OfS privacy

Privacy notice

How to use this privacy notice

Use the links below to select the reason that we process your personal information and see the following details:

The specific personal information held and used
Our purpose for using the information
Our legal basis for using the information
Any information we obtain from other sources
Who we share the information with and the reason for this
How long we will retain your personal data for
A link to a more specific privacy notice (if applicable).

Unless otherwise stated we will not transfer your data to another country or do automated decision making.

Current or former student

I am a current or former student at a higher education provider in England

People who are current students at a higher education provider in England
People who used to be students at a higher education provider in England
People who have participated in a programme specifically funded by the OfS.

The specific personal information held and used	Name Date of birth Contact details Address Nationality Domicile Sex Family details Student identifiers Social circumstances Financial details Educational records and attainment Career progression Special category data: Physical or mental health details Racial or ethnic origin Religious or other beliefs Sexual orientation
Our purpose for using the information	We process personal information on students to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England. For further information on how we use data on students to support our regulatory responsibilities, please view the OfS data strategy.
Our legal basis for using the information	Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (see GDPR Article 6(1)(e)). Processing of special category data is necessary for statistical and research purposes in accordance with Article 89(1) and Schedule 1 part (4) of the DPA 2018 (see GDPR Article 9(2)(j)).
Any information we obtain from other sources	Much of the information we hold is collected from other sources, who may collect data from you directly, or via your educational provider. If you have attended an educational establishment in the UK since 1994, then we will hold personal data about you from some or all of the following sources:

Source	Contents	Link to further information
Higher Education Statistics Agency (HESA)	HESA Student record Graduate Outcomes survey (formerly Destinations of Leavers from Higher Education in the UK)	Further information from HESA
Student Loans Company	Student loans information	See the SLC's privacy notice
Education and Skills Funding Agency	Individual Learner Record	See ILR privacy notice
Department for Education	National Pupil Database (school record)	Find and explore data in the National Pupil Database
Department for Education	Longitudinal educational outcomes	Find Graduate outcomes (LEO) data
UCAS	Admissions data	See UCAS privacy notice
Pearson Education	Course data	See Pearson privacy notice

If you have participated in a programme specifically funded by us, we will hold data in connection with that programme.

We also collect information directly from students in student surveys. We produce bespoke privacy notices for direct student surveys - see ‘a link to a more specific privacy notice’ below.

Who we share the information with and the reason for this

Where necessary or required, this information may be shared with:

Education providers with which you have a connection
Survey and research organisations working on our behalf, for example to administer surveys and evaluate programmes we have funded
Other public sector bodies
Agents or service providers

How long we will retain your personal data for

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for including for the purpose to comply with any legal, reporting or accounting requirements.

Where student data is no longer necessary for ongoing functions, the data may be kept by the OfS for the purposes of archiving for historical research or statistical purposes. For personal data on students, the OfS considers archiving to be necessary to enable statistical analyses the OfS must perform in order to fulfil its functions.

A link to a more specific privacy notice (if applicable)

National Student Survey (NSS) - see the NSS privacy policy

Current or former employee of a higher education provider

I am a current or former employee of a higher education provider

People who are currently or formerly employed by a higher education provider in England.

The specific personal information held and used	Name Date of birth Provider name Demographic details Sex Identification number (HESA staff) Salary (for vice-chancellors and those holding similar roles in other providers) Employment details (including start date, end date, role type, academic discipline) Special category data: Physical or mental health details Racial or ethnic origin Religious or other beliefs Sexual orientation For further details on categories of personal data, please see the links to more specific privacy notices at the bottom of this table.
Our purpose for using the information	We process personal information to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England. For further information on how we use data on provider staff to support our regulatory responsibilities, please view the OfS data strategy.
Our legal basis for using the information	Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (see GDPR Article 6(1)(e)). Processing of special category data is necessary for statistical and research purposes in accordance with Article 89(1) and Schedule 1 part (4) of the DPA 2018 (see GDPR Article 9(2)(j)).
Any information we obtain from other sources	Much of the information that we hold about provider staff is collected from other sources. If you have worked at an educational establishment in the UK since 1994 then we will hold personal data about you from some or all of the following sources: Higher Education Statistics Agency (HESA) staff Provider returns
Who we share the information with and the reason for this	Where necessary or required this information may be shared with: Government departments or other public sector bodies Agents or service providers Survey and research organisations working on our behalf
How long we will retain your personal data for	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements. Where staff data is no longer necessary for ongoing functions, the data may be kept by OfS for the purposes of archiving for historical research or statistical purposes. For personal data on provider staff, OfS considers archiving to be necessary to enable statistical analyses the OfS must perform in order to fulfil its functions.
A link to a more specific privacy notice (if applicable)	See Registration privacy notice See HESA Staff data

