Data protection: Operational support for the collection and use of contact details
We have published detailed guidance on the data protection implications of Graduate Outcomes. Since publishing this, we have received several queries about what this guidance means in practice. This page addresses some of the most common queries we have received:
No. Contact details are collected and returned to HESA under public interest grounds, not on the basis of consent.
The processing of Graduate Outcomes data is deemed ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ in accordance with Article 6 (1)(e) of the General Data Protection Regulations (GDPR).
The public interest grounds include allowing providers to give relevant information to funding and regulatory bodies, and making accurate and transparent data on the outcomes of publicly funded and subsidised higher education available to the public. Due to this public interest, contact details are not collected on the basis of consent and so you don’t need to provide the facility for a student/graduate to opt-out. We will therefore expect contact details to be returned for all graduates in the population.
You collect contact details in order to provide accurate information to HESA to facilitate the delivery of the Graduate Outcomes survey.
You can use the contact details to undertake tasks which:
- Ensure the information you provide to HESA is accurate and comprehensive (for example, emailing graduates asking them to review and update their contact details).
- Support the delivery of the Graduate Outcomes survey (for example, contacting graduates to raise their awareness of the survey).
Contact details for graduates may be provided to HESA, and used to promote the Graduate Outcomes survey, without seeking further consent of students or graduates. Students have been informed about this contact, and the legal grounds for it, via the HESA Student Collection Notice.
Any other use of graduates' contact details are subject to your own status as a data controller under the General Data Protection Regulation (GDPR). HESA cannot offer data protection advice about other uses of graduates' contact details that are not related to Graduate Outcomes.
You are likely to routinely collect, and hold lists of, graduate contact details for your own purposes. Collection of contact details for Graduate Outcomes does not prohibit or hamper you also collecting contact details for these purposes.
The grounds for processing these details is likely to differ significantly from those which apply to processing details for the Graduate Outcomes survey. It is, for example, likely that these details will be processed on the basis of the graduate’s consent and will be subject to a graduate opting-out at a future date.
It is up to you to determine the basis for processing this data and what actions you need to undertake to be GDPR compliant. It is important that you clearly communicate to students/graduates the differences between contact details processed for your own purposes and for delivering Graduate Outcomes.
Communications promoting engagement with the Graduate Outcomes survey or requesting updates to contact details are undertaken under public interest grounds. As such, it is not necessary to provide an opt-out facility.
As a courtesy to graduates, we would strongly recommend that providers keep these communications proportionate. Our best practice guidelines suggest sending a communication at 5-6 months after graduation, and another to coincide with the survey opening.
It is not compulsory for a graduate to complete the survey. Graduates will have the opportunity to explicitly refuse to take part in the survey at the point at which the contractor asks them to complete it (around 15 months after they graduate). They are not able to opt-out prior to this point.
The student can only opt-out of the Graduate Outcomes survey through the contractor, they cannot opt-out of further contact from their provider through this route. Students who wish to opt-out of any further contact from their provider must do so through direct contact with the provider.
In June 2017 the data protection contacts at all HE providers were contacted with details of the Student Collection Notice. It is vital that this notice is available to all students as it includes a section outlining the processing of data for surveys of graduates. This notice is updated annually and made available to students via their universities.
This collection notice applies to the agreed Graduate Outcomes survey questions. These are the core survey questions and the opt-in question banks approved by the Graduate Outcomes governance process.
The survey will be accompanied by a further Graduate Outcomes survey collection notice informing graduates of the uses of their survey responses. If you are intending to add your own provider questions to the survey, you will need to ensure that this is covered appropriately in your own privacy notice(s) at the time of conducting the survey. HESA will not be Data Controller for the data generated by these additional questions.
HESA has no role in the setting and administering of provider questions, nor do we receive the data. These questions are handled entirely by providers. As such, they are not governed by our Graduate Outcomes survey collection notice, and you will need to make sure you provide a separate collection notice indicating the uses you will put the data to.
Provided you have made the HESA Student Collection Notice available to students prior to the survey and your own provider questions collection notice available to graduates at the point of survey, all of the graduates in the Graduate Outcomes population are eligible to be asked provider questions, as these are still part of the statutory Graduate Outcomes survey.