Skip to main content

Information for providers undergoing a merger

The below information is relevant to higher education providers who are involved, or soon to be involved, in a merger or acquisition. 

Providers should notify HESA, part of Jisc, and their funder/regulator as soon as possible when considering this kind of transaction so that support with statutory data submissions can be provided. To formally notify us of an upcoming or confirmed transaction, please contact [email protected].

What to expect from HESA

Once HESA have been notified of a provider’s merger or acquisition, the provider will be contacted and guided through the following steps: 

  • The provider will need to complete a merger/ demerger checklist which collects details on the merger and is the method through which the provider will provide the necessary due-diligence assurances to HESA. HESA will send the merger/demerger checklist to the provider via a system called OneTrust.
  • The completion of the checklist by the provider may be an iterative process. We may raise questions within the OneTrust checklist which will then be sent back to the provider for review.
  • Once the checklist element has been completed, and requirements have been received from the primary regulator/funder, we will make any amendments to existing legal agreements to reflect the merger or acquisition.  
  • Providers will be given appropriate Identity System access to fulfil the necessary requirements as set out by the primary regulator/funder.
  • We reserve the right to charge an administration fee to providers undergoing a merger or acquisition to reflect the additional administrative resource required. We will discuss the additional fee directly with impacted providers on a case-by-case basis.

There will be ongoing communication with key operational contacts at impacted provider(s), as well as the relevant regulator, to facilitate the above steps. This may involve sharing responses to the checklist with the relevant primary regulator/ funder.

Data protection considerations 

Providers should pay particular attention to this guidance as appropriate data protection assurances will need to be communicated via the checklist.

In December 2020, the ICO published the Data Sharing Code, a statutory code of practice, under section 121 of the Data Protection Act 2018. The Data Sharing Code serves as a practical guide for organisations (including higher education providers) about how to share personal data in a way that enables sharing whilst complying with data protection laws.

We encourage you to consult with key Data Protection and Compliance personnel within your organisation when completing the checklist.

Our merger process

HESA, part of Jisc, has an obligation to ensure that receiving and sharing personal data with merged entities is in compliance with data protection laws and with the Data Sharing Code.

Our merger process and checklist confirms that the necessary actions have been taken by the merged entities in compliance with the Data Sharing Code. It’s therefore essential that we receive the completed checklist from providers as soon as possible.

Where the necessary actions have not been taken, we will consider whether it is lawful to receive from and share data with the relevant organisation(s).

Please contact [email protected] if you have any further questions related to the information above.

Useful information

Provider changes and mergers

PDF copy of Merger/Demerger checklist