You need cookies enabled

Cookies

You need cookies enabled
How we may use your personal information

HEFCE is committed to protecting your personal information and being clear about what information we hold about you and how we use it. This privacy notice tells you what to expect when the Higher Education Funding Council for England (HEFCE) collects personal information. It applies to information we collect about:

  • students (current and former)
  • staff (current and former) at higher education providers or other organisations that we work with
  • visitors to our website, blog readers and recipients of our newsletter and alerts
  • members of the public or stakeholders that we engage with
  • people who make a disclosure, raise a complaint, have a query or make a request under information access legislation (Freedom of Information Act, Environmental Information Regulations, Data Protection subject access request)
  • job applicants and our current and former employees
  • visitors to our premises and onsite contractors.

How to use this privacy notice

Select and view the relevant sections below to see how we use your personal information depending on the services we are providing to you.

We will let you know if we make any changes to this privacy notice by revising the updated date, placing an alert on our website or by corresponding with you directly.

The services we provide are directed at learners aged 13 and over.

Request more information

This privacy notice does not provide exhaustive detail of all aspects of HEFCE’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. If you would like to request information about our privacy policies you can email us or write to:

Private and confidential
Data Protection and Information Manager
HEFCE
Nicholson House
Lime Kiln Close
Stoke Gifford
BRISTOL
BS34 8SR

Why we hold personal information

We process personal information to enable us to fulfil our public tasks including our responsibilities as the lead regulator for higher education in England. This function is directed by the secretary of state and is in accordance with our legal obligations including those described in the Further and Higher Education Act 1992. We also have a role in monitoring the performance by higher education providers of their 'prevent' duty under the Counter-terrorism and Security Act 2015.

Personal information is also used for:

  • promoting and administering our services
  • maintaining our accounts
  • administrative purposes
  • supporting and managing our staff
  • awarding and assessing benefits, grants and loans
  • journalism and media
  • property management
  • education. 

How we protect the personal information we hold

Some of the data we hold is sensitive personal data as defined by Data Protection legislation. We take our responsibilities to safeguard such data seriously.

We protect the personal data we hold under a framework of measures, including:

  • maintenance of an information asset register that provides a snapshot view of all of our information, its business purpose, its location and how it is secured
  • a range of physical, technical and organisational security measures, for example,. access control, encryption, secure collection of data over our extranet
  • the use of fair processing notices so that individuals about whom we hold data are aware of why we hold it (noting that we have a statutory right to hold data relevant to our public role)
  • only keeping personal data for legitimate reasons
  • keeping personal data confidential, retaining its integrity but making it available (through restricting access) only to those staff who need access
  • have data sharing agreements in place with organisations with whom we share personal data (whether as data controller or processor)
  • ensuring that data protection features in routine business contracts
  • operating restrictions on the transmission of personal data, particularly overseas
  • internal policies with which staff and others are required to follow
  • training and awareness raising activity for staff to promote compliance with our data protection and wider information security policies.
Students (current and former)

Personal information about current and former students is processed in order to inform policy development, policy analysis and research.

What kind of information is held?

The personal information processed either by us or on our behalf may include:

  • name
  • contact details
  • family details
  • social circumstances
  • financial details
  • educational records and attainment
  • career progression
  • income.

The sensitive types of information may include:

  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs.

Who is this information shared with?

Where necessary or required this information may be shared with:

  • education providers with which you have a connection
  • survey and research organisations working on our behalf
  • other public sector bodies
  • agents or service providers
  • individual researchers and contractors.

How is this information collected?

Much of the information HEFCE holds about students is collected from other sources. If you have attended an educational establishment in the UK since 1994 then we will hold personal data about you in some or all of the following databases:

If you have participated in a programme specifically funded by us we will hold data in connection with that programme, for example:

Find more information about the data analysis and research work that we do on our website

Staff (current and former) at higher education providers or other organisations that we work with

Personal information about current and former staff at higher education providers is processed in order to inform funding, policy development, policy analysis and research.

What kind of information is held?

The personal information processed either by us or on our behalf may include:

  • name
  • contact details
  • family details
  • social and individual circumstances
  • financial details
  • educational records and attainment
  • career progression
  • income.

The sensitive types of information may include:

  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs.

Who is this information shared with?

Where necessary or required this information may be shared with:

  • survey and research organisations working on our behalf
  • other public sector bodies
  • agents or service providers
  • and individual researchers and contractors.

How is this information collected?

Much of the information HEFCE holds about staff is collected from other sources. If you have worked at an educational establishment in the UK since 1994 then we will hold personal data about you in some or all of the following databases:

Staff related inherited liabilities (pension information)

Read more about inherited staff liabilities

HEFCE makes payments to local authorities, specific pension funds and higher education institutions to reimburse for pension increases under the local government superannuation scheme for people formerly employed at higher education institutions, teacher training colleges or institutions which provided further education or higher education or their dependants.

In order to make payments under this scheme we receive personal data from local authorities, specific pension funds and higher education institutions annually. The personal data we collect includes the following:

  • national insurance number
  • surname
  • first name or initial
  • sex
  • date of birth
  • original claimant or dependant.

Contact details

We maintain a database of contact details for key roles within higher education providers. Additionally we hold contact details and, where necessary, dietary requirements and access needs for panel members, advisers, working groups and other people we work with from time to time. In most cases contact details would be professional or 'work' addresses or numbers but may occasionally be private or 'home' details.

Visitors to our website, blog readers and recipients of our newsletters and alerts

When someone visits www.hefce.ac.uk we use two third party services, Google Analytics and SiteImprove, to collect information about how people use our website. We do this to help make sure that it is meeting your needs and to understand how we could do it better.

