Skip to main content

Data protection: Operational support for the collection and use of contact details

We have published detailed guidance on the data protection implications of Graduate Outcomes. Since publishing this, we have received several queries about what this guidance means in practice. This page addresses some of the most common queries we have received:

Are contact details for Graduate Outcomes collected on the basis of consent?
What can we do with the contact details we collect?

You collect contact details in order to provide accurate information to HESA to facilitate the delivery of the Graduate Outcomes survey.

You can use the contact details to undertake tasks which:

  • Ensure the information you provide to HESA is accurate and comprehensive (for example, emailing graduates asking them to review and update their contact details).
  • Support the delivery of the Graduate Outcomes survey (for example, contacting graduates to raise their awareness of the survey).

Contact details for graduates may be provided to HESA, and used to promote the Graduate Outcomes survey, without seeking further consent of students or graduates. Students have been informed about this contact, and the legal grounds for it, via the HESA Student Collection Notice

Any other use of graduates' contact details are subject to your own status as a data controller under the General Data Protection Regulation (GDPR). HESA cannot offer data protection advice about other uses of graduates' contact details that are not related to Graduate Outcomes.


What impact does this have on our current mailing lists of graduates?

You are likely to routinely collect, and hold lists of, graduate contact details for your own purposes. Collection of contact details for Graduate Outcomes does not prohibit or hamper you also collecting contact details for these purposes.

The grounds for processing these details is likely to differ significantly from those which apply to processing details for the Graduate Outcomes survey. It is, for example, likely that these details will be processed on the basis of the graduate’s consent and will be subject to a graduate opting-out at a future date.

It is up to you to determine the basis for processing this data and what actions you need to undertake to be GDPR compliant. It is important that you clearly communicate to students/graduates the differences between contact details processed for your own purposes and for delivering Graduate Outcomes.

What if a student/graduate wants to opt-out of further contact about Graduate Outcomes?

Communications promoting engagement with the Graduate Outcomes survey or requesting updates to contact details are undertaken under public interest grounds. As such, it is not necessary to provide an opt-out facility.

As a courtesy to graduates, we would strongly recommend that providers keep these communications proportionate. Our best practice guidelines suggest sending a communication at 5-6 months after graduation, and another to coincide with the survey opening.

What if a student/graduate wants to opt-out of the survey?

It is not compulsory for a graduate to complete the survey. Graduates will have the opportunity to explicitly refuse to take part in the survey at the point at which the contractor asks them to complete it (around 15 months after they graduate). They are not able to opt-out prior to this point.

The student can only opt-out of the Graduate Outcomes survey through the contractor, they cannot opt-out of further contact from their provider through this route. Students who wish to opt-out of any further contact from their provider must do so through direct contact with the provider.

What information must we provide to students?

In June 2017 the data protection contacts at all HE providers were contacted with details of the Student Collection Notice. It is vital that this notice is available to all students as it includes a section outlining the processing of data for surveys of graduates. This notice is updated annually and made available to students via their universities.

This collection notice applies to the agreed Graduate Outcomes survey questions. These are the core survey questions and the opt-in question banks approved by the Graduate Outcomes governance process.

What further data protection information will be given to graduates at the time of the survey?

The survey will be accompanied by a further Graduate Outcomes survey collection notice informing graduates of the uses of their survey responses. If you are intending to add your own provider questions to the survey, you will need to ensure that this is covered appropriately in your own privacy notice(s) at the time of conducting the survey. HESA will not be Data Controller for the data generated by these additional questions.

What are the data protection implications for the provider questions?

HESA has no role in the setting and administering of provider questions, nor do we receive the data. These questions are handled entirely by providers. As such, they are not governed by our Graduate Outcomes survey collection notice, and you will need to make sure you provide a separate collection notice indicating the uses you will put the data to.

Provided you have made the HESA Student Collection Notice available to students prior to the survey and your own provider questions collection notice available to graduates at the point of survey, all of the graduates in the Graduate Outcomes population are eligible to be asked provider questions, as these are still part of the statutory Graduate Outcomes survey.