Privacy information

NOTICE – change of controller

On 4 October 2022 the Higher Education Statistics Agency (HESA) merged with Jisc. HESA is now part of Jisc.

Any personal data processed by HESA as controller has now transferred to Jisc under the purposes set out in this collection notice and Jisc is now the controller of this personal data.

Jisc is the controller of the HESA website and of any processing described on HESA’s website, unless otherwise indicated. This means it is Jisc who determines the manner and purpose of processing. Please see the Controllers and contact details section of this notice below for further information about Jisc.

Under UK data protection laws, we are required to provide you with certain information about who we are, how we process your personal data and for what purposes and your rights in relation to your personal data. This information is provided in this collection notice. It is important that you read this information.

Details of how to exercise your data protection rights can be found in this collection notice. If you have any queries about how your personal data is processed, please contact [email protected].

This page describes how Jisc processes personal data, and how Jisc complies with data protection legislation in connection with the activities of its Data Collection and Statistics Directorate.

The job of the Data Collection and Statistics Directorate at Jisc is to collect, process and share data relating to higher education. Some of this data is personal data about students, graduates, and staff of higher education providers. Jisc also processes personal data in the course of its day-to-day business like any other company. If you wish to know more about Jisc’s processing activities relating to its other business functions and services, please see Jisc’s general Privacy Notice.

The sections below describe the different categories and types of personal data that Jisc processes. These include the purposes and legal basis for each type of processing, any transfers or third party recipients of personal data, and the timescales for storing and processing data. Legal basis information relates to the General Data Protection Regulation (GDPR) which came into force on 25 May 2018 (and has been retained as part of the UK’s data protection laws following its exit from the EU). More information can be found via our data protection pages.

Some sections link to other pages or documents where more detailed information can be found. The boxes below summarise the key information you need to know. Click on each box for more detail.

Controllers and contact details
Jisc is the controller for the processing described on this page unless otherwise indicated.

On this page “Jisc” (or "we" or "us") refers to Jisc, a not-for-profit company limited by guarantee, registered in England (company number: 05747339; charity number: 1149740).

Jisc is the controller for the data processing described on this page. This means it is Jisc who determines the manner and purpose of processing.

If you have any questions about Jisc and data protection please contact our Data Protection Officer:

Your rights
Data protection legislation gives you rights over your personal data. These include rights to know what information is processed about you and how it is processed.

You have the right to be informed about how your personal data is used. This Privacy Information is regularly reviewed to ensure that it accurately describes how personal data is used by Jisc. This information may be updated from time to time, for example when new legislation is enacted, or when new purposes or systems are added.

You have the right to request access to your information held by Jisc.

You have the right to request rectification of incorrect information.

You may have the right to object to some processing. If your concern relates to the Graduate Outcomes survey, please see Information for students/graduates.

To exercise your data protection rights please contact our Data Protection Officer:

You have the right to complain to the Information Commissioner’s Office – please see the ICO website.

Data transfers to other countries
Some Jisc systems use cloud data storage and your information may be transferred to countries outside the European Union.

Our CRM, payment, and booking systems use cloud data storage. By default, data is stored at data centres located in the UK or the EU. In exceptional circumstances data may be processed at data centres in the USA or elsewhere.

Emails to some generic team addresses are processed by Help Scout. These emails may be processed outside the UK and European Economic Area. Team email addresses that use Help Scout include [email protected], [email protected], [email protected] and [email protected].

When transferring your personal data outside the UK, appropriate measures are implemented to protect your personal data by:

  • Ensuring that there is an adequacy decision by the Information Commissioner’s Office in respect of the countries data is transferred to; and/or
  • Ensuring appropriate safeguards, such as the Standard Contractual Clauses, are in place and by undertaking adequate risk assessments.

Decisions on the adequacy of the protection of personal data in third countries are granted by the Secretary of State and published on the UK Government’s website.

Website privacy policy and cookies
The HESA website uses cookies and logs IP addresses.

