how to use it, and this may include publishing statistics and sharing the information with third parties, such as other government or public bodies or other organisations of the type listed elsewhere in this collection notice. However, all uses that they make of your HESA information will be within the purposes set out in this collection notice and covered by data sharing agreements with HESA. These organisations will not use the data for the purposes of identifying you as an individual or to take decisions about you, except as described in Purpose 2 below. These organisations may retain HESA information indefinitely for statistical and research purposes, or for fixed terms depending on the terms of their data sharing agreements with HESA.

Such organisations may include:

  • Department for Education
  • Department for Business, Energy and Industrial Strategy
  • Welsh Government
  • Scottish Government
  • Department for the Economy, Northern Ireland
  • Higher Education Funding Council for England
  • The Office for Students
  • Higher Education Funding Council for Wales
  • Scottish Further and Higher Education Funding Council
  • Research Councils
  • Education and Skills Funding Agency
  • National College for Teaching and Leadership
  • National Health Service bodies and organisations working with them e.g. Health Education England
  • General Medical Council
  • Office for Fair Access
  • Quality Assurance Agency for Higher Education
  • UCAS

and any successor bodies. Further data controllers may be added to the list from time to time – please see the online version of this notice at www.hesa.ac.uk/fpn

.

Other uses of named data
Your HESA information may also be used by some organisations who are also data controllers in common who carry out statistical and research tasks in the public interest or in the exercise of official authority that are not connected with education. Such uses may include the following:

  • Measurement of population levels and migration by the Office for National Statistics, National Records of Scotland and the Northern Ireland Statistics and Research Agency
  • Monitoring of public expenditure by the National Audit Office
  • Monitoring of the accuracy of electoral registers by Electoral Registration Officials

The above list of organisations who may receive your HESA information will be subject to change over time. For example, HESA is seeking to reduce the burden on higher education providers by encouraging other organisations who currently collect information about students direct from higher education providers to collect and receive information through HESA. The above list will be updated on the HESA website at www.hesa.ac.uk/fpn from time to time, and you will need to monitor this link yourself if you wish to be aware of changes

Legal basis for processing your information for Purpose 1
Processing of your HESA information for Purpose 1 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).
Processing of Special Categories of data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (See GDPR Article 9(2)(j))

Purpose 2 - Administrative uses
Your named data may be processed by public authorities for the detection or prosecution of fraud. These uses of your HESA information may result in decisions being made about you.

In the exercise of their official authority it may be necessary for the four UK higher education funding bodies listed in Purpose 1 to use your HESA information which is passed to them for Purpose 1 to identify you and take decisions about you as an individual for the following purposes only:

Fraud detection and prevention - Your HESA information may be used to audit claims to public funding and student finance, and to detect and prevent fraud.

Previous study - If your higher education provider is in England: The Higher Education Funding Council for England (HEFCE) may share your previous education records with this provider, including HESA information submitted by other higher education providers, to determine the nature of any prior higher education study, including your current qualifications. This may be used to make decisions about the fees you are required to pay, the support available to you or the availability of a place for you to study with a higher education provider.

For these purposes your HESA information may be held separately (in addition to being held within datasets for Purpose 1) and retained for as long as necessary for the purposes of detection or prosecution of fraud and any associated legal or audit purposes.

Legal basis for processing your information for Purpose 2
Processing of your HESA information for Purpose 2 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)).

Purpose 3 - HESA publications
HESA publishes statistics about students in higher education.

Part of HESA’s role is to produce and publish information about higher education in the public interest. This includes some National Statistics publications (www.statisticsauthority.gov.uk/national-statistician/types-of-official-statistics) and online business intelligence and research services.

When producing this material for publication, HESA applies its disclosure control, the HESA Standard Rounding Methodology, to ensure that no Personal Data is included and that individuals cannot be identified from published material.

Processing within this Purpose 3 may also be carried out by HESA Services Limited, HESA's wholly-owned subsidiary company.

