HEI Subscription Agreement FAQ Guidance Note
We have produced this guidance note to provide answers and reassurance in response to questions that we have been asked in relation to the transitional Subscription Agreement for submitting data to HESA as an HEI Full Subscriber. A new longer-term Subscription Agreement is being developed to take effect from 1 August 2019 and it is HESA’s intention to run a consultation with its subscribers on the terms of the new agreement next year.
Clause 4.5 states that interest is chargeable on the amount of any overdue invoice at the rate of 5% per annum over Barclays Bank base rate.
This is not new. As there was no previous express interest clause between HESA and its HEI Subscribers, the Late Payment of Commercial Debts (Interest) Act 1998 added an implied term giving at least 8% a year interest on the price of goods or services, plus a fixed sum and reasonable costs of recovering the debt. This Clause therefore introduces a decrease in the rate of interest payable by HEI Subscribers.
Whilst HESA has experienced HEI Subscribers making significantly late payments to date, we have never exercised this right to apply interest. However, we have retained such a clause to encourage prompt payment.
The timescales for notification in Clause 9 are reciprocal obligations, with which HESA also has to comply, and have been included to enable both parties to meet their statutory duties, in particular to respond promptly to statutory deadlines. The timescales give both parties the ability to assess the situation and determine whether any steps need to be taken (including mitigating actions) or whether it is a reportable breach scenario.
Please note that this obligation is limited in so far as it relates to the provision of data by the HEI Subscriber under the Agreement or the processing of such data by HESA.
An HEI Subscriber will be a Controller in its own right, and guidance produced by both the ICO and the Article 29 Working Party advises that the GDPR requires a Controller to implement all appropriate technical protection and organisational measures to establish immediately whether a breach has taken place. Where required, a Controller will have to promptly inform the supervisory authority and the data subjects. This puts an obligation on the Controller to ensure that it will be “aware” of any breaches in a timely manner so that it can take appropriate action.
If circumstances were to arise as detailed in this Clause, we would of course seek to work constructively on a case by case basis with the relevant HEI Subscriber. For the avoidance of doubt, HESA would not normally expect to be notified of requests from data subjects to our HEI Subscribers. Notification would only be expected where either party needs the help of the other party in order to respond within the relevant deadline.
Notwithstanding the above we will review this clause as part of the preparation of the longer-term agreement.
To maintain the integrity of the HESA database, intellectual property rights in all of the submissions are assigned to HESA to ensure there is a single point of ownership. HESA, as creator of the database, will automatically own the intellectual property rights in the format of the database itself. To ensure HESA is able to operate the database effectively, in light of the number of submissions from HEI Subscribers, HESA needs ownership of the data submissions. The intellectual property rights in the data submissions are then licensed back to each HEI Subscriber on sufficiently broad terms to enable it to use the data as it requires.
HESA and its HEI Subscribers have a Controller to Controller relationship. Controllers are individually responsible for their own activities. However, under this arrangement, HEI Subscribers are required to submit data to HESA by their Primary Regulatory Body and HESA does not have a direct relationship with Data Subjects. HESA therefore has to rely on assurances given by its HEI Subscribers in undertaking its activities as Controller, for example HEI Subscribers making available the HESA Collection Notices/fair processing notices. This is why HESA requires an indemnity from its HEI Subscribers.
The indemnity in Clause 9.17 is limited to only £50,000. This is particularly low when you consider the potential losses which HESA could suffer under the new penalty regime of the General Data Protection Regulation ("GDPR") and is significantly lower than the indemnity level recommended by HESA’s external lawyers. We have tried to draft the Agreement in a fair and balanced way; this is the same indemnity level that we have included in other Agreements with which most HEI Subscribers are familiar, and it reflects the trusting relationship we have with our HEI Subscribers.
Please note that the cap in Clause 9.17 is intended to be in aggregate. This means that this is a total cap for the duration of the Agreement.
This specific indemnity was included for circumstances where HESA could end up spending a lot of money trying to rectify a potential breach of the data protection legislation. As stated above, because HESA does not have a direct relationship with Data Subjects it relies on assurances given by its HEI Subscribers in undertaking its activities as Controller. A situation could therefore arise where there is no "evidence" that the data protection legislation has actually been breached, but HESA, being a small sector-controlled charity, could end up being out of pocket. For example, an HEI Subscriber may have made available inadequate fair processing notices to data subjects, which do not permit HESA to undertake its activities as a Controller, and HESA is required to take actions to rectify the situation.