HESA is now part of Jisc. Jisc is the controller for the HESA website and for any processing described on HESA’s website unless otherwise indicated.

Browsing the HESA website will generate a log of your IP address. The website will also save cookies to your computer. Cookies make the website work properly for users and collect anonymous web metrics - find out more about how we use cookies.

Our HESA website contains links to other websites. We are not responsible for the privacy practices or content of other sites. We encourage our visitors to be aware when they leave our website and to read the privacy policy of other sites that collect or use personal data.

This policy applies only to this website, https://www.hesa.ac.uk. This policy does not cover any other website operated by Jisc.

Legal basis:
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in providing a website that functions effectively for all users.

Students, graduates and staff of higher education providers
Jisc collects data from HE providers. Full information for data subjects is provided in the following Collection Notices.

Detailed information for students and staff can be found in the Student and Staff Collection Notices.

Information about the latest Destinations of Leavers from Higher Education (DLHE) survey can be found in the 2016/17 DLHE Collection Notice.

Information for students about the Graduate Outcomes survey (starting December 2018) can be found here: Information for students/graduates.

HE provider contacts
Jisc holds personal data about staff at HE providers to administer the data collection process, including administering Jisc subscriptions, and to ensure security of its collections and systems. Access to Jisc’s collection systems is administered through the Identity System (IDS).

If you are involved in the submission or review of 'HESA data returns' you will need an account with the Identity System (IDS). You will need to provide personal data to create an account and accept an IDS role. Each IDS role has its own specific terms of use which give further information about how Jisc uses this data.

The personal data provided to set up the account is used for administration of Jisc’s data collection and sharing process. This may include processing of your data in Jisc data collection systems (e.g. Aardvark, Issue Management System (IMS), the Data Platform, email) and sharing your information with statutory data users if this is necessary for the administration of the data collection process.

Jisc may share HE provider contact details with the appropriate primary regulatory/funder for the purpose of administering "HESA subscriptions", including sharing contact information in connection with HE provider debt.

If you are the nominated data protection contact for an HE provider, your personal data will be shared with Jisc and stored in Jisc’s CRM for the purpose of contacting relevant HE providers about data protection-related issues.

Personal data relating to a User’s interactions with Jisc systems, including the creation of activity logs, is processed for auditing, security, performance monitoring, error reporting and investigation purposes. Jisc may process your personal data to provide you with technical assistance to access Jisc’s systems.

It is the responsibility of HE providers to ensure that individuals hold appropriate IDS roles. Information about the IDS roles you have held will be retained for audit purposes.

Data held in IDS will also be stored in Jisc’s Customer relationship management (CRM) system – see CRM section below.

Graduate Outcomes case studies

If you submit case studies to Jisc for the purpose of promoting the Graduate Outcomes survey, your personal data, including name, role and business email address, will be published on HESA’s website, social media channels, at events or for training. Jisc will process the personal data of individuals contained in any case study materials, such as promotional videos or still images of individuals, under either consent or legitimate interest. Where consent is relied upon to process such personal data, Jisc relies upon a valid consent to have been obtained by the Higher Education Provider from the featured individual(s).

HESA is now part of Jisc. Jisc is the controller for the HESA website and for any processing described on HESA’s website unless otherwise indicated.

Legal basis:
GDPR Article 6(1)(a)
The data subject has given consent to the processing of his or her personal data.

GDPR Article 6(1)(e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in maintaining security of its collections, information and security monitoring of its collections and systems and performance monitoring and for the purpose of promoting the Graduate Outcomes survey.

Email lists
If you choose to sign up for emails about 'HESA' services we will send you the messages you’ve chosen until you unsubscribe. If you are an HE provider contact we may send you messages that are necessary to administer the data collection process.

We will hold your information in our Customer relationship management (CRM) system and send emails to the address you’ve specified. You can unsubscribe from an email list by clicking the ‘unsubscribe’ link at the bottom of an email.