Legal basis for processing your information for Purpose 3
Processing of your HESA information for Purpose 3 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).
Processing of Special Categories of personal data is necessary for statistical and research purposes in accordance with Article 89(1) based on the Equality Act 2010 (See GDPR Article 9(2)(j))

Purpose 4 - Equal opportunity, research, journalism and other processing for statistical and research purposes
HESA information is used for research into higher education and the student population. This research can be academic, commercial, journalistic or for personal reasons. HESA prohibits the identification of individual students by those carrying out this research and information is not shared on a named basis.

HESA and the other data controllers in common (see Purpose 1) may also supply information to third parties where there is a legitimate interest in doing so for statistical and research purposes. Examples of use for this purpose include:

  • Equal opportunities monitoring
  • Research - This may be academic research, commercial research or other statistical research where this is in the public interest
  • Journalism - Where the relevant publication would be in the public interest e.g. league tables
  • Provision of information to students and prospective students

Users to whom information may be supplied for Purpose 4 include:

  • Higher education sector bodies
  • Higher education providers
  • Academic researchers and students
  • Commercial organisations (e.g. recruitment firms, housing providers, graduate employers)
  • Unions
  • Non-governmental organisations and charities
  • Local, regional and national government bodies
  • Journalists

Information supplied by HESA to third parties within Purpose 4 is supplied under contracts which require that individuals shall not be identified from the supplied information and this means that they also cannot use it to take decisions about you. A copy of HESA’s current agreement for the supply of information is available at www.hesa.ac.uk/services/custom/data/timescales-costs. Each agreement specifies the duration for which data may be processed. This is usually one year but may be longer if necessary for the specific research purpose. Each request for HESA information under Purpose 4 is assessed for its compliance with data protection legislation and its compatibility with this Collection Notice. HESA ensures that only the minimum amount of HESA information necessary for the specified research purpose is supplied to users. If the supplied information is to be published HESA's Rounding Methodology or an equivalent disclosure control must be applied to ensure that individuals cannot be identified from the published material and it does not constitute Personal Data.

HESA student information may be linked to school and/or further education college information and supplied to researchers. A copy of the Agreement for the supply of linked data about pupils from schools in England is available at www.gov.uk/government/collections/national-pupil-database.

Processing within this Purpose 4 is carried out by HESA, HESA Services Limited, HESA's wholly-owned subsidiary company. Other data controllers (listed under Purpose 1 above) may also process data for this purpose where this is necessary to fulfil their public functions.

Legal basis for processing your information for Purpose 4
Processing of your HESA information for Purpose 4 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)).
Processing may also be necessary for the purposes of the legitimate interests of HESA in disseminating higher education information, or the legitimate interests of third parties in undertaking research in the field of higher education (See GDPR Article 6(1)(f)).
In either case processing of your HESA information is necessary for statistical and research purposes in accordance with GDPR Article 89(1).
Processing of Special Categories of personal data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (See GDPR Article 9(2)(j))

Linking of your HESA information to other information
HESA information is sometimes linked to other data sources to enable more detailed research and analysis.

As indicated above, where HESA and organisations covered by Purpose 1 use HESA information this may include linking named or pseudonymised HESA information to other information for research purposes. Examples include linking to:

  • UCAS data – to understand entry rates to higher education
  • National Student Survey data – to place the results of this survey in context
  • School and Further Education data – to research progression to higher education
  • Student Loans Company data – to research the use of student finance
  • Qualification Awarding Bodies data – to research the value and outcomes of qualifications
  • Tax, Benefits, and Employment data – to research the salaries of graduates and to better understand the outcomes of education (Guidance on the use of HESA records matched to Tax, Benefits and Employment data is available at: www.gov.uk/government/publications/longitudinal-education-outcomes-study-how-we-use-and-share-data)
  • If you are a medical student your HESA information may be included in the UKMED research database (www.ukmed.ac.uk). The General Medical Council is the data controller for this database used for researching doctors’ progression through their education and training.

