Data protection: Operational support for the collection and use of contact details
HESA is now part of Jisc. Jisc is now the data controller of personal data previously controlled by HESA. Pages on the HESA website are being updated to reflect this change. Please see updated Privacy information.
We have published detailed guidance on the data protection implications of Graduate Outcomes. Since publishing this, we have received several queries about what this guidance means in practice. This page addresses some of the most common queries we have received:
No. Contact details are processed by HESA under public interest grounds, not on the basis of consent.
HESA's processing of Graduate Outcomes data is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ in accordance with Article 6(1)(e) of the General Data Protection Regulation (GDPR).
You collect contact details in order to provide accurate information to HESA to facilitate the delivery of the Graduate Outcomes survey.
You can use the contact details to undertake tasks which:
- Ensure the information you provide to HESA is accurate and comprehensive (for example, emailing graduates asking them to review and update their contact details). You should ensure that the contact details you have are accurate and up to date on a regular basis.
- Support the delivery of the Graduate Outcomes survey (for example, contacting graduates to raise their awareness of the survey).
Contact details for graduates may be provided to HESA, and used to promote the Graduate Outcomes survey, without seeking further consent of students or graduates. Students have been informed about this contact, and the legal grounds for it, via the HESA Student Collection Notice.
Any other use of graduates' contact details is subject to your own status as a data controller under the General Data Protection Regulation (GDPR). HESA cannot offer data protection advice about other uses of graduates' contact details that are not related to Graduate Outcomes.
You are likely to routinely collect, and hold lists of, graduate contact details for your own purposes. Collection of contact details for Graduate Outcomes does not prohibit or hamper you also collecting contact details for these purposes.
The grounds for processing these details are likely to differ significantly from those which apply to processing details for the Graduate Outcomes survey. It is, for example, likely that these details will be processed on the basis of the graduate’s consent and will be subject to a graduate opting out at a future date.
It is up to you to determine the basis for processing this data and what actions you need to undertake to be compliant with data protection legislation. It is important that you clearly communicate to students/graduates the differences between contact details processed for your own purposes and for delivering Graduate Outcomes.
On an annual basis, the data protection contacts at all HE providers are contacted with details of the Student Collection Notice. It is vital that this notice is made available to all students as it includes a section outlining the processing of data for surveys of graduates. This notice is updated annually and made available to students via their providers.
This Collection Notice applies to the agreed Graduate Outcomes survey questions. These are the core survey questions and the opt-in question banks approved by the Graduate Outcomes governance process.
The survey will be accompanied by Graduate Outcomes survey privacy information which informs graduates of the uses of their survey responses. This is available from the Graduate Outcomes website.
In response to queries that our data protection team have received, we have produced the following additional guidance. Should you have any further queries on this issue please contact:
When a provider submits data about graduates’ contact details to HESA for the Graduate Outcomes survey, the provider is thereby processing the personal data of its graduates. In respect of that processing, the provider is acting as a data controller. As such, the provider is responsible for determining that it is fair and lawful to submit the data to HESA. This note is intended to assist providers in making that determination and in recording their legal basis for sharing contact details with HESA.
In relation to fairness, providers are reminded that the HESA Student Collection Notice for the Academic Year 2017/18 and all subsequent years refers to the Graduate Outcomes survey, including the fact that third parties may be asked to provide responses in respect of a graduate who is included in the survey: see https://www.hesa.ac.uk/about/regulation/data-protection/notices/previous.
In terms of lawfulness, it is for providers to determine which of the processing conditions under GDPR Article 6 applies to the sharing of graduate contact details with HESA. We are aware that many providers consider that sharing information with HESA is undertaken on the basis of GDPR Article 6.1(c) (processing is necessary for compliance with a legal obligation to which the controller is subject). It is for individual providers to satisfy themselves whether Article 6.1(c) applies, or whether they are relying on some other basis for processing.
HESA has published on https://www.hesa.ac.uk/about/regulation/data-protection/guidance details of the statutory basis whereby HESA collects data on behalf of the HE funding and regulatory bodies. We note that providers may also have additional contractual agreements in place between themselves and their relevant HE funder/regulator.
Following consultations held by HESA in 2016 and 2017 (the NewDLHE: Destinations and outcomes review), the HE funding and regulatory bodies asked HESA to replace the Destination of Leavers from Higher Education Survey with the Graduate Outcomes survey. Each of the HE funding and regulatory bodies confirmed that the information specified in the core survey is necessary for their statutory / public functions.