Exception: If you hold a relevant IDS role we may send you our Weekly update email where this contains information necessary for the administration of the data collection process. The ‘unsubscribe’ link will not cancel emails that are necessary for these purposes.

Legal basis:
GDPR Article 6(1)(a)
The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
GDPR Article 6(1)(e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Jisc statutory customers
Jisc processes personal data about Statutory Customers to facilitate the collection, dissemination and publication of data from higher education providers, collaborative working, and monitoring of Jisc's systems. Access to Jisc’s collection systems is administered through the Identity System (IDS).

If you are involved in the review and delivery of data returns you will need an account with the Identity System (IDS). You will need to provide personal data to create an account and accept an IDS role. Each IDS role has its own specific terms of use which give further information about how Jisc uses this data.

The personal data provided to set up the account is used for administration of Jisc’s data collection and sharing process. This may include processing of your data in data collection systems (e.g. Aardvark, Issue Management System (IMS), the Data Platform, email) and sharing your information with other users of these systems (including higher education providers and other Statutory Customers) if this is necessary for the administration of the data collection process.

It is the responsibility of your organisation to ensure that individuals hold appropriate IDS roles. Information about the IDS roles you have held will be retained for audit purposes.

Data held in IDS will also be stored in Jisc’s Customer relationship management (CRM) system – see CRM section below.

Personal data relating to a User’s interactions with Jisc systems, including the creation of activity logs, is processed for auditing, security, performance monitoring, error reporting and investigation purposes. Jisc may process your personal data to provide you with technical assistance to access Jisc’s systems.

We may record meetings via Microsoft Teams which may include the processing of visual and audio webcam footage and opinions expressed about yourself or others. The recordings may be shared:

  • Within Jisc for the purpose of enabling minute-takers to fulfil their tasks, or to enable meeting participants or non-attendees to access a recording of a meeting.
  • With other stakeholders, including key suppliers and other Statutory Customers, for the purpose of enabling collaboration with Jisc.

The recordings may form part of Jisc’s business records.

Legal basis:
GDPR Article 6(1)(e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc's legitimate interests in maintaining information and security monitoring of its collections and systems and performance monitoring.

Processing is necessary for the purposes of Jisc's legitimate interests in facilitating collaborative working and maintaining its business records.

Enquiry forms and emails
If you enquire about Jisc services using a form or email we will process your data in order to deal with your enquiry.

We will hold your information in our Customer relationship management (CRM) system so that we can respond to your query effectively. If you or your organisation do not enter into a contract with us this information will be retained for 12 months, and then deleted.

If you or your organisation go on to enter a contract (e.g. purchase a custom data licence) then we may hold your personal data for longer – see Custom data and reports.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in responding to enquiries from third parties and recording these responses.

Custom data and reports
If you buy a custom data licence or a bespoke report we will hold your personal data to administer the licence terms and conditions and carry out compliance assessments.

Custom data extracts and reports are supplied under an Agreement for the Supply of Information Services (see sample agreement). If you or your organisation enter an agreement with Jisc your data will be processed for the purpose of administering this agreement. Your personal data will also be processed when you interact with our OneTrust information security and data protection compliance assessments associated with the custom data and reports requested.

Your personal data will be retained for seven years after the latest licence end date specified in any agreement with you.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in maintaining a record of data supplied to third parties.
GDPR Article 6(1)(c)
Processing is necessary for demonstrating accountability with data protection requirements.

Publications and online purchases
HESA is now part of Jisc. Jisc is the controller of the HESA website and any processing described on HESA’s website, unless otherwise indicated.
If you buy a product directly from the HESA website your personal data is processed for billing purposes.

When you or your organisation buy a publication or other product from the HESA website you will need to provide contact and billing details so that we can complete your order. Invoicing details are retained for accounting purposes.

If you wish to pay by credit card, payments are processed by Stripe.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Training
We process data about training attendees and registrants in our event management system so that we can provide and administer the training.

We encourage individuals to only book training events for themselves, but when this is not possible, the attendee whose personal data is being provided to Jisc must be shown this privacy information.