Where HESA provides information from your HESA information to third parties under Purpose 4, the permitted uses of the information by a third party may include linking HESA information to other information held by the third party. Permission for such use is considered on a case by case basis. It is only given where the linking is for the purposes outlined in Purpose 4 and subject to the requirement not to carry out linking to identify individuals.

Destinations information for schools and colleges – If you attended a school or college in England or Wales linked data may be disclosed to the last school or college you attended (or its successor body) and to Ofsted or Estyn in the exercise of their official authority to enable them to assess the outcomes of secondary education.

 

The HESA Initial Teacher Training record (“ITT”)
Information about teacher training students in England is submitted to the National College of Teaching and Leadership via HESA.

If you are on an ITT course at a higher education provider in England, HESA will collect additional information about you and provide this to The National College for Teaching and Leadership (NCTL). ITT courses are those that lead to Qualified Teacher Status (QTS).

NCTL is an executive agency of the Department for Education (DfE) and for the purposes of the Data Protection Act 1998 and the GDPR DfE and HESA are data controllers in common of the ITT record. NCTL will process your personal data in the exercise of its official authority, namely the award of qualified teacher status (QTS) and the funding, administration and monitoring of initial teacher training schemes, including the allocation of teacher reference numbers (TRNs). NCTL will contact you to provide confirmation of your TRN and any subsequent award of QTS.

NCTL may share personal data with your provider, and where the law allows it or there is a legal requirement for sharing to take place, its partners and contractors, including employers of teachers, teacher employment agencies, Ofsted, Capita Teachers’ Pensions and the Department for Education (DfE) and its Executive Agencies, for this purpose and may link it to other sources of information about you.

Student and leaver surveys
You may be asked to provide information about your experience as a student and your activities after you graduate as part of national surveys.

Your contact details may be passed to survey contractors to carry out the National Student Survey (NSS), other surveys of students’ views about their study, and surveys of student finances, on behalf of some of the organisations listed under Purpose 1 above.

After you graduate you may be contacted and asked to complete one or more surveys into the outcomes of higher education and your activities after graduation. These surveys are used to create statistics to meet the public interest in the outcomes of higher education. Information from third parties (such as your parent, or your provider if you’re in further study) might be used to complete sections of the surveys if you can’t be contacted. The surveys may be undertaken by your provider or by an organisation contracted for that purpose. Your provider will hold your contact details after you graduate in order for you to be contacted to complete a graduate outcomes survey.

Your contact details may be passed to HESA and/or an organisation contracted to undertake a graduate outcomes survey. The survey contractor will only use your contact details for the survey and will delete them when the survey is closed. HESA may hold your contact details for further graduate outcomes surveys where these are in the public interest.

Your responses to the survey of graduate outcomes will be made available to your provider, and your provider may choose to add additional questions to the survey for their own use.

Further privacy and data protection information will be provided if you are contacted for any of these surveys. You might also be contacted as part of an audit to check that the survey has been undertaken properly.

Legal basis for processing your information to conduct national surveys
Processing of your information to conduct the student and graduate surveys is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).

Your rights
Data protection legislation gives you rights over your personal data. These include rights to know what information is processed about you and how it is processed. These rights have to be met by HESA and any other organisation which takes decisions about how or why your information is processed.

You have the right to be informed about how your personal data is used. This Student Collection Notice is regularly reviewed to ensure that it accurately describes how your HESA information is used. This notice may be updated from time to time, for example when new legislation is enacted, or when new policies are implemented by the public authorities listed under Purpose 1. The most up to date version can always be found at www.hesa.ac.uk/fpn.

For further information about data protection and HESA’s data protection officer please see www.hesa.ac.uk/dataprot. If you have questions about how your HESA information is used, please contact [email protected].

Under the Data Protection Act 1998 you have rights of access to the information HESA holds about you. You will have to pay a small fee for this. If you think there is a problem with the way HESA are handling your data, you have the right to complain to the Information Commissioner's Office: ico.org.uk.