As indicated above, it is for each provider to determine the Article 6 ground under which it is processing graduates’ contact details and sharing them with HESA. However, it is HESA’s view that where data is processed under Article 6.1(c) (legal obligation) data subjects do not have the right to object to the processing; consequently data subjects do not have the right to object to the submission of their contact details to HESA.
On receipt of the contact details, HESA processes the data on the basis of Article 6.1(e) (public interest) and data subjects therefore have the right to object to this processing. In the event that a graduate wishes to exercise this right, the graduate can contact [email protected] and they will be removed from the survey population. Alternatively, graduates can get in touch with their providers to request an opt-out. More information can be found in the specific FAQ above. In any event, the completion of the survey by Data Subjects is optional. Both the Collection Notice (which has been drafted to meet the requirements of GDPR Article 13), and communications that HESA issues to graduates, will explain how they can opt out of completing the survey and receiving further survey communications.
With regard to opt-in question banks, a separate guidance note and Addendum will be issued. The survey will be structured so that it is very clear that (i) these opt-in question banks are separate from the main survey and are included at the request of the relevant provider, and (ii) the graduates as data subjects have an additional option as to whether they wish to answer them.
If opt-in question banks are requested to be included ("mandated") by a HESA statutory customer, then the relevant statutory customer will be required to confirm that the information being collected is necessary for their public/statutory function before the questions are raised. These questions are separate from the core survey questions.
Graduates are able to opt out from the survey and any further communication through a number of different channels. The email invitations and online survey instrument provide graduates with information on how to opt out.
The option to opt out is available to graduates until after the survey closes, up to a fixed point in time, which is outlined in the Graduate Outcomes Collection Notice (currently 1 January). After an opt-out request has been actioned, it can take up to five working days from receipt by HESA to take effect across all of HESA’s systems.
Graduates who have opted out will not be re-contacted about the survey. If a graduate opts out of communications about the survey, they will not be removed from the survey population; this is to allow HESA to accurately measure response and non-response rates.
Graduates who opt out of the survey are not treated as a valid response in the calculation of response rates.
The following channels can be used by graduates to opt out of the Graduate Outcomes survey:
Contacting HESA directly
Respondents can contact HESA via [email protected] to request an opt-out or deletion of their survey data or contact details as per their rights under the Data Protection Act 2018.
Opting out through our survey partners
Respondents can also refuse to take part in the survey over the phone, and interviewers are trained to handle such requests and will opt them out.
Opting out through providers
Providers can opt students or graduates out of the survey if they have explicitly stated they do not wish to be contacted about taking part in Graduate Outcomes specifically.
Graduates can get in touch with their providers to request an opt-out. All opt-outs should be notified by the provider to HESA using [email protected]. Providers should consider secure disclosure methods when notifying HESA of graduate opt-outs.
In acknowledging the opt-out requests, the provider should inform the graduate that the opt-out will be effective up to five working days after HESA have been notified by the provider.
Respondents who opt out are marked as such by HESA in the portal and all future communications cease within five working days from notification of the request to HESA. Providers should note that this is currently not visible from the portal and providers should not re-submit contact details for an individual who they have opted out, unless that individual has specifically requested to be opted back into the survey population.
Providers are expected to inform their eligible students that their contact details will be passed on to the contractor for completing the survey, to explain what the Graduate Outcomes survey is about, how they can complete the survey and how they will be contacted by HESA. Guidance and template forms of communication are provided by HESA. Reference to the survey is also included in the Student Collection Notice which should be made available to students throughout the duration of their studies with the provider.
In the event that a graduate wishes to opt out of the Graduate Outcomes survey, prior to contact details being sent to HESA, the provider would need to exclude the contact details of the graduate in their submission and separately notify HESA via Liaison that the graduate has opted out.
It is important to note that if a provider opts out a graduate in advance of the survey but then provides HESA with contact details for that graduate, the opted-out status may be overwritten and the individual may inadvertently be contacted by the survey contractor. Providers must review their contact details submissions for opted-out graduates prior to submitting contact details to HESA and will be asked to confirm they have done so when approving the records to be sent to Confirmit.
Although we do not require providers to supply evidence of the opt-out request, it should be retained and may be audited at a future date by your primary regulator/funder. HESA is also expected by some primary regulator/funders to monitor and report on levels of opt-outs directly submitted by providers.
If a student informs the provider that they do not wish to be surveyed during the survey period, the provider can directly notify HESA of the graduate’s wish to prevent further communication. Evidence of the request should be retained and recorded by the provider and HESA should be notified via Liaison, as described above.