
2017/18 Apprenticeship data: Data processing terms

The following text was emailed to all Student record contacts on 14 August 2017. It is important you read and complete the actions listed below if you wish to submit 2017/18 Apprenticeship Standards Student Data to HESA.

******

Terms and Conditions for Submission of 2017/18 Apprenticeship Standards Student Data to HESA – Please follow the instructions detailed below if you wish to use this service

As for the 2016/17 academic year, the Higher Education Statistics Agency Limited (“HESA”) is offering a data processing service to Providers who wish to use the HESA Collection System to produce data files for their Apprenticeship Standards students (“ILR Files”) for submission to the Education & Skills Funding Agency (“ESFA”). This email is to make clear for data protection purposes the basis and terms on which HESA has agreed to offer such a service for the academic year 2017/18. These are very similar to the terms which applied for the 2016/17 academic year but have been updated for the purpose of complying with the General Data Protection Regulation (GDPR).

Please note that this data processing service is optional. Its cost is included within HESA’s Subscription Fee. Unlike the position where you submit data to HESA (for the uses outlined in the HESA Collection Notices), when providing this service HESA will be acting as a Data Processor and you (the higher education provider) will be the Data Controller. In order for your organisation to use this service an authorised signatory on behalf of your organisation will need to email HESA at the address set out below to confirm that your organisation accepts the terms on which the service is provided and wishes to use this data processing service.  For ease of reference we have also published a copy of these terms.

As the GDPR is coming into force in May 2018, and as the higher education provider is the Data Controller in respect of this arrangement, when asking HESA to undertake this processing it will be essential for you to ensure that your relevant processes and documentation will be compliant with GDPR, including your fair processing information and analysis of the legal basis for this data processing.

In order to produce ILR Files HESA will need to:

  • undertake some further processing of student personal data which is submitted in the ordinary course of making a student return to HESA (“HESA Student Data”), in addition to the usual processing of that data for the purposes set out in the HESA Collection Notice; 
  • process some additional data fields which are specifically required by the ESFA (“Additional Fields”) and are not within HESA Student Data.

As set out above, should a higher education provider wish HESA to produce ILR Files, HESA will be acting as its Data Processor, not Data Controller, in carrying out both these categories of processing: it is therefore the higher education provider’s responsibility to ensure that it has complied with its fair processing obligations. As HESA is only acting as Data Processor, HESA has not made reference to the processing of data for Apprenticeship Standards in the HESA Student Collection Notice and that Notice will not therefore be effective in discharging the provider's statutory fair processing obligations in relation to the processing of data to produce ILR files.

HESA confirms that appropriate technical and organisational information security and processing procedures are maintained to ensure that the data fields processed to produce the ILR Files are sufficiently protected against any unlawful or unauthorised processing, as is the case in any event for HESA Student Data. As part of HESA’s data collection process HESA undertakes information security risk assessments and implements security controls managed within HESA’s ISO27001 information security management system.  HESA has disaster recovery and business continuity plans in place.  Further information about HESA's data security can be provided on request.

It is the responsibility of higher education providers who wish to use HESA to produce their ILR Files to submit accurate data.  In producing the ILR Files HESA is not applying a quality assurance process but simply processing the HESA Student Data and Additional Fields to make the ILR Files meet the data structure requirements of the ESFA.

HESA confirms that the Additional Fields will only be processed by HESA so that the ILR Files can be returned to you.  HESA will not share the Additional Fields or ILR Files with third parties and steps have been taken to exclude the Additional Fields from being accessed by Statutory Customers who undertake concurrent data quality assurance on data submissions to HESA. 

HESA has also taken steps to limit access to the Additional Fields to only those HESA Staff who have received Data Protection Training and require access for their roles. For the avoidance of doubt:

  • HESA liaison staff will be able to access the Additional Fields to enable them to assist higher education providers who require help with their Apprenticeship Standards Student data; 
  • the HESA Student Data submitted to HESA for use in accordance with HESA’s Student Collection Notice will continue to be processed and shared by HESA in accordance with the Student Collection Notice.

The data processed to produce ILR files which is also HESA Student Data will be processed and retained indefinitely for the research and statistical purposes set out in the HESA Collection Notice, but will not be further used for ILR or other purposes while it is retained. The Additional Fields and the ILR Files will be retained in HESA’s live systems for up to 6 months after the final closure of the Student Collection (i.e. following the closure of the relevant year’s Student Collection Fixed Database). Thereafter the Additional Fields and ILR Files will only be stored on HESA’s backups in accordance with HESA’s retention policy. HESA will not be able to process the Additional Fields and ILR Files for business as usual purposes or share them for any other reason, once they have been removed from the live system. It is therefore the responsibility of higher education providers as Data Controllers to retain all copies of the HESA Student Data, Additional Fields, and ILR Files that they may be required to keep for their records.

If your organisation wishes to elect to use HESA to produce your ILR Files on the above terms please can you arrange for an email to be sent to [email protected] to confirm this.

If you do not agree to these terms do not submit the Additional Fields to HESA. 

If at any point you wish HESA to stop processing the Additional Fields and the ILR Files please also inform [email protected].