Under the General Data Protection Regulation you will have the right of access to your personal information. You will also have additional rights i.e. the right to rectify inaccurate information; restrict processing; and object to processing. These rights are limited in certain circumstances by the GDPR, and may be limited further by future UK legislation where data is only processed for research or statistical purposes.

Data transfers to other countries
Your HESA information may be transferred to countries outside the European Union for the purposes described above.

Your HESA information will only be transferred to countries whose data protection laws have been assessed as adequate by the European Commission, or where adequate safeguards, such as the EU-US Privacy Shield, are in place to protect your HESA information. European Commission decisions on the adequacy of the protection of personal data in third countries are published here: ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.

 


 

Staff collection notice

Note: Reference in this notice to “we” and “us” refers to the Higher Education Statistics Agency Limited (www.hesa.ac.uk/about) and its wholly-owned subsidiary company HESA Services Limited. HESA is the official body responsible for collecting and disseminating information about higher education in the UK. Both HESA and HESA Services Ltd process personal data as ‘Data Controllers’. HESA Services Ltd also acts as a ‘Data Processor’ to do work on behalf of HESA and other organisations described in the notice below.

Reference to "your provider" refers to the higher education provider where you work. This notice relates to information about you which will be collected by your provider and passed to HESA and to other organisations as described below.

This notice is regularly reviewed and sometimes updated, for example when organisations change their name, or to clarify how your information is used. Updates may be made at any time and you will always find the most up to date version at www.hesa.ac.uk/fpn.

Submission of your information to HESA
Data about you will be supplied to HESA for the purposes set out below. This data does not include your name and is not intended to be used to make decisions about you. All information is used in compliance with the Data Protection Act 1998, and from 25 May 2018 with the General Data Protection Regulation (GDPR).

Every year your provider will send some of the information it holds about you to HESA (“your HESA information”). HESA is the official source of data about UK universities, higher education colleges, alternative HE providers, and recognised higher education courses taught at further education institutions in Wales. HESA is a registered charity and operates on a not-for-profit basis.

Your HESA information does not contain your name or contact details, but may contain your Open Researcher and Contributor ID (ORCID.org) number if you have one

Your HESA information is used for a variety of purposes by HESA and by third parties as described below. HESA may charge other organisations to whom it provides services and data. Uses of your HESA information may include linking parts of it to other information, as described below. Information provided to HESA is retained indefinitely for statistical research purposes. Your HESA information will not be used to make automated decisions about you.

All uses of HESA information must comply with the Data Protection Act 1998 (DPA): www.legislation.gov.uk/ukpga/1998/29/contents. From 25 May 2018, the DPA will be replaced by the EU General Data Protection Regulation (GDPR): eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN. All uses of HESA information will comply with the GDPR from that date onwards.

Categories of information submitted to HESA, including special categories of data
HESA collects data about the personal characteristics of staff and governors at higher education providers and information about their jobs and contracts. This might include sensitive details about staff members’ and governors’ personal lives used for equality and diversity monitoring.

Data submitted to us by your provider includes details about your employment contract, the work that you do and your salary. It also includes personal details about you such as your date of birth and your nationality.

Information about your disability status, ethnicity, sexual orientation, gender reassignment or religion is classed as ‘Sensitive personal data’ under the DPA, and ‘Special categories of data’ under the GDPR. If your Provider provides this information to us it will be included in your HESA information. This information is necessary for monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act 2010. Your sensitive information will be used for research purposes and will not be used to make decisions about you.

A full list of data items that may be included in your HESA information for the 2017/18 academic year will be available from October 2017 here: www.hesa.ac.uk/collection/c17025/. Please note that not all data items are collected for all staff – the exact set of variables relating to you will depend on your role and contract.

Purpose 1 – Individual level data used for public functions
Your HESA information is used by public authorities for their statutory and/or public functions including funding, regulation and policy-making purposes. Your information will not be used to make decisions about you.