These services collect information about what pages you visit, how long you are on the site, how you got there and what links you follow. We do not collect or store your personal information (for example, your name or address) so this information cannot be used by us to identify who you are. We do not allow Google or SiteImprove to use or share our analytics data.

Cookies

Cookies are test files placed on your computer to collect standard internet log information and visitor behaviour information. HEFCE uses cookies to collect information about how people use our website.

You can read more about how we use cookies on our Cookies page or for further general information visit: www.aboutcookies.org or www.allaboutcookies.org.

Search engine

Our website search is powered by the Funnelback application. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either HEFCE or any third party.

HEFCE blog comments

We use a third party service, Disqus, to receive comments on our blog. See Disqus' privacy policy.

Members of the public or stakeholders that we engage with

People who attend our conferences or events

We use Eventbrite to manage our conferences and events, including event invitations, acceptances, contact details of invitees and delegates, dietary and access requirements.

Eventbrite processes data (including any personal data submitted by booking one of our events) outside of the European Economic Area. Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy.

If you prefer not to use Eventbrite for responding to a conference or event invitation, you may respond directly to us by contacting the event organiser using the details provided in the invitation.

We usually provide a list of delegates as part of the delegate pack for the conference or event. We will give you an opportunity to indicate if you do not wish your name, job title and institution or organisation to be included on the delegate list.

Our key policy events may have a member of staff taking informal photos of the event some of which may be published on our social media feeds. Photos will focus on speakers, but delegates may be captured incidentally. If you do not wish to be included in any photos please make this known to a member of staff at the beginning of the event.

People who respond to our consultations

We use SmartSurvey to carry out consultations with the sector and stakeholders. Information collected through SmartSurvey is stored on secure servers in the UK or EU and does not leave Europe at any point. Read SmartSurvey’s privacy policy.

People who call or email us

We may make a note of your contact details and information about the subject of your call so that we can deal with your enquiry. We do not electronically record or monitor telephone calls, other than when messages are left on an answerphone service. If your phone settings allow for caller line identification and broadcasting of your number this may be stored within our phone system (e.g. missed calls and address books).

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Where enquiries are submitted to us we will only use and retain the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

People who make a disclosure or complaint, or make a request to us under information access legislation

When we receive a disclosure, complaint or request we make up a file containing the details of the disclosure, complaint or information access request. This normally contains the identity of the disloser, complainant or requester and any other individuals involved.

We will only use the personal information we collect to process the disclosure, complaint or information access request and to check on the level of service we provide.

We will keep personal information contained in the disclosure, complaint or information access request files in line with our retention policy. This means that information relating to a disclosure, complaint or information access request will be retained for five years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

If you are making a disclosure or complaint about a university or college we use discretion in investigating your concerns. However, we are not able to guarantee confidentiality. In most cases the concerns will already be known to the provider, and any conversation we have with the institution about your disclosure or complaint, will in all likelihood, lead to your identity being deduced. Anonymous disclosures are received from time to time. Our policy is normally not to take action in response to these.

From time to time we may be asked to share information with other organisations in the event of a complaint about HEFCE itself, for example to assist the Parliamentary and Health Service Ombudsman in their work. In these circumstances, we are usually obliged to provide the information by law.

Read more about our complaints procedures

We may compile and publish statistics showing information like the number of complaints or requests we receive, but not in a form which identifies anyone.

Job applicants, current and former HEFCE employees

When individuals apply to work for HEFCE, we will only use the information supplied to us to process their application and to monitor recruitment statistics. Where we need to disclose information to a third party, for example because we want to take up a reference or obtain a ‘disclosure’ we will not do so without informing them beforehand unless the disclosure is required by law.

Personal information about unsuccessful candidates will be held for one year after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up employment with HEFCE, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with HEFCE has ended, we will retain the file in accordance with the requirements of our retention schedule and legal obligations, and then delete it.

Visitors to our premises and onsite contractors

All visitors to our premises will be asked to sign in to our visitors log and issued with a pass. Visitors must sign out and return the pass so that it can be shredded when they leave. Visitor details are retained on the log for one month and then destroyed. Visitors arriving by car will be asked to provide their car registration number so that they can be contacted in the event that they are blocking in other car park users.

CCTV is used for maintaining the security of property and premises and for preventing and investigating crime, it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.

Queries or complaints about our use of your personal information

HEFCE tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of personal information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. You can email us or write to:

Private and Confidential
Data Protection and Information Manager
HEFCE
Nicholson House
Lime Kiln Close
Stoke Gifford
BRISTOL
BS34 8SR

Access to personal information

HEFCE tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998.

Learn how to make a subject access request for your personal data

We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate using the address details provided.

Disclosure of personal information

There are circumstances when we may disclose personal information without consent. For example, when we need to share personal information with:

  • the organisation concerned in the investigation of a complaint and with other relevant bodies
  • law enforcement agencies to prevent and detect crime
  • other Government departments, agencies or non-departmental public bodies
  • researchers or consultants acting on our behalf to produce anonymised statistics.
Links to other websites

This privacy notice does not cover the links within this site to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 20 December 2017 and is version 001.

Contact details of the Data Protection Officer

Under the General Data Protection Regulation we are required to appoint a Data Protection Officer (DPO). One of their tasks is to be the first point of contact for supervisory authorities and for individuals whose data is processed. Contact details for our DPO are as follows:

Pippa Thompson
Head of Knowledge and Information Management
HEFCE
Nicholson House
Lime Kiln Close
Stoke Gifford
BRISTOL
BS34 8SR

Email: p.thompson@hefce.ac.uk

Tel: 0117 931 7177