Data protection guidance
Data protection compliance sits at the heart of the design of the Graduate Outcomes record, and we have taken all necessary steps to ensure that the Graduate Outcomes survey is compliant with data protection legislation.
We have continually taken specialist legal advice including from a leading data protection QC to ensure that all necessary aspects of data protection have been considered. We have also undertaken a Data Protection Impact Assessment which is maintained as a living document and updated on an ongoing basis. A high-level summary of the issues considered is set out below.
Lawfulness of processing
We took legal advice from data protection specialists to confirm our own assessment of the legal grounds under GDPR which will apply to each stage of processing of students’ and graduates’ personal data for the purposes of the Graduate Outcomes record.
We consider the processing required by the record is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ in accordance with Article 6(1)(e) of the GDPR. Data is processed for a variety of public interest purposes, including:
- Meeting the requirements on providers to give information to public authorities with responsibility for funding and regulating higher education in the UK. This applies to the collection, transfer and onward use of both contact details and survey responses, by HE providers, HESA and HESA’s statutory customers.
- Making available to the public accurate and transparent data on the outcomes of publicly funded and subsidised higher education.
- While there will be no compulsion on graduates to complete the survey, any survey response data will be processed under the public interest grounds described above and not processed on the basis of consent.
Survey response data is processed by HESA and its customers for research and statistical purposes and is not used to make decisions about individuals.
Providers, in submitting contact details data to HESA for the Graduate Outcomes survey, are acting as a Controller. As a Controller, it is the responsibility of the provider to make its own decision regarding the legal basis on which it is processing personal data.
Fairness and transparency
The updated HESA Student Collection Notice describes the processing of student information by HESA and other organisations who receive the survey information. This has been updated to meet the requirements of Article 13 of the GDPR and to reflect the open centralisation, timing and information flows of the survey. For example, the Student Collection Notice informs students that their contact details are collected by their HE provider and will be passed to HESA and our survey suppliers to conduct the Graduate Outcomes surveys.
The notice also alerts students that survey responses are made available to their HE provider, who may choose to add additional questions to the survey for their own use. It also makes clear that in the absence of a response from the student, information may be accepted from a third party, e.g. their HE provider or a family member. Third-party responses are not currently applicable to graduates of English Further Education Colleges.
We recommend (as set out below) that HE providers link from their own privacy notice to the notice published on the HESA and Graduate Outcomes websites, so that any changes that need to be made to the notice are made on those websites.
A further notice (the privacy information), giving information to graduates about their survey response data, is available from the Graduate Outcomes website. This is made available before any survey questions are asked so that graduates can decide whether to complete the survey. A telephone script is in place for use by the contact centre to direct the graduate to the privacy information when contact is made by telephone.
Data Protection Impact Assessment
We undertook a Data Protection Impact Assessment to assess the risks posed by the survey model and the mitigations required to minimise or eliminate these risks. This remains a living document, which we have continued to evolve throughout the implementation and business-as-usual phases.
The risks identified include impacts on graduates (around privacy and their rights) and the risks to HESA, HE providers, and data users (around compliance with regulations and preventing reputational damage). To protect the privacy and rights of data subjects (the graduates), HESA has implemented a number of solutions and mitigations. These can be categorised as follows:
- Agreements – Using specialist advice we developed contracts for our survey data processors which set out required activities and ensure that data is processed securely and lawfully. Data sharing agreements are in place to ensure survey data is only used in compliance with data protection requirements.
- Policies and procedures – Existing policies and procedures were reviewed and updated; if new ones are required in some areas, these will be implemented. This will ensure that risks to privacy are minimised.
- Technical solutions – Appropriate technical measures are in place to ensure personal data is processed securely and that information security risks are minimised.
- Communication and training – All those who interact with the Graduate Outcomes record have been provided with the support and information necessary to understand the risks and to implement required mitigations.
Actions and implications on HE providers
We have separately published the data protection actions HE providers need to undertake as a result of the Graduate Outcomes record.