Registration of providers

I am employed by a provider who is applying to register with the OfS

People who are submitting an application to the OfS Register, on behalf of their provider
People who are completing ‘fit and proper person checks’ as part of their provider’s registration process.

The specific personal information held and used	For the OfS Register: Provider’s contact details (address, email address, and telephone number), where this relates to an identified or identifiable individual rather than generic information. To undertake ‘fit and proper person’ checks, we need the following information about the accountable officer, chair of the governing body, all directors/trustees and individual shareholders: Legal first name Surname Role title Month and year of birth
Our purposes for using the information	For publication on the Register, where contact details for general enquiries relate to an identifiable individual To show who developed and authorised the submissions to meet registration conditions – for our internal use only To maintain contact between the OfS and the provider regarding its entry on the Register - for our internal use only To add contact details to the OfS database which we will use to consult with providers to inform funding, policy development, policy analysis and research To assess your application for registration and the status of registration, as well as your provider’s continuing compliance with any ongoing conditions of any subsequent registration Using personal information collected to undertake ‘fit and proper person' tests when necessary. To fulfil any of our other statutory functions or legal requirements from time to time.
Our legal basis for using the information	Article 6(1)(c) – where the processing is necessary for compliance with a legal obligation to which the controller is subject Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Please refer to the specific privacy notice for further information on the relevant legal obligations and public tasks.
Any information we obtain from other sources	Other than the personal information collected from you directly, we also obtain personal information about you from other sources, if needed, for fit and proper person checks: Government departments or other public sector bodies (such as Companies House or the Insolvency Service) Agents or service providers.
Who we share the information with and the reason for this	We will share your personal information to some other organisations for specific reasons, as explained below: Synectics Solutions Ltd Government departments or other public sector bodies Agents or service providers The OfS uses a third party organisation, Synectics Solutions Ltd, to assist with ‘fit and proper person’ checks. Please refer to the specific privacy notice for further information about how we use Synectics Solutions. We will not disclose your information to any other organisation other than those listed except where required to do so as part of our functions or by law.
How long we will retain your personal data for	We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. For continuing providers, we will retain details of key individuals as long as they are required for the registration process and for a further seven years. For deregistered providers, we will retain details of key individuals for seven years following deregistration. For unapproved providers, we will retain details of key individuals for seven years following the decision not to register. After these points, your personal information will be confidentially and securely disposed of. We will also keep information published on the Register for as long you are registered. As part of The National Archives fulfilment of the Public Records Act, the published Register will be archived twice a year.
A link to a more specific privacy notice (if applicable)	See the Registration privacy notice See Synectics Solution’s privacy policy

Information about our stakeholders

I am a stakeholder or a member of a board, committee or panel who regularly interacts with the OfS

People who are currently or formerly board, committee and panel members
People who are stakeholders working together, or interacting with, the OfS.

