OfS privacy
Information security
The majority of the OfS’s information is held in our IT systems. This enhances our ability to use, communicate, share and store information in a variety of ways, drawing on the capability of new technology.
This capability enables the OfS to use the information in its possession to act as the authoritative voice for higher education by informing policy, raising challenging questions and functioning efficiently in our role as a funder and regulator of the higher education sector in England.
At the same time, we recognise that using new technologies also brings a risk of the inadvertent, uncontrolled loss of information.
We support the government’s efforts to manage information owned and used by the public sector in a secure way that is designed to protect the confidentiality, integrity and availability of business and personal information.
This page describes our approach and commitment to protecting the information we hold.
We aspire to provide a consistently high quality service to our stakeholders. This requires our approach to the management of IT and communication to be supported by robust and secure systems and processes that protect information and personal data.
We seek to protect our information assets, including personal data concerned with our policy analysis and funding roles, wherever, however, and whenever they are created, processed, transmitted, shared or stored.
Our intention is to protect our information assets from misuse of any type, including unauthorised disclosure, modification and destruction. We manage the development and continuous improvement of our information security processes by drawing on UK government and international standards. For example, we hold Cyber Essentials Plus certification for cyber security.
Verify our certification details on the IASME website
This is achieved through:
- using cross-organisational groups with oversight of this work
- assigning senior and other roles with specific responsibilities in this work
- using regularly reviewed policies, procedures, guidance and technical responses to issues arising which staff and others are required to follow
- all staff completing mandatory training on data protection and information security, upon joining the organisation and annually thereafter
- training and awareness-raising activity for staff to promote compliance with our data protection and wider information security policies
- keeping personal data confidential and intact, and making it available only to those staff who need access, by restricting access accordingly
- having data sharing agreements in place with organisations with whom we share personal data (whether as data controller or processor)
- ensuring that data protection features in routine business contracts
- operating restrictions on the transmission of personal data, particularly overseas
- a range of physical, technical and organisational security measures, for example access control, encryption and secure collection of data via the OfS Portal.
Our information security policies are designed to support staff in protecting the information assets that we hold from all threats, whether internal or external, deliberate or accidental. These policies are a blend of technical, behavioural, cultural, ethical and process driven approaches to information security.
As a relatively small organisation, we are able to maintain a high level of consistency and awareness in our information security management system and are able to adapt swiftly to changing threat landscapes.
We use Microsoft 365 Copilot (Copilot) to enhance staff productivity and efficiency.
Copilot utilises large language models (LLMs), a type of artificial intelligence (AI) algorithm that uses deep learning techniques to understand, summarise, predict, and generate content.
We use these tools to help summarise information (such as emails, Teams chat messages, meeting transcripts and documents), for example to prepare for meetings, create and format documents, and generate content such as draft emails or presentations. They also assist with notetaking and idea generation to support efficient communication and decision making.
Any data used with Copilot is stored in, and stays within, our secure UK Microsoft 365 and Azure tenants, and is not used to train foundation models.
We may collect audio and visual recordings, as well as transcripts, of conversations held using Microsoft Teams. The transcription function in Teams allows Copilot to produce some of the outputs referred to above. Recordings and transcripts are automatically deleted after 120 days. This information may be kept for longer if it is necessary to fulfil the purpose it was collected for, including to comply with our regulatory duties, any legislative obligations, or reporting or accounting requirements. All Copilot prompts and responses are kept for up to one year.
We are also developing an internal AI tool to support, inform and help monitor our regulatory and strategy processes, in line with the OfS strategy. We will use this tool to help summarise information provided by higher education providers, to streamline processes such as registration and ongoing monitoring of compliance with conditions of registration.
Where we use individuals’ personal data with AI, this may be processed under one of:
- Our public task, to fulfil our legal and statutory duties e.g. to help our staff determine whether a provider is complying with conditions of registration.
- A legitimate interest e.g. to help our staff with sifting through large amounts of applications in our recruitment processes.
For more information, please refer to our general privacy notice, which explains when AI is used within each processing activity.
Although AI is used as a tool to support decision making, decisions are not taken solely through automated means and are subject to human involvement.
We will continue to monitor our use of AI to review the risks and benefits of this deployment. Any extension of our use will be considered under our risk assessment processes and privacy notices will be updated accordingly.
Part of any organisation’s commitment to maintaining the confidentiality, integrity and availability of its information is to have in place a way to protect its resources in the event of a serious incident that affects its ability to carry out its business.
The OfS therefore has in place a business continuity plan, which takes into account the risks we face, and which incorporates a disaster recovery plan. The key features of these plans are:
- Our main servers (and therefore our data) are offsite in a secure facility
- The network we use is managed by professional staff who operate a cybersecurity protection service from which we benefit
- Our technical infrastructure operates with a number of firewalls to protect against external attack
- We use anti-virus and anti-malware software, security certification, adopt a standard approach to patching, use two-factor authentication and complex passwords for access to systems, and operate perimeter and other physical controls
- We can monitor activity across our network
- We test our controls to ensure their effectiveness
- Staff can access critical parts of our systems using secure remote access so critical functions can continue in the event of an emergency
- Our key processes and operating procedures are documented
- We have made assessments of the action we would take in a number of scenarios.
To support staff responsible for the management and security of information, our governance function independently reviews and provides assurance over what we do.
We use our internal auditors to review information security arrangements regularly.
We meet the requirements of the Government (Cabinet Office) Security Policy Framework, which requires an annual self-assessment. We are also required periodically to provide assurance to government about aspects of our information security arrangements, for example in respect of the large datasets we hold, including those used to calculate OfS funding for institutions.
We regularly review our information security policies under the oversight of our Information Security and Data Privacy Group.
We report on our information security arrangements to our Audit Committee at least annually and make a statement about these arrangements in our annual accounts.
27 April 2026 - Updated section on our approach to information security and added section on AI use.