Please note that the following terms have been included in the Data Collection Student Contact IDS System. 

New Clause 3 Record Contact Responsibilities

3 HESA has agreed to offer an option for higher education providers to elect to use HESA’s data collection system to produce data files to submit to the Education & Skills Funding Agency (“ESFA”) for their Apprenticeship Standards students (“ILR Files”). If your organisation has opted to use HESA to produce its ILR Files HESA will need to carry out additional processing of some student personal data which is submitted in the ordinary course of making a student return to HESA (for the purposes of this clause 3 described as “HESA Student Data”) for the purposes set out in the HESA Student Collection Notice, and to collect and process some additional data fields which are specifically required by the ESFA (“Additional Fields”). Do not submit the Additional Fields unless an authorised signatory on behalf of your organisation has emailed [email protected] to accept HESA’s terms. This is essential to confirm the instruction to HESA to carry out this processing on behalf of your organisation as Data Controller. By sending such an email, your organisation will be confirming its instructions to carry out the processing described in this clause. The following conditions will apply to this data processing service:

  1. HESA will be acting as a Data Processor for your organisation and your organisation is the Data Controller in respect of this processing.
  2. It is your responsibility on behalf of your organisation to ensure prior to submitting the Additional Fields to HESA that your organisation has complied with its fair processing obligations and identified a legal basis (under both the Data Protection Act 1998 and the General Data Protection Regulation) for the processing.  HESA is only acting as Data Processor on your organisation's instructions, and it has not made reference to the processing of Apprenticeship Standards personal data in its own fair processing notification, the HESA Student Collection Notice.
  3. It is your responsibility on behalf of your organisation to submit or arrange for the submission of accurate data for inclusion in the ILR Files.  In producing the ILR Files HESA is not applying a quality assurance process or making decisions about the data to be processed, but simply processing the HESA Student Data and Additional Fields to create the ILR Files which will meet the data structure requirements of the ESFA. The Additional Fields will only be processed by HESA so that the ILR Files can be returned to your organisation in accordance with your instructions.  HESA will not share the Additional Fields with third parties and will not carry out any other processing of the Additional Fields unless this is the subject of a written instruction from your organisation which is accepted in writing by HESA.  In addition to the processing of HESA Student Data for the purposes of creating the ILR, HESA will otherwise only process the HESA Student Data in accordance with the HESA Student Collection Notice and the terms on which your organisation submits data to HESA for these purposes. 
  4. HESA will maintain appropriate technical and organisational information security and processing procedures to ensure that HESA Student Data and the Additional Fields are sufficiently protected against any unlawful or unauthorised processing. As part of HESA’s data collection process HESA undertakes information security risk assessments and implements security controls managed within HESA’s ISO27001 information security management system.  HESA has in place disaster recovery and business continuity measures which it considers appropriate in respect of the data processing it carries out.  HESA keeps its data security measures under review.  HESA will provide on request reasonable information about its data security measures.
  5. HESA will limit access to the Additional Fields to only those HESA Staff who have received Data Protection Training and require access for their roles. This includes HESA liaison staff, who will be able to access the Additional Fields to enable them to assist higher education providers who require help with their Apprenticeship Standards Student data. Access to HESA Student Data is limited in accordance with HESA's processes which apply to the processing of HESA Student Data for the purposes set out in HESA's Student Collection Notice.
  6. HESA Student Data will be processed and retained indefinitely for research and statistical purposes as set out in the HESA Student Collection Notice. It will not be processed for ILR or other purposes in addition to the ILR processing carried out under this clause 3. The Additional Fields and the ILR Files will be retained in HESA’s live systems for up to 6 months after the final closure of the Student Collection (i.e. following the closure of the relevant year’s Student Collection fixed database). Thereafter the Additional Fields and ILR Files will only be stored on HESA’s backups in accordance with HESA's retention policy, which can be found on its website. HESA will not be able to process the Additional Fields and ILR Files for business as usual purposes or share them for any other reason, once they have been removed from the live system. It is therefore your responsibility to ensure your organisation has taken steps to retain all copies of the HESA Student Data, Additional Fields, and ILR Files that it is required to keep for its records.
  7. HESA will provide your organisation with any assistance reasonably required to enable the organisation to investigate reasonable concerns about the data processing under this clause and to comply with the rights of data subjects.
  8. HESA agrees to notify your organisation if:
    • It is legally required to undertake any processing of the Additional Fields beyond that described in this clause 3, save where such notification would be unlawful;
    • It identifies a security breach which has taken place in respect of the Additional Fields or the processing of data described in this clause 3. Such notification shall explain the nature of the security breach, including the categories of data field and the number of records or data subjects concerned, the steps being taken by HESA to remediate or control the breach and the name and contact details of the person at HESA who will liaise with your organisation about the breach;
    • Any subject access request or other request to exercise data subject rights is received by HESA in respect of the Additional Fields or the processing described in this clause 3. HESA shall not respond directly to such communications but shall pass them to your organisation as quickly as reasonably possible.
  9. HESA is not permitted to sub-contract its data processing obligations under this clause.
  10. This data processing agreement will terminate automatically on completion of the data processing and supply