The specific information held and used	Title and name Work email Work telephone number Name, email and telephone number of Personal executive assistant (if provided) Dietary requirements and access needs where necessary for meetings held in person
Our purpose for using the information	As an independent regulator, the OfS needs to communicate regularly with its stakeholders in the higher education sector, government departments and other sector bodies. These stakeholders include chief executive officers of sector bodies that we work with and officers in government departments. In order to ensure that we can communicate with our stakeholders effectively, the OfS maintains a database of contact information for stakeholders. In addition: Processing allows the OfS to inform members about activities, meeting dates and send documents relating to group matters To maintain a record of working groups and members involved with student support networks.
Our legal basis for processing your personal information	Our legal basis for holding this information depends on the reasons why we need to contact you: GDPR Article 6(1)(e) - We may need to contact you in order to meet our statutory functions as a regulator and because it is necessary to fulfil our public tasks) Or GDPR Article 6(1)(f) - We may have another ‘legitimate interest’ in contacting you, for example if OfS staff are meeting with you, they will have a legitimate need for your contact details in order to arrange the meeting.
Any information we obtain from other sources	We obtain this information directly from stakeholders and their interactions from us. There will also be circumstances where we need to obtain your contact information from another source, so that we can contact you to meet our public task or a specified legitimate interest. For example, if you have recently joined a sector body that we work with and we do not have your contact details, we may need to obtain your details from a public source, such as your organisation’s website.
Who we share the information with and the reason for this	We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law.
How long we will retain your personal data for	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements. Board, committee and panel records are retained seven years from date of last document.
A link to a more specific privacy notice (if applicable)	Stakeholders can subscribe to receive emails and news alerts from the OfS. Please refer to the section 'Staying informed' for this privacy information.

OfS consultation and survey respondents

I’m responding to an OfS consultation or a survey

People who respond to one of our consultations or surveys.

The specific personal information held and used	The categories of personal information collected will vary depending on the specific consultation or survey. However, the information needed will include some or all of the following: Name Email address Organisation Job role Demographic data such as: Sex Age Special category data such as: Racial or ethnic origin The specific information collected will be set out in the individual privacy notice for each consultation and survey.
Our purpose for processing the information	We use personal information about you in order to understand who has responded to the consultation or survey, and respondents’ views with the aim of being able to understand the different perspectives of stakeholders. We may also contact you for any queries relating to your responses.
Our legal basis for using the information	Unless otherwise specified the legal basis for processing your information is Article 6(1)(e) public task. The legal basis for processing your personal information is that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Where special category data is collected, the relevant condition is Article 9(2)(a) explicit consent given by the respondent.
Who we share the information with and the reason for this	Your data will not routinely be shared with any other organisations. Unless otherwise specified, responses are collected via SmartSurvey. Information collected through SmartSurvey is stored on secure servers in the UK or EU and does not leave Europe at any point. See the SmartSurvey privacy notice
How long we will retain your personal data for	Each consultation and survey will indicate a time period as to how long personal information will be held for. After that point, your personal information will be confidentially and securely disposed of.
A link to a more specific privacy notice or information page (if applicable)	See the SmartSurvey privacy notice

Attending an OfS conference or event

I am attending an OfS conference or event

Invitees and delegates of in-person conferences or events organised by the OfS.

The specific personal information held and used	If you choose to attend one of our events, you will be asked for the following: Name Job title Organisation Contact details (email address, telephone number and postal address) The capacity in which you will attend the event How you heard about the event If you are offered a place, you will be invited to tell us about any dietary requirements or access provisions you may need. We won’t share this information in an identifiable way with the conference venue.
Our purpose for using the information	Our purpose for collecting this information is so that we can manage our conferences and events, including event invitations, acceptances, contact details of invitees and delegates, dietary and access requirements. We use Eventbrite to manage our conferences and events. If you prefer not to use Eventbrite to respond to a conference or event invitation, you may respond directly using the contact details provided in the invitation. When you register for an OfS event using an Eventbrite form, you will be presented with a summary of how any personal information submitted will be used. The summary privacy information also includes a link to a more detailed privacy notice. We usually provide a list of delegates as part of the delegate pack for the conference or event. We will give you an opportunity to indicate if you do not wish your name, job title and institution or organisation to be included on the delegate list. Our key policy events may have a member of staff taking informal photos of the event, some of which may be published on our social media feeds. Photos will focus on speakers, but delegates may be captured incidentally. If you do not wish to be included in any photos, please make this known to a member of staff at the beginning of the event.
Our legal basis for using the information	To ensure the effective management and running of OfS events: Article 6(1)(f) legitimate interests Access and dietary requirements: Article 9(2)(a) explicit consent
Who we share the information with and the reason for this	We share information on numbers of delegates as well as access and dietary requirements (where supplied) with the conference venue or other event suppliers but not in way that identifies individuals.
Your rights over your personal information	Information about access and dietary requirements - Withdrawal of consent Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected] Once consent is withdrawn, we will destroy all relevant personal information unless we are relying on a different legal basis to justify keeping your personal information. If that is the case, we will tell you in writing. However, withdrawing your consent does not affect the lawfulness of processing based on consent before you withdrew consent.
Whether we intend to transfer information to another country	Eventbrite processes data (including any personal data submitted by booking one of our events) in the USA. Because this means your information will be held outside the UK we have assessed the risks with storing your personal information in this country and are satisfied that it will not be put at any undue risk as a result. The reasons for this are there is an appropriate transfer mechanism in place (Standard Contractual Clauses) and an adequate level of protection for the nature of the personal data to be transferred. Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy. If you prefer not to use Eventbrite for responding to a conference or event invitation, you may respond directly to the OfS by contacting the event organiser using the details provided in the invitation.
How long we will retain your personal data for	We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. The personal information you have submitted will be kept for one month after the event. After that point, your personal information will be confidentially and securely disposed of. Eventbrite keeps registrations indefinitely.
A link to a more specific privacy notice or information page (if applicable)	See Eventbrite’s privacy policy See OfS events page