Education statistics and data HESA shares your HESA information with public authorities who require it to carry out their statutory and/or public functions. This data sharing is carried out in the public interest or in the exercise of official authority vested in HESA and the public authorities. Your HESA information will be shared with these organisations as part of a large dataset which contains similar information about other people who work at higher education providers in the UK.

These organisations are data controllers in common of your HESA information. This means that they make their own decisions about how to use it, and this may include publishing statistics and sharing the information with third parties, such as other government or public bodies or other organisations of the type listed elsewhere in this collection notice. However, all uses that they make of your HESA information will be within the purposes set out in this collection notice and covered by data sharing agreements with HESA. These organisations will not use the data for the purposes of identifying you as an individual or to take decisions about you. These organisations may retain HESA information indefinitely for statistical and research purposes, or for fixed terms depending on the terms of their data sharing agreements with HESA.

Such organisations may include:

  • Department for Education
  • Department for Business, Energy and Industrial Strategy
  • Welsh Government
  • Scottish Government
  • Department for the Economy, Northern Ireland
  • Higher Education Funding Council for England
  • The Office for Students
  • Higher Education Funding Council for Wales
  • Scottish Further and Higher Education Funding Council
  • Research Councils
  • National Health Service bodies and organisations working with them e.g. Health Education England
  • Medical Schools Council
  • Quality Assurance Agency for Higher Education

and any successor bodies. Further data controllers may be added to the list from time to time – please see the online version of this notice at www.hesa.ac.uk/fpn.

Your HESA information may also be used by some organisations who are also data controllers in common who carry out statistical and research tasks in the public interest or in the exercise of official authority that are not connected with education such as monitoring of public expenditure by the National Audit Office.

HEFCE will link information about academic staff to Research Excellence Framework submissions in order to monitor equal opportunities in relation to that exercise.

The above list of organisations who may receive your HESA information will be subject to change over time. For example, HESA is seeking to reduce the burden on higher education providers by encouraging other organisations who currently collect information directly from higher education providers to collect and receive information through HESA. The above list will be updated on the HESA website at www.hesa.ac.uk/fpn from time to time, and you will need to monitor this link yourself if you wish to be aware of changes.

Legal basis for processing your information for Purpose 1
Processing of your HESA information for Purpose 1 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).

Processing of Special Categories of data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (See GDPR Article 9(2)(j))

Purpose 2 - HESA publications
HESA publishes statistics about staff in higher education.

Part of HESA’s role is to produce and publish information about higher education in the public interest. This includes some National Statistics publications (www.statisticsauthority.gov.uk/national-statistician/types-of-official-statistics) and online business intelligence and research services.

When producing this material for publication, HESA applies its disclosure control, the HESA Standard Rounding Methodology, to ensure that no Personal Data is included and that individuals cannot be identified from published material.

Processing within this Purpose 2 may also be carried out by HESA Services Limited, HESA's wholly-owned subsidiary company.

Legal basis for processing your information for Purpose 2
Processing of your HESA information for Purpose 2 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).

Processing of Special Categories of personal data is necessary for statistical and research purposes in accordance with Article 89(1) based on the Equality Act 2010 (See GDPR Article 9(2)(j))

Purpose 3 - Equal opportunity, research, journalism and other processing for statistical and research purposes
HESA information is used for research into higher education and the staff population. This research can be academic, commercial, journalistic or for personal reasons. HESA prohibits the identification of individual staff members by those carrying out this research.

HESA and the other data controllers in common (see Purpose 1) may also supply information to third parties where there is a legitimate interest in doing so for statistical and research purposes. Examples of use for this purpose include:

  • Equal opportunities monitoring
  • Research - This may be academic research, commercial research or other statistical research where this is in the public interest
  • Journalism - Where the relevant publication would be in the public interest e.g. league tables
  • Provision of information to students and prospective students

Users to whom information may be supplied for Purpose 3 include:

  • Higher education sector bodies
  • Higher education providers
  • Academic researchers and students
  • Commercial organisations
  • Unions
  • Non-governmental organisations and charities
  • Local, regional and national government bodies
  • Journalists

