Data protection: Operational support for the collection and use of contact details
We have published detailed guidance on the data protection implications of Graduate Outcomes. Since publishing this, we have received several queries about what this guidance means in practice. This page addresses some of the most common queries we have received:
No. Contact details are processed by HESA under public interest grounds, not on the basis of consent.
HESA's processing of Graduate Outcomes data is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ in accordance with Article 6 (1)(e) of the General Data Protection Regulations (GDPR).
You collect contact details in order to provide accurate information to HESA to facilitate the delivery of the Graduate Outcomes survey.
You can use the contact details to undertake tasks which:
- Ensure the information you provide to HESA is accurate and comprehensive (for example, emailing graduates asking them to review and update their contact details).
- Support the delivery of the Graduate Outcomes survey (for example, contacting graduates to raise their awareness of the survey).
Contact details for graduates may be provided to HESA, and used to promote the Graduate Outcomes survey, without seeking further consent of students or graduates. Students have been informed about this contact, and the legal grounds for it, via the HESA Student Collection Notice.
Any other use of graduates' contact details are subject to your own status as a data controller under the General Data Protection Regulation (GDPR). HESA cannot offer data protection advice about other uses of graduates' contact details that are not related to Graduate Outcomes.
You are likely to routinely collect, and hold lists of, graduate contact details for your own purposes. Collection of contact details for Graduate Outcomes does not prohibit or hamper you also collecting contact details for these purposes.
The grounds for processing these details is likely to differ significantly from those which apply to processing details for the Graduate Outcomes survey. It is, for example, likely that these details will be processed on the basis of the graduate’s consent and will be subject to a graduate opting-out at a future date.
It is up to you to determine the basis for processing this data and what actions you need to undertake to be GDPR compliant. It is important that you clearly communicate to students/graduates the differences between contact details processed for your own purposes and for delivering Graduate Outcomes.
It is not compulsory for a graduate to complete the survey. Graduates will have the opportunity to explicitly refuse to take part in the survey at the point at which they are asked to complete it (around 15 months after they graduate).
Graduates or students have the right to object to HESA contacting them for the Graduate Outcomes survey. Objections can be made by emailing [email protected].
The student cannot opt-out of further contact from their provider through these routes. Students who wish to opt-out of further contact from their provider must do so through direct contact with the provider.
In June 2017 the data protection contacts at all HE providers were contacted with details of the Student Collection Notice. It is vital that this notice is available to all students as it includes a section outlining the processing of data for surveys of graduates. This notice is updated annually and made available to students via their universities.
This collection notice applies to the agreed Graduate Outcomes survey questions. These are the core survey questions and the opt-in question banks approved by the Graduate Outcomes governance process.
The survey will be accompanied by a further Graduate Outcomes survey collection notice informing graduates of the uses of their survey responses.
For the first year of Graduate Outcomes there will not be an option to add your own provider questions to the survey. If this option becomes available in the future you will need to ensure that this is covered appropriately in your own privacy notice(s) at the time of conducting the survey.