Attending an OfS webinar or other online event

I am attending an OfS webinar

People who participate in our webinars for events, workshops and conferences.

The specific personal information held and used	Name Email address Job title Organisation Collecting device and location information IP address Local IP (IP of device) Network type Type of microphone (for presenters) Data centre Collection type (joining and leaving webinar reasons and times)
Our purpose for processing the information	The OfS holds webinars, events, workshops and conferences to promote its work as a regulator and to support its statutory functions. Zoom and Microsoft Teams are the software used to deliver and manage webinars, allowing participants to log in and attend webinars at the time or view the webinar later.
Our legal basis for using the information	Article 6(1)(f) - legitimate interests We have a legitimate interest in collecting your personal information to ensure that the OfS has the necessary information to host webinars effectively, and to also ensure only invited individuals attend webinars or view webinars later.
Any information we obtain from other sources	Data subject - when you register with Zoom or log in to Zoom to attend a webinar or view a webinar. We also use Teams to host external meetings and events. Since Teams doesn’t have a registration tool, we use Eventbrite to allow attendees to register for an event we host on Teams.
Who we share the information with and the reason for this	As your personal information will be submitted by logging in to Zoom or Microsoft Teams, any personal information you submit will be stored by, and accessible to, Zoom and Teams. Zoom processes personal data in accordance with its own privacy policy. In addition, if you use an Eventbrite form to register for an OfS event hosted on Teams, any personal information submitted in the form will be stored by, and accessible to, Eventbrite. Eventbrite processes personal data in accordance with its own privacy policy. We will not disclose your information to any other organisation except where required to do so as part of our functions or by law.
Whether we intend to transfer to another country	Eventbrite is based in the United States. If you choose to register for an event through Eventbrite, any personal information you submit will be transferred to the United States.
How long we will retain your personal data for	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for. If you choose to attend a webinar through Zoom or Teams, any personal data processed will be retained for as long as is considered necessary by Zoom or Teams, and in accordance with their privacy policies (see relevant links below). Your personal information will be stored in the European Union/EEA. This means that your personal information is protected under the GDPR. Zoom, in certain cases, will transfer data from the EU. Cloud recordings are retained for 30 days, and meeting metrics are retained for 12 months. If you choose to register for an event through Eventbrite, any personal data processed will also be retained for as long as is considered necessary by Eventbrite, and in accordance with their privacy policy (see relevant link below). Eventbrite is based in the United States and so any personal information you submit to Eventbrite will be stored in the United States and processed in accordance with their privacy policy.
A link to a more specific privacy notice or information page (if applicable)	See Zoom's privacy notice See the Eventbrite privacy notice See Microsoft's privacy notice

Social media users

I am interacting with OfS social media

Information we gather through social media platforms.

