Information for providers undergoing a merger
The below information is relevant to higher education providers who are involved, or soon to be involved, in a merger or acquisition.
Providers should notify HESA and their funder/regulator as soon as possible when considering this kind of transaction so that support can be provided. Please contact [email protected].
What to expect from HESA
Once HESA have been notified of a provider’s merger or acquisition, the provider will be contacted and guided through the following steps:
- The provider will need to complete the merger checklist, which collects details on the merger and provides guidance on HESA’s requirements throughout the process.
- HESA will review the completed checklist and make any amendments to existing legal agreements to reflect the merger or acquisition.
- HESA will set out provider submission requirements following the completion of the merger or acquisition. Providers will be given appropriate HESA Identity System access to fulfil the necessary requirements.
- HESA reserves the right to charge an administration fee to providers undergoing a merger or acquisition to reflect the additional administrative resource required. HESA will discuss the additional fee directly with impacted providers on a case by case basis.
There will be ongoing communication with key operational contacts at impacted provider(s), as well as the relevant regulator, to facilitate the above steps.
Data protection considerations
Providers should pay particular attention to this guidance as appropriate data protection assurances will need to be communicated to HESA.
In December 2020, the ICO published the Data Sharing Code, a statutory code of practice, under section 121 of the Data Protection Act 2018. The Data Sharing Code serves as a practical guide for organisations (including higher education providers) about how to share personal data in a way that enables sharing whilst complying with data protection laws.
HESA's merger process
HESA has an obligation to ensure that receiving and sharing personal data with merged entities is in compliance with data protection laws and with the Data Sharing Code.
HESA’s merger process and checklist confirms that the necessary actions have been taken by the merged entities in compliance with the Data Sharing Code. It’s therefore essential that HESA receive the completed checklist from providers as soon as possible.
Where the necessary actions have not been taken, HESA will be obliged to consider whether it is lawful to receive from and share data with the relevant organisation(s).
Please contact [email protected] if you have any further questions related to the information above.