Data protection guidance
Many respondents to our final consultation were keen to ensure that the data protection implications of the Graduate Outcomes survey had been appropriately considered.
Data Protection compliance will be at the heart of the design of the Graduate Outcomes record (including the contractual relationship with the survey contractor) and we are taking all necessary steps to ensure that the Graduate Outcomes survey is compliant with the existing data protection laws and with the General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.
We have taken specialist legal advice including from a leading Data Protection QC to ensure that all necessary aspects of data protection have been considered. We have also undertaken a detailed Privacy Impact Assessment which will be maintained as a living document. A high-level summary of the issues considered is set out below.
Lawfulness of processing
We have taken legal advice from data protection specialists to confirm our own assessment of the legal grounds under GDPR which will apply to each stage of processing of students’ and graduates’ personal data for the purposes of the Graduate Outcomes record.
We consider the processing required by the record is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ in accordance with Article 6 (1)(e) of the GDPR. Data will be processed for a variety of public interest purposes, including:
- Meeting the requirements on providers to give information to public authorities with responsibility for funding and regulating higher education in the UK. This applies to the collection, transfer and onward use of both contact details and survey responses, by HE providers, the survey contractor, HESA and HESA’s statutory customers.
- Making available to the public accurate and transparent data on the outcomes of publicly funded and subsidised higher education.
While there will be no compulsion on graduates to complete the survey, any survey response data will be processed under the public interest grounds described above and not processed on the basis of consent.
Survey response data will only be processed by HESA and its customers for research and statistical purposes and will not be used to make decisions about individuals.
Providers in submitting contact details data to HESA for the Graduate Outcomes survey are acting as a controller. As a controller it is the responsibility of the Provider to make its own decision regarding the legal basis on which it is processing personal data.
The updated HESA Student Collection Notice describes the processing of student information by HESA and other organisations who receive the survey information. This has been updated to meet the requirements of Article 13 of the GDPR and to reflect the proposed open centralisation and current planned timing and information flows of the survey. For example the Student Collection Notice informs students that their contact details will be collected by their HE provider and may be passed to HESA and/or a third party organisation procured to conduct the Graduate Outcomes surveys. The notice also alerts students that survey responses will be made available to their HE provider who may choose to add additional questions to the survey for their own use. It also makes clear that in the absence of a response from the student, information may be accepted from a third party e.g. their HE provider or a family member. We recommend (as set out below) that HE providers link in their own privacy notice to the notice published on the HESA website so that if any changes to the notice need to be made these will be updated on the HESA website.
A further privacy notice will be produced by HESA giving information to graduates about how their survey response data will be processed. This will be made available before any survey questions are asked so that graduates can decide whether to complete the survey. A telephone script version of this notice will be prepared for use by the survey contractor when contacting graduates by phone.
Privacy Impact Assessment
We have undertaken a Privacy Impact Assessment to assess the risks posed by the survey model and the mitigations required to minimise or eliminate these risks. This will remain a living document, which we will continue to evolve throughout the implementation and business as usual phases.
The risks identified include impacts on graduates (around privacy and their rights) and the risks to HESA, HE providers, and data users (around compliance with regulations and preventing reputational damage). To protect the privacy and rights of data subjects (the graduates), we are aware of a number of solutions and mitigations we will need to apply and these are being addressed through our implementation plan. These can be categorised as follows:
- Agreements – Using specialist advice we will develop a contract for the survey contractor which sets out its required activities and ensures that data is processed securely and lawfully. Data sharing agreements will be in place to ensure survey data is only used in compliance with data protection requirements.
- Policies & procedures – Existing policies and procedures will be reviewed and updated; if new ones are required in some areas, these will be implemented. This will ensure that risks to privacy are minimised.
- Technical solutions – appropriate technical measures will be developed to ensure personal data is processed securely and that information security risks are minimised.
- Communication & training – all those who interact with the Graduate Outcomes record will be provided with the support and information necessary to understand the risks and to implement required mitigations.
Actions and implications on HE providers
We have separately published the data protection actions HE providers will need to undertake as a result of the new Graduate Outcomes record.