The specific personal information held and used	Public social media profiles Public social media posts Username Followers/networks Online behaviour, for instance likes and re-tweets. Personal data is provided by social media platforms and other public sources.
Our purpose for processing the information	In line with the OfS’s social media strategy and student engagement strategy, the purpose is to use social media to understand what the wider public is saying about the Office for Students and the sentiment and conversations around other topics relevant to students and the higher education sector. To achieve the above aim, we will use a social listening tool to generate aggregate level reports about trends and insights across the higher education sector.
Our legal basis for using the information	Article 6(1)(e) – public task The lawful basis for processing your personal data is it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, use of the tool relates to s35 of the Higher Education Research Act 2017, where the OfS’s role is to provide advice on good practice.
Any information we obtain from other sources	We will use a social listening tool to analyse posts from social media accounts, which are available online.
Who we share the information with and the reason for this	The OfS will not be sharing any personal data, as the data the tool provides is aggregated. We will not disclose your information to any other organisation except where required to do so as part of our functions or by law.
Whether we intend to transfer to another country	No
How long we will retain your personal data for	Aggregate reports, which are anonymised, will be retained by the OfS for a maximum of five years. Any personal data that underpins the aggregate reports will be retained by the social media monitoring and listening company for a maximum of five years.
A link to a more specific privacy notice or information page (if applicable)	See the privacy notice for OfS analysis of social media

Signed up to receive information

I have given permission or signed up to receive information about OfS news, events and opportunities to be involved in the work of the OfS

People who have subscribed to receive emails about OfS events
People who have subscribed to receive the OfS newsletter
People who have subscribed to receive emails about OfS alerts
People who have subscribed to receive the OfS monthly update
People who have subscribed to receive OfS ‘Student Spotlight’ alerts
People who have subscribed to receive charity regulation alerts
People who have subscribed to receive Prevent monitoring alerts

The specific personal information held and used	If you subscribe to our monthly newsletters, alerts, information and updates you will need to provide your name and email address.
Our purpose for using the information	We will use your information to send you our monthly newsletters, alerts, information about upcoming events and opportunities to be involved with OfS work.
Our legal basis for using the information	Article 6(1)(a) - consent (by subscriber)
Who we share the information with and the reason for this	The OfS uses Mailchimp as our marketing platform. Your personal data will be shared with Mailchimp for processing in accordance with their privacy policy. When you subscribe to our newsletter, and any of our alerts or monthly updates, your name and email address will be stored by Mailchimp on servers in the United States.
Whether we intend to transfer to another country	Mailchimp is based in the United States and any personal data submitted when you subscribe will be processed in the United States according to Mailchimp’s own privacy policy.
How long we will retain your personal data for	Data will be held until consent is withdrawn. The personal information you provide will be deleted when you unsubscribe; this may take up to a week.
Link to more specific privacy notices	See the privacy notice for OfS Student Spotlight alerts See Mailchimp’s privacy policy

Third-party services

I am a third-party supplier to the OfS

People or organisations that provide unique services or goods to the OfS.

The specific personal information held and used	Name Job title Personal signature Organisation name Contact details (email, telephone) As part of the credit checks (carried out by a third party, see ‘any information we obtain from other sources’), we process the following information of Persons of Significant Control: Title Name Date of birth (month and year) Address Job title Nationality Appointment date Occupation
Our purpose for processing the information	The OfS needs to collect personal data to help us communicate with you as part of the procurement process. We may also need to collect personal data to enable us to perform background checks (such as credit checks) on the bidding organisation, which can be necessary as part of the procurement process. The personal data you provide to the OfS as part of the procurement process is necessary to ensure that we are able to undertake the required due diligence processes for bidding organisations. We retain any personal data collected through the procurement process to support on-going contract management.
Our legal basis for using the information	Article 6(1)(e) - public task Article 6(1)(c) - legal obligation
Any information we obtain from other sources	We use a third party for credit checks – Creditsafe
Who we share the information with and the reason for this	We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. However, we are required to publish contract award notices on our website. This includes who the contract was awarded to, a contact name, phone number and email address.
How we store your personal data	We use a third-party company, BiP Solutions, for managing and storing procurement records. Information related to your tender is accessible via a portal (Delta e-sourcing). All information is stored within the EU.
Retention period	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements. Contracts not under seal: Seven years from end of contract Invitation to tender; successful tender documents: Seven years from date of last document Unsuccessful tender documents; tender evaluation documents: Three years from date of last document
A link to a more specific privacy notice or information page (if applicable)	See the Delta e-sourcing privacy policy

Recruitment

I am applying for a job with the OfS

Job applicants (current or former).

