Privacy information

This page describes how HESA processes personal data, and how HESA complies with data protection legislation.

HESA’s job is to collect, process and share data relating to higher education. Some of this data is personal data about students, graduates, and staff of higher education providers. HESA also processes personal data in the course of its day-to-day business like any other company.

The sections below describe the different categories and types of personal data that HESA processes. These include the purposes and legal basis for each type of processing, any transfers or third party recipients of personal data, and the timescales for storing and processing data. Legal basis information relates to the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. More information can be found via our data protection pages.

Some sections link to other pages or documents where more detailed information can be found.

The boxes below summarise the key information you need to know. Click on each box for more detail.

Data controllers and contact details
The Higher Education Statistics Agency Limited (HESA) is the data controller for the processing described on this page unless otherwise indicated.

On this page “HESA” (or "we" or "us") refers to the Higher Education Statistics Agency Limited. HESA is the data controller for the data processing described on this page. This means it is HESA who determines the manner and purpose of processing.

HESA Services Limited (HESA’s wholly owned subsidiary) often acts as a data processor for HESA or HESA’s customers (processing data on their instructions). Occasionally HESA Services Limited may act as a data controller making its own decisions about how to process data. The sections below will indicate if HESA Services Limited is a data controller. HESA Services Limited has the same contact details and staff as HESA.

If you have any questions about HESA and data protection please contact our Data Protection Officer:

  • Email: [email protected]
  • Tel: +44 (0)1242 211135
  • Address: HESA, 95 Promenade, Cheltenham, GL50 1HZ
Your rights
Data protection legislation gives you rights over your personal data. These include rights to know what information is processed about you and how it is processed.

You have the right to be informed about how your personal data is used. This Privacy Information is regularly reviewed to ensure that it accurately describes how personal data is used by HESA. This information may be updated from time to time, for example when new legislation is enacted, or when new purposes or systems are added.

You have the right to request access to your information held by HESA.

You have the right to request rectification of incorrect information.

You may have the right to object to some processing. If your concern relates to the Graduate Outcomes survey, please see Information for students/graduates.

To exercise your data protection rights please contact our Data Protection Officer:

  • Email: [email protected]
  • Tel: +44 (0)1242 211135
  • Address: HESA, 95 Promenade, Cheltenham, GL50 1HZ

You have the right to complain to the Information Commissioner’s Office – please see the ICO website.

Data transfers to other countries
Some HESA systems use cloud data storage and your information may be transferred to countries outside the European Union.

Our CRM, payment, and booking systems use cloud data storage. By default, data is stored at data centres located in the UK or the EU. In exceptional circumstances data may be processed at data centres in the USA or elsewhere.

Emails to some generic team addresses are processed by Help Scout. These emails may be processed outside the European Economic Area. Team email addresses that use Help Scout include [email protected], [email protected], [email protected] and [email protected].

Your personal data will only be transferred to countries whose data protection laws have been assessed as adequate by the European Commission, or where adequate safeguards, such as the EU-US Privacy Shield, are in place to protect your personal data. Decisions on the adequacy of the protection of personal data in third countries are published on the European Commission's website.

Website privacy policy and cookies
The HESA website uses cookies and logs IP addresses.

Browsing the HESA website will generate a log of your IP address. The website will also save cookies to your computer. Cookies make the website work properly for users and collect anonymous web metrics - find out more about how we use cookies.

Our website contains links to other websites. We are not responsible for the privacy practices or content of other sites. We encourage our visitors to be aware when they leave our website and to read the privacy policy of other sites that collect or use personal data.

This policy applies only to this website, https://www.hesa.ac.uk. This policy does not cover any other website operated by HESA.

Legal basis:
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in providing a website that functions effectively for all users.

Students, graduates and staff of higher education providers
HESA collects data from HE providers. Full information for data subjects is provided in HESA’s Collection Notices.

Detailed information for students and staff can be found in the Student and Staff Collection Notices.

Information about the latest Destinations of Leavers from Higher Education (DLHE) survey can be found in the 2016/17 DLHE Collection Notice.

Information for students about the Graduate Outcomes survey (starting December 2018) can be found here: Information for students/graduates.

HE provider contacts
HESA holds personal data about staff at HE providers to administer the data collection process. Access to HESA’s collection systems is administered through the HESA Identity System (IDS).

If you are involved in the submission or review of HESA data returns you will need an account with the HESA Identity System (IDS). You will need to provide personal data to create an account and accept an IDS role. Each IDS role has its own specific terms of use which give further information about how HESA uses this data.

The personal data provided to set up the account is used for administration of HESA’s data collection and sharing process. This may include processing of your data in HESA data collection systems (e.g. Aardvark, Minerva, the HESA Data Platform, email) and sharing your information with statutory data users if this is necessary for the administration of the data collection process.

It is the responsibility of HE providers to ensure that individuals hold appropriate IDS roles. Information about the IDS roles you have held will be retained for audit purposes.

Data held in IDS will also be stored in HESA’s Customer relationship management (CRM) system – see CRM section below.

Legal basis:
GDPR Article 6(1)(e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Statutory data users
HESA holds personal data about staff at public authority funders and regulators of higher education to administer the data collection process. Access to HESA’s collection systems is administered through the HESA Identity System (IDS).

If you are involved in the review and delivery of HESA data returns you will need an account with the HESA Identity System (IDS). You will need to provide personal data to create an account and accept an IDS role. Each IDS role has its own specific terms of use which give further information about how HESA uses this data.