We will hold the personal data of attendees and registrants for three years from the date of the last event attended/booked so that we have a record of the training we have supplied.

If you tell us about dietary or special requirements (including disabilities) we may use this information to make adjustments for attendees. We will request your explicit consent before processing your personal data relating to health and/or disability.

It may also be necessary to share information with third party venue providers so that they have a register of attendees and are able to make any appropriate adjustments for attendees. Where it is necessary for us to share your personal data relating to your dietary or special requirements, we will request your permission before doing so.

If you wish to withdraw your consent for the processing of information relating to your health and/or disability, you can do so by accessing your event booking using the email address you used for registration and your password (which you will be asked to create when you first access the booking system). Within the event booking you can change your consent preferences and remove any special category personal data provided.

We may contact you to tell you about relevant events in future or to seek your feedback to improve our future training offerings, but you can opt out of receiving this information by emailing [email protected] or managing your preferences in the footer section of any communication.

Payments for training and seminars are processed by Stripe. Invoicing details are retained for accounting purposes.

For more details see the training terms and conditions.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in administering and maintaining records of training and seminars.
GDPR Article 9(2)(a)
The data subject has given explicit consent to the processing of personal data relating to health and disability.

E-Learning
If you undertake a HESA e-learning course or online webinar, our training systems will hold your name, email address, course results and a recording of your involvement in the session, where you have been notified. This information is only accessible to Jisc staff and only used to monitor use of the e-learning system or to enable meeting participants (or non-attendees) to access a recording of a meeting.

We process data about e-learning users and webinar attendees so that we can provide and administer the training.

We will hold the names and email addresses of users for 3 years so that we have a record of who has started and completed courses, and to allow users to continue courses that they have started.

Some e-learning data protection courses are provided to meet the data protection requirements of Heidi Plus user agreements. We may contact Heidi Plus users with reminders to undertake data protection refresher training based on records maintained in the Easygenerator system.

HESA Training webinars are recorded. This is primarily so that, if a delegate experiences technical issues during the webinar and misses content, we can share a recording with them at a later date. All delegates are notified on the event page that the webinar will be recorded and are reminded at the start of the session. Jisc takes steps to minimise the personal data that is collected through the recording of webinars.

For more information about e-learning please contact [email protected].

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in administering and maintaining records of training.

Heidi Plus
If you use Heidi Plus we will process personal data to administer your user agreement. We also log IP addresses to monitor and measure use of the Heidi Plus service. We will also use your personal data to carry out information security and compliance assessments.

Further details are available in the Heidi Plus privacy policy and user agreements. These can be found in the Heidi Plus Support centre project – workbook 7. Heidi Plus operational documentation. Your personal data will be processed when you interact with our OneTrust information security and data protection compliance assessments associated with your organisation’s Heidi Plus account.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in administering and monitoring use of the Heidi Plus business intelligence service.
GDPR Article 6(1)(c)
Processing is necessary for demonstrating accountability with data protection requirements.

Suppliers of goods and services
If you supply goods or services to Jisc we may process personal data about you in order to enter into agreements, make orders, pay your invoices, facilitate collaborative working, and monitor use of Jisc's systems.

Details of any personal data processing should be included in any agreement to supply goods and services to Jisc.

Personal data relating to a User’s interactions with Jisc systems, including the creation of activity logs, is processed for auditing, security, performance monitoring, error reporting and investigation purposes.

We may record meetings via Microsoft Teams which may include the processing of visual and audio webcam footage and opinions expressed about yourself or others. The recordings may be shared:

  • Within Jisc for the purpose of enabling minute-takers to fulfil their tasks, or to enable meeting participants or non-attendees to access a recording of a meeting.
  • With other stakeholders, including Statutory Customers, for the purpose of enabling collaboration with Jisc.

The recordings may form part of Jisc’s business records.

