Skip to main content

Data protection: Operational support for the collection and use of contact details

We have published detailed guidance on the data protection implications of Graduate Outcomes. Since publishing this, we have received several queries about what this guidance means in practice. This page addresses some of the most common queries we have received:

Are contact details for Graduate Outcomes collected on the basis of consent?
What can we do with the contact details we collect?

You collect contact details in order to provide accurate information to HESA to facilitate the delivery of the Graduate Outcomes survey.

You can use the contact details to undertake tasks which:

  • Ensure the information you provide to HESA is accurate and comprehensive (for example, emailing graduates asking them to review and update their contact details).
  • Support the delivery of the Graduate Outcomes survey (for example, contacting graduates to raise their awareness of the survey).

Contact details for graduates may be provided to HESA, and used to promote the Graduate Outcomes survey, without seeking further consent of students or graduates. Students have been informed about this contact, and the legal grounds for it, via the HESA Student Collection Notice

Any other use of graduates' contact details are subject to your own status as a data controller under the General Data Protection Regulation (GDPR). HESA cannot offer data protection advice about other uses of graduates' contact details that are not related to Graduate Outcomes.

 

What impact does this have on our current mailing lists of graduates?

You are likely to routinely collect, and hold lists of, graduate contact details for your own purposes. Collection of contact details for Graduate Outcomes does not prohibit or hamper you also collecting contact details for these purposes.

The grounds for processing these details is likely to differ significantly from those which apply to processing details for the Graduate Outcomes survey. It is, for example, likely that these details will be processed on the basis of the graduate’s consent and will be subject to a graduate opting-out at a future date.

It is up to you to determine the basis for processing this data and what actions you need to undertake to be GDPR compliant. It is important that you clearly communicate to students/graduates the differences between contact details processed for your own purposes and for delivering Graduate Outcomes.

What if a student/graduate wants to opt-out of the survey?

It is not compulsory for a graduate to complete the survey. Graduates will have the opportunity to explicitly refuse to take part in the survey at the point at which they are asked to complete it (around 15 months after they graduate).

Graduates or students have the right to object to HESA contacting them for the Graduate Outcomes survey. Objections can be made by emailing [email protected].

The student cannot opt-out of further contact from their provider through these routes. Students who wish to opt-out of further contact from their provider must do so through direct contact with the provider.

What information must we provide to students?

In June 2017 the data protection contacts at all HE providers were contacted with details of the Student Collection Notice. It is vital that this notice is available to all students as it includes a section outlining the processing of data for surveys of graduates. This notice is updated annually and made available to students via their universities.

This collection notice applies to the agreed Graduate Outcomes survey questions. These are the core survey questions and the opt-in question banks approved by the Graduate Outcomes governance process.

What further data protection information will be given to graduates at the time of the survey?

The survey will be accompanied by a further Graduate Outcomes survey collection notice informing graduates of the uses of their survey responses.

For the first year of Graduate Outcomes there will not be an option to add your own provider questions to the survey. If this option becomes available in the future you will need to ensure that this is covered appropriately in your own privacy notice(s) at the time of conducting the survey.