Please note that this indemnity is limited in two crucial ways. Firstly, it is subject to "HESA having reasonable grounds" and secondly, it is subject to the cap of £50,000 explained in our answer to question 4.
As you may be aware, we are a sector-controlled charity and we have therefore taken steps to protect ourselves by limiting our liability. These are HESA's standard liability provisions. HESA does not exclude or limit liability to the HEI Subscriber for:
- death or personal injury caused by negligence;
- a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
- any matter for which it would be unlawful for the parties to exclude liability.
The purpose of this agreement is to enable HESA and its HEI Subscribers to demonstrate compliance and to mitigate the risk of non-compliance with the General Data Protection Regulation, but to also reflect the existing relationship between HESA and its HEI Subscribers.
Clause 4.8.3 states that the HEI Subscriber shall ensure that the Provider Data Submission contains only data which is true and correct. Data shall be regarded as breaching this obligation if it is inaccurate or otherwise than a true reflection of the factual position and not compiled in accordance with the definition of the relevant data fields and the coverage as specified in the HESA Operational Documentation.
Quality assurance has always been a key aspect of the HESA collection process and the HESA Sign Off Forms signed at the end of a collection by the Accountable Officer/Head of Provider already require confirmation and assurance to be provided that the data submitted has been verified and is correct.
The accuracy principle set out in Article 5(d) of the GDPR requires that Personal Data shall be accurate. An HEI Subscriber is a Controller in its own right, so it must take steps to ensure and demonstrate compliance with this principle regardless of its relationship with HESA, and this includes taking steps to ensure accuracy. Article 5(d) imposes the following obligation on a Controller: “every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”.
The GDPR does not distinguish between Personal Data that a Controller creates and Personal Data that someone else provides. Therefore, HESA is reliant on its HEI Subscribers to discharge their legal obligations as HESA does not have a direct relationship with data subjects and relies on assurances given by its HEI Subscribers in undertaking HESA’s activities as Controller. HESA must therefore take steps to ensure the accuracy of the information it is receiving. Furthermore, depending on the nature of the data error, HESA may be held to account by a Statutory Customer for inaccuracies in the data it provides to them.
Notwithstanding the above, HESA and its HEI Subscribers have a trusting and constructive relationship. If a situation were to arise where an inaccuracy was discovered, we would of course treat any breach on a case by case basis and seek to work constructively with the relevant HEI Subscriber. As you may be aware, the current practice is as follows: where an HEI Subscriber has acted in accordance with the Supply Side Code of Practice for Higher Education Data Collections but made a genuine mistake, and the HEI Subscriber and the Primary Regulator (i.e. their relevant regulatory/funding body) agree that the data needs to be amended, HESA operates the Fixed Database, which is referred to at clauses 15.5.2 and 15.5.3 of the Agreement, to enable the HEI Subscriber to make a Fixed Database Submission to replace the Provider Data Submission. We have also included a similar amendment mechanism in the Data Futures Programme. In addition, HESA has a Rectification Policy to respond to requests by data subjects for their data to be amended.
The Provider Data Submission processed by HESA is stored both on our premises and in a private cloud environment. The cloud environment, its designated failover site, and our disaster recovery capabilities are all situated within the EEA.
Clause 9.19 was added on the advice of our external legal advisers and we confirm that we will review this clause as part of our preparation of the new long-term agreement.
The clause was added to restate the requirements which both HESA and its HEI Subscribers are separately required to comply with under Article 30 of the GDPR. The key issue that we were seeking to cover off/evidence by this clause is that, if necessary, we can obtain assurance that the relevant HESA collection notice has been made available to data subjects.
Clause 9.5 states that in order for the processing described in clause 9.4 to comply with Article 5 of the GDPR it must be fair and lawful and at least one of the conditions in both Article 6 and Article 9 must be met. The conditions listed were not intended to be exclusive and we apologise that, in error, Article 6(1)(c) legal obligation was omitted from the list of potential legal grounds for processing Personal Data. For the avoidance of doubt, we accept that it is for each Data Controller to determine the appropriate legal basis for processing, and that the ground selected by the Controller will depend on the identity of the Controller, the nature of the data and the relevant facts surrounding the proposed processing.