Invoicing and payment details are retained for seven years.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in obtaining goods and services necessary to its business.
Processing is necessary for the purposes of Jisc's legitimate interests in maintaining information and security monitoring of its collections and systems and performance monitoring.
Processing is necessary for the purposes of Jisc's legitimate interests in facilitating collaborative working and maintaining its business records.

Job applications
Personal data provided through unsuccessful job applications is held for two years and then deleted.

Information provided to HESA prior to it merging with Jisc in support of job applications is processed via People HR for the purpose of selecting suitable candidates for job vacancies. You may have submitted a written assessment, which will be reviewed as part of your application. Your CV and any assessments have been transferred to Jisc, which is now the controller of this data. Your personal information may be shared with Jisc's third party partners who may be involved in the interviewing process.

If your application was not successful, your application form, any written assessment, CV, and covering letter will be held for one year from the date at which someone is appointed to the advertised position. Data is held for the purpose of monitoring the level of repeated applications and maintaining a talent pool of candidates who may be interested in other vacancies.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing including sharing with third party partners is necessary for the purposes of Jisc’s legitimate interests in recruiting qualified staff.

Customer relationship management (CRM) system and marketing information
As HESA is now part of Jisc, if you previously used HESA products or services your personal information has transferred to Jisc and may be held in our CRM system. We will only send you marketing information if you have given your permission, or if you were a customer of HESA or a current customer of Jisc.

The CRM enables us to keep track of our communications with you. We hold records on the CRM for as long as necessary for the reason we collected them – see the sections above for the different reasons we collect data.

We like to keep people informed about the products and services that we offer, but we will only use your CRM record to send you marketing information if you are an individual and you consented to this, or to tell you about updates to something you’ve recently bought. If you are a business then Jisc will market to you as it is in our legitimate interests to communicate with customers, stakeholders, and business contacts. Any marketing communication will give you the opportunity to unsubscribe from these messages.   

Legal basis for using CRM:
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in communicating with customers, stakeholders and business contacts necessary to run its business.

Legal basis for marketing:
If a business customer:
GDPR Article 6(1)(f)
Processing is necessary for the purposes of Jisc’s legitimate interests in communicating with customers, stakeholders and business contacts necessary to run its business.

If an individual customer:
GDPR Article 6(1)(a)
The data subject has given consent to the processing of those personal data for one or more specified purposes.

Consultations

Jisc carries out various consultations that include readiness surveys, sector consultations, Graduate Outcomes brand research, recording reviews relating to proposed changes to collection fields, and training feedback surveys.

If you take part in a consultation led by Jisc, Jisc will process your personal information via Citizen Space.

When you submit information to us using this service, it is treated sensitively in accordance with data protection principles. Your personal information will be used for:

  • The purpose of conducting the surveys
  • Contacting you to engage further with the consultation process or survey

Email addresses are used to send an acknowledgement of response following submission. They may also be used to contact you in the future in relation to the consultation you have responded to.

Where permission is given, we publish responses. We include personal data where permission has been given to do so. Email or postal addresses are never published.

Your personal data will be held until one year after the closure of the consultation on the Hub. We will retain survey responses but will ensure that any name or email address assigned to them is removed. Please note retention periods may be extended where there is a statutory, regulatory, legal, operational, or security requirement to do so.

We may share your survey responses with statutory customers, sector bodies or other organisations involved within the consultation. We will provide additional information on how responses will be used within each consultation. We will not disclose your name or email address to organisations we share responses with.

On occasion, personal data may be shared with a third-party consultant, or independent chairperson who has been appointed to support the consultation process.

If you share your personal information with us for the purpose of taking part in the Graduate Outcomes brand research, HESA will share your personal information with psLondon, a third party brand research consultancy. The consultancy will contact you directly to undertake brand research and will be joint controllers with Jisc of your personal information. Jisc is the lead controller for responding to rights requests and data protection queries. If you wish to exercise your data subject rights or make a complaint about the way your personal data is processed for the Graduate Outcomes brand research purposes, please contact [email protected]

Legal basis:
GDPR Article 6(1)(e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests to gain insights and feedback about the services HESA provides.