Skip to main content

Data protection for custom data requests

HESA's job is to collect, analyse, and share data, so data protection is pivotal in everything that we do.

Protecting the data of HE students and staff

We collect the information that higher education providers are legally obliged to provide to funding and regulatory bodies in England, Wales, Scotland and Northern Ireland. Students and staff don't give their consent for this data sharing, so we have ethnical as well as legal responsibilities to protect their data and share it only for specified legitimate research purposes.

What can HESA data be used for?

The Collection Notices are the privacy information we provide for students and staff. This explains what the data is used for including statistical research into higher education for academic, commercial, journalistic or personal reasons. HESA data must not be used to identify individual people or make decisions about them.

How much data can HESA share?

The GDPR principal of data minimisation means we will only supply the minimum amount of data, at the minimum level of detail, necessary for any particular research purpose. This is why we always ask what data will be used for, and what question researchers are trying to answer, before we share any data.

If a question can be answered with data that has been rounded we will offer data in this format. If a large and detailed dataset is needed we may ask for more details about the information security policies and procedures of the organisation requesting the data.

What are the license terms for using HESA data?

The Agreement for the Supply of Information Services sets out what users can and can't do with HESA data. The agreement specifies:

  • The disclosure control that must be applied to prevent identification of individuals from reports. This is nearly always the HESA Standard Rounding Methodology,
  • The permitted purposes for which the data may be used,
  • The end date on which the original data must be deleted (secondary analysis and reports don't need to be deleted),
  • If the data supply is larger or more detailed the individuals who are permitted to have access to it. 

Protecting the data of customers and colleagues

The Privacy Information page describes the various ways in which HESA processes the personal data of customers, colleagues, stakeholders, website users and anyone else who interacts with HESA.

For more information about HESA and data protection please start from our data protection home page, or contact [email protected].