The personal data provided to set up the account is used for administration of HESA’s data collection and sharing process. This may include processing of your data in HESA data collection systems (e.g. Aardvark, Minerva, the HESA Data Platform, email) and sharing your information with other users of these systems (including higher education providers and other Statutory Customers) if this is necessary for the administration of the data collection process.

It is the responsibility of your organisation to ensure that individuals hold appropriate IDS roles. Information about the IDS roles you have held will be retained for audit purposes.

Data held in IDS will also be stored in HESA’s Customer relationship management (CRM) system – see CRM section below.

Legal basis:
GDPR Article 6(1)(e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Enquiry forms and emails
If you enquire about HESA services using a form or email we will process your data in order to deal with your enquiry.

We will hold your information in our Customer relationship management (CRM) system so that we can respond to your query effectively. If you or your organisation do not enter into a contract with us this information will be retained for 12 months, and then deleted.

If you or your organisation go on to enter a contract (e.g. purchase a custom data licence) then we may hold your personal data for longer – see Custom data and reports.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in responding to enquiries from third parties and recording these responses.

Custom data and reports
If you buy a custom data licence or a bespoke report we will hold your personal data to administer the licence terms and conditions.

Custom data extracts and reports are supplied under an Agreement for the Supply of Information Services (see sample agreement). If you or your organisation enter an agreement with HESA or HESA Services your data will be processed for the purpose of administering this agreement.

Your personal data will be retained for seven years after the latest licence end date specified in any agreement with you.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in maintaining a record of data supplied to third parties.

Publications and online purchases
If you buy a product directly from the HESA website your personal data is processed for billing purposes.

When you or your organisation buy a publication or other product from the HESA website you will need to provide contact and billing details so that we can complete your order. Invoicing details are retained for accounting purposes.

If you wish to pay by credit card, payments are processed by Stripe.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Training
If you book a training event we will ask you for your details and details of the proposed attendees. We will use this data to administer the training and inform you of related events.

HESA Services Limited is the data controller for personal data processed for training purposes.

We process data about training attendees and registrants in our events planning system so that we can provide and administer the training. If you book a training place for someone else you must have their permission to do so.

We will hold the personal data of attendees and registrants for three years from the date of the last event attended/booked so that we have a record of the training we have supplied.

If you tell us about dietary requirements or any disabilities we may use this information to make adjustments for attendees.

It may also be necessary to share information with third party venue providers so that they have a register of attendees and are able to make any appropriate adjustments for attendees.

We may contact you to tell you about relevant events in future, but you can opt out of receiving this information by emailing [email protected].

Payments for training and seminars are processed by Stripe. Invoicing details are retained for accounting purposes.

For more details see the training terms and conditions.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in administering and maintaining records of training and seminars.
GDPR Article 9(2)(a)
The data subject has given explicit consent to the processing of personal data relating to health and disability.

E-Learning
If you undertake a HESA e-learning course the Easygenerator system will hold your name, email address, and course grades. This information is only accessible to HESA staff and only used to monitor use of the e-learning system.

We process data about e-learning users in Easygenerator so that we can provide and administer the training.

We will hold the names and email addresses of users for 5 years so that we have a record of who has started and completed courses, and to allow users to continue courses that they have started.

Some e-learning data protection courses are provided to meet the data protection requirements of Heidi Plus user agreements. We may contact Heidi Plus users with reminders to undertake data protection refresher training based on records maintained in the Easygenerator system.

For more information about e-learning please contact [email protected].

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in administering and maintaining records of training.

Heidi Plus
If you use Heidi Plus we will process personal data to administer your user agreement. We also log IP addresses to monitor and measure use of the Heidi Plus service.

Further details are available in the Heidi Plus privacy policy and user agreements. These can be found in the Heidi Plus Support centre project – workbook 7. Heidi Plus operational documentation.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in administering and monitoring use of the Heidi Plus business intelligence service.

Suppliers of goods and services
If you supply goods or services to HESA we may process personal data about you in order to enter into agreements, make orders, and pay bills.

Details of any personal data processing should be included in any agreement to supply goods and services to HESA or HESA Services.

Invoicing and payment details are retained for seven years.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in obtaining goods and services necessary to its business.

Job applications
Personal data provided through unsuccessful job applications is held for two years and then deleted.

Information provided to HESA in support of job applications is processed via People HR for the purpose of selecting suitable candidates for job vacancies.

If your application is not successful your application form, CV, and covering letter will be held for two years from the date at which someone is appointed to the advertised position. Data is held for the purpose of monitoring the level of repeated applications and maintaining a talent pool of candidates who may be interested in other vacancies.

Legal basis:
GDPR Article 6(1)(b)
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in recruiting qualified staff.

Customer relationship management (CRM) system and marketing information
If you use HESA products or services we may hold your data in a CRM system. We will only send you marketing information if you give your permission, or if you are a current customer of HESA or HESA Services.

The CRM enables us to keep track of our communications with you. We hold records on the CRM for as long as necessary for the reason we collected them – see the sections above for the different reasons we collect data.

We like to keep people informed about the products and services that we offer, but we will only use your CRM record to send you marketing information if you explicitly consent to this, or to tell you about updates to something you’ve recently bought. Any marketing communication will give you the opportunity to unsubscribe from these messages.

Legal basis for using CRM:
GDPR Article 6(1)(f)
Processing is necessary for the purposes of HESA’s legitimate interests in communicating with customers, stakeholders and business contacts necessary to run its business.
Legal basis for marketing:
GDPR Article 6(1)(a)
The data subject has given explicit consent to the processing of those personal data for one or more specified purposes.