Information supplied by HESA to third parties within Purpose 3 is supplied under contracts which require that individuals shall not be identified from the supplied information and this means that they also cannot use it to take decisions about you. A copy of HESA’s current agreement for the supply of information is available at www.hesa.ac.uk/services/custom/data/timescales-costs. Each agreement specifies the duration for which data may be processed. This is usually one year but may be longer if necessary for the specific research purpose. Each request for HESA information under Purpose 3 is assessed for its compliance with data protection legislation and its compatibility with this Collection Notice. HESA ensures that only the minimum amount of HESA information necessary for the specified research purpose is supplied to users. If the supplied information is to be published HESA's Rounding Methodology or an equivalent disclosure control must be applied to ensure that individuals cannot be identified from the published material and it does not constitute Personal Data.

Processing within this Purpose 3 is carried out by HESA and HESA Services Limited, HESA's wholly-owned subsidiary company. Other data controllers (listed under Purpose 1 above) may also process data for this purpose where this is necessary to fulfil their public functions.

Legal basis for processing your information for Purpose 3
Processing of your HESA information for Purpose 3 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)).

Processing may also be necessary for the purposes of the legitimate interests of HESA in disseminating higher education information, or the legitimate interests of third parties in undertaking research in the field of higher education (See GDPR Article 6(1)(f)).

In either case processing of your HESA information is necessary for statistical and research purposes in accordance with GDPR Article 89(1).

Processing of Special Categories of personal data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (See GDPR Article 9(2)(j))

Purpose 4 - Clinical academic staff and health professionals only
If you work in a clinical or health-related role or department the Medical Schools Council may use your HESA information for additional purposes.

The Medical Schools Council (MSC) and Universities UK through the activities of its Dental Schools Council (DSC) use HESA staff data for the purposes of:

  • Monitoring trends in clinical academic staffing as a basis for partnership between the NHS and universities.
  • Promoting, maintaining and improving high quality education, research and clinical practice in the UK.
  • Publishing results of research into clinical academic staffing at a detailed statistical level from which there may be a risk of identification of individuals through combinations of characteristics.

The MSC and DSC retain each year’s detailed data for one year from receipt of data from HESA. Research results are held indefinitely for statistical and research purposes.

Legal basis for processing your information for Purpose 4
Processing of your HESA information for Purpose 4 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).

Processing of Special Categories of data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (See GDPR Article 9(2)(j))

Your rights
Data protection legislation gives you rights over your personal data. These include rights to know what information is processed about you and how it is processed. These rights have to be met by HESA and any other organisation which takes decisions about how or why your information is processed.

You have the right to be informed about how your personal data is used. This HESA Staff Collection Notice is regularly reviewed to ensure that it accurately describes how your HESA information is used. This notice may be updated from time to time, for example when new legislation is enacted, or when new policies are implemented by the public authorities listed under Purpose 1. The most up to date version can always be found at www.hesa.ac.uk/fpn.

For further information about data protection and HESA’s data protection officer please see www.hesa.ac.uk/dataprot. If you have questions about how your HESA information is used, please contact [email protected].

Under the Data Protection Act 1998 you have rights of access to the information HESA holds about you. You will have to pay a small fee for this. If you think there is a problem with the way HESA are handling your data, you have the right to complain to the Information Commissioner's Office: ico.org.uk/.

Under the General Data Protection Regulation you will have the right of access to your personal information. You will also have additional rights i.e. the right to rectify inaccurate information; restrict processing; and object to processing. These rights are limited in certain circumstances by the GDPR, and may be limited further by future UK legislation where data is only processed for research or statistical purposes.

Data transfers to other countries
Your HESA information may be transferred to countries outside the European Union for the purposes described above.

Your HESA information will only be transferred to countries whose data protection laws have been assessed as adequate by the European Commission, or where adequate safeguards, such as the EU-US Privacy Shield, are in place to protect your HESA information. European Commission decisions on the adequacy of the protection of personal data in third countries are published here: ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm