Skip to main content

Statistical confidentiality policy

Principle T6 of the Code of Practice for Statistics states that organisations publishing Official Statistics should look after people’s information securely and manage data in ways that are consistent with relevant legislation and serve the public good. 
Read the full Code of Practice


The Higher Education Statistics Agency (HESA) is committed to preserving the confidentiality of the data it collects, processes and disseminates. HESA complies with data protection and privacy legislation, and Principle T6 of the Code of Practice for Statistics, and works to maintain the trust and cooperation of those individuals who supply information for onward transmission to HESA.

Arrangements for preserving confidentiality are as follows:

ISO 27001 accreditation

HESA is accredited under the ISO 27001 Information Security standard. A suite of Information Security Policies is issued to HESA staff covering a wide range of areas from information handling through use, development and maintenance of IT infrastructure to mobile computing and cryptography. Adherence to these policies is subject to a regular internal and external audit programme.

HESA Staff

All HESA staff receive appropriate training and guidance in the protection of personal information encountered during the course of their work. This training is updated every two years.

A Data Protection Policy is published on the staff intranet which details the obligations of staff in this respect. A confidentiality statement is included within the employment  handbook, to which all staff must agree compliance as part of their contract of employment.

HESA employs a qualified Data Protection Officer who monitors compliance with Data Protection Policy on a day-to-day basis.

All staff are issued with lists of ISO 27001 policies that relate to their work and are required to confirm in writing that they have read and understood the requirements placed upon them.


All personal data used for statistical purposes is held on secure computer systems which are subject to stringent physical and electronic access control mechanisms. Staff access to personal data is only granted to those staff who require access for the execution of their duties. Access to personal identifiers such as names of data subjects is subject to further access restrictions and is only provided to a named subset of data analysts who require access for specific purposes. The list of staff with access to personally identifiable data is reviewed regularly. 

All data transfers are made electronically using secure transfer mechanisms which use encrypted channels and may require password and/or PIN code submission. Physical transfer media such as CD, memory sticks etc. are not used to transfer personal data.

All external organisations or individuals receiving statistical data, at a level of detail at which there is risk to confidentiality of individuals, are placed under legal contracts which stipulate confidentiality requirements.

Data subjects are issued with notices which explain why data are being collected and how data will be used.

Statistical disclosure control

HESA operates a strategy in published and released tabulations designed to prevent the disclosure of personal information about any individual. This strategy involves rounding all counts of students or staff to the nearest multiple of 5. Percentages based on populations of 22.5 or fewer are suppressed, as are averages based on 7 or fewer individuals.