The specific personal information held and used	The personal information we will collect and use as part of the application process is: Name Address Telephone number Email address Qualifications Work history Optional special category data (you can select ‘prefer not to say’ for all these categories): Ethnicity Disability Gender identity Religious belief Sex Sexual orientation Unpaid caring responsibilities If we invite you to an interview, we will ask if you require any reasonable adjustments to be made in relation to the interview process. This information will be held and used separately from the application form. Some roles require you to take an online assessment. If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks and health questionnaire: Name Address Date of birth Proof of identity Proof of your qualifications Criminal records declaration Some roles require a higher level of security clearance and, if this is the case, we will let you know. If we make a final offer, we will also ask for the following: Bank details Emergency contact details NI number Any membership of a Civil Service Pension scheme.
Our purpose for processing the information	We will use your information for the following purposes: to process your application to invite you to interview (if relevant) for referencing, pre-employment checks and onboarding on appointment to monitor applicant pools for our equality and diversity data (you may prefer not to supply this data) we publish non-identifiable data under our Public Sector Equality Duty we are a Disability Confident employer and may ask for certain information to enable us to carry out our responsibilities in this area - for example, making reasonable adjustments for the interview process. Our hiring managers shortlist applications for interview. You must successfully complete pre-employment checks to progress to a final offer. We are legally required to confirm your identity and right to work in the UK. If you choose to supply equality and diversity data, we will not make this information available to any staff outside our recruitment team (including hiring managers) in a way that can identify you. Your application will not be affected if you choose not to supply equality and diversity data.
Our legal basis for using the information	Legitimate interests – the OfS has a legitimate interest in processing your personal data to administer and consider your application. Explicit consent – for special category data (e.g. ethnicity, gender, disability) should you choose to submit such information. Contract – where processing is necessary to perform a contract or take steps, at your request, before entering a contract. Legal obligation – for us to establish and record the right to work, security checks, if you provide us with any information about reasonable adjustments so that we can comply with our obligations under the Equality Act 2010.
Any information we obtain from other sources	Other than the personal information collected from you directly, we also obtain personal information about you from other sources: Pre-employment checks, including references and DBS check on appointment only.
Who we share the information with	Other than the organisations listed below, we will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. We use Workday Recruiting to manage the application and selection process. Pre-employment checks: DBS checks are carried out for us by Atlantic Data We use Maximus Health Management to administer health questionnaires.
Your rights over your personal information	Equality and diversity data - withdrawal of consent Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected] Once consent is withdrawn, we will destroy all relevant personal information unless we are relying on a different legal basis to justify keeping your personal information. If that is the case, we will tell you in writing. However, withdrawing your consent does not affect the lawfulness of processing based on consent before you withdrew consent.
Whether we intend to transfer to another country	Your personal information held on Workday will be stored securely within the European Economic Area (in Ireland and backed up in Germany) and will not be transferred outside that territory unless required by a court order. The UK has agreed that countries within the EEA provide an equivalent level of safeguards for the processing of personal data.
How long we will retain your personal data for	We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. Unless you are appointed, the personal information you have submitted will be kept for one year after the job has closed. After that point, your personal information will be confidentially and securely disposed of.
Cookies	Our careers site (Workday) uses strictly necessary cookies to allow the site to function properly and to enable the successful communication between the end-user and the service, as follows: Session management cookies - User, device and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. Routing cookies - To forward requests for a single session to the same server for consistency of service. These cookies expire at the end of the session. Application Security Management (ASM) cookies - To help protect web applications and infrastructure from security attacks. These cookies expire at the end of the session.
A link to a more specific privacy notice or information page (if applicable)	Information about the measures that Workday has in place to keep your information secure. See Workday security information See Atlantic data's privacy statement (DBS checks) See Maximus health management privacy policy (Health questionnaire) Information about working for the OfS can be found on our careers page. Further details about how we process the personal information of our employees is provided in a separate privacy notice.

Requesting information held by the OfS

I am submitting a request under access to information legislation

People who submit a request for information under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004.
People who make a subject access request or another request about their information under data protection legislation.

The specific personal information held and used	Name Contact details Form of identification (where required)
Our purpose for processing the information	We use your name and contact details so that we can respond to your request for information. If you are making a subject access request, we may require identification so that we can verify your identity.
Our legal basis for using the information	Article 6(1)(c) - compliance with our legal obligations under information rights legislation
Who we share the information with and the reason for this	We will not routinely share your personal information; however, in some circumstances we may need share your details with third parties so that we can respond to your request.
How long we will retain your personal data for	Information will be kept in line with our retention policy. This means that information related to your request or subsequent appeals will be retained for five years from date created.
A link to a more specific privacy notice or information page (if applicable)	See information about making a request See our Retention Schedules

Notifications about providers

I am making a notification about a provider

Students, staff members and others who wish to let us know about an issue within a university or college registered with the OfS.

The specific personal information held and used	Name Email address Telephone number Any other personal information you choose to provide as part of the notification
Our purpose for processing the information	A notification is a way for students, staff members or others to let us know about an issue at university or college Notifications are sent to us by email When we receive a notification, we will review it and we may decide to investigate further, to take regulatory action, or both. Contact can be made at [email protected] or via other routes. We may need to contact you again if we require any further details.
Our legal basis for using the information	Our legal basis: DPA 2018 GDPR Article 6(1)(c) - legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject. When the OfS is obliged to process the personal data to comply with the law: Article 6(1)(e) - public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The legal basis for processing your information for notifications is because it is necessary for the performance of the task carried out, in the public interest: Article 6(1)(f) - legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. It is not sufficient for the OfS to simply decide that it is a legitimate interest and start processing personal data. We should be able to satisfy a three-part test prior to commencing personal data. All notifications will be dealt with confidentially and in accordance with the requirements of the DPA 2018 and any subsequent data protection legislation and the Freedom of Information Act 2000. The information will be kept strictly confidential.
Who we share the information with and the reason for this	We may share information obtained in the course of our review or other activity with other bodies, including: The Department for Education Providers To support Law Enforcement if the complaint relates to a crime or incident Advertising Standards Agency PSRB – professional statutory or regulatory body. We are normally able to share information about a notification in a way that does not reveal the identity of the notifier.
How long we will retain your personal data for	As stated in the OfS Retention Schedules (May 2021 version): Disposal action: Retain permanently
A link to a more specific privacy notice or information page (if applicable)	See information about OfS notifications

Making a complaint about the OfS

I am making a complaint about the OfS

The specific personal information held and used	Name Contact details Email address Any other personal information you choose to provide as part of your complaint.
Our purpose for processing the information	Where complaints are submitted to us by email at [email protected] or via other routes, we will use and retain the information supplied to us to handle the complaint and any subsequent issues, but also to check on the level of service we provide: To enable us to carry out investigations into your complaint To provide a response and agree appropriate actions To learn from experience to inform change in policy and/or process.
Our legal basis for using the information	Our complaints process follows and is subject to the Parliamentary and Health Service Ombudsman’s Principles of Good Complaint Handling. We should act according to our statutory powers and duties as well as follow our own policy and procedural guidance. The UK GDPR states: Article 6(1)(c) - legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject. When the OfS is obliged to process the personal data to comply with the law: Article 6(1)(e) - public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We are required to have a published complaints procedure to enable members of the public who are in receipt of any service to, should they feel their needs are not being met. Therefore, we are carrying out a public task which is carried out in the public interest and is also in the exercise of official authority vested in us as a Public Authority. The legal basis for processing your information for enquiries is because it is necessary for the performance of the task carried out, in the public interest: Article 6(1)(f) - legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. It is not sufficient for the OfS to simply decide that it is a legitimate interest and start processing personal data. We should be able to satisfy a three-part test prior to commencing personal data. All complaints will be dealt with confidentially and in accordance with the requirements of the DPA 2018 and any subsequent data protection legislation and the Freedom of Information Act 2000. Information will be kept strictly confidential. It will be stored in a secure database on the OfS’s computer system.
Who we share the information with and the reason for this	From time to time we may be asked to share information with other organisations in the event of a complaint about the OfS itself, for example: To assist the Parliamentary and Health Service Ombudsman in their work To support law enforcement if the complaint relates to a crime or incident.
How long we will retain your personal data for	Information will be kept in line with our retention policy. This means that information related to your complaint or subsequent appeals will be retained for ten years. The OfS Retention Schedule (May 2021) states: Appeals and complaints have a retention period of 10 years Disposal action: destroy 10 years from date created.
A link to a more specific privacy notice or information page (if applicable)	Our complaints process follows, and is subject to, the Parliamentary and Health Service Ombudsman’s Principles of Good Complaint Handling.

Visitor to the OfS premises - logbook

I have logged my details when visiting the OfS premises

People who visit our premises to attend a meeting or an interview
People who are onsite contractors.

The specific personal information held and used	We routinely collect the following information: Name Signature Organisation Vehicle registration
Our purpose for using the information	The logbook is used for: Maintaining the security of property and premises Preventing and investigating crime Maintain safety and security of the OfS (and Research England) colleagues, stakeholders and members of the public/visitors Issuing visitors with a pass to manage access to the building Asking for car registration details to manage use of the car park.
Our legal basis for using the information	Our legal basis: UK DPA 2018 GDPR Article 6(1)(c) - legal obligation: The OfS is obliged to process the personal data to comply with the law Article 6(1)(e) - public task: Maintaining security and safety of members of the public and/or for the prevention and detection of crime Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security and public health e.g. COVID-19 pandemic Article 9(2)(a) - explicit consent: an unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her For the interest of public safety: The Law Enforcement Directive (LED). This empowers the Police to process personal data for the purposes of preventing, detecting and investigating crime. We also need to consider our obligations in relation to the following: Freedom of Information Act 2000 Human Rights Act 1998
Any information we obtain from other sources	Images captured using CCTV: static or moving imagery is recorded of those who visit the OfS building and staff.
Who we share the information with and the reason for this	The facilities management team will maintain and operate procedures relating to the logbook, to ensure the OfS performs in accordance with legislation. The lawful justification for collecting personal data by way of a logbook is that there are legitimate reasons to do so. The information may be handled and used by the following recipients to maintain a safe, secure, efficient and compliant environment for our colleagues, stakeholders and members of the public: OfS personnel Local authorities Police/law enforcement Fire and rescue services. The data obtained through the logbook may be shared with third parties such as the police and local authorities. They may use this information for investigating and/or detecting crime. These arrangements are covered by information sharing agreements and legislation, as mentioned above.
How long we will retain your personal data for	Personal details held in the visitor logbook will be held for one month and then destroyed thereafter.

OfS CCTV

How we use information captured by our on-site CCTV

People who visit our premises including staff, onsite contractors and visitors

The specific personal information held and used	Images captured using CCTV: static or moving imagery. We may process special category data. To ensure we do not breach privacy law, all CCTV cameras are focused on OfS property. All recorded images can be found on viewing monitors, locked in a server room and can only be viewed by authorised staff. CCTV does have the ability to record sound although this function is currently switched off.
Our purpose for using the information	CCTV is used for: Maintaining the security of property and premises Preventing and investigating crime Maintaining the safety and security of OfS (and Research England) colleagues, stakeholders and members of the public/visitors.
Our legal basis for using the information	Our legal basis: UK DPA 2018 GDPR Article 6(1)(c) - legal obligation: The OfS is obliged to process personal data to comply with the law. Article 6(1)(e) - public task: Maintaining security and safety of members of the public and/or for the prevention and detection of crime. Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security. The Law Enforcement Directive (LED). For the interest of public safety, we must ensure we process personal data for security purposes. The information also empowers the police to process personal data for the purposes of preventing, detecting and investigating crime. We also need to consider our obligations in relation to the following: Freedom of Information Act 2000 Protection of Freedoms Act (has an important role in regulating surveillance systems, creating the role of the Surveillance Camera Commissioner with which the ICO has a memorandum of understanding to ensure effective cooperation). It also provides advice and guidance on issues such as operational requirements, technical standards and the effectiveness of the systems available. Human Rights Act 1998 Surveillance Camera Code of Practice (issued under the Protection of Freedoms Act).
Any information we obtain from other sources	The visitors' logbook: a register (of personal data) of those who visit the OfS building and staff.
Who we share the information with and the reason for this	The facilities management team will maintain and operate procedures intended to implement the CCTV policy. These procedures will ensure the CCTV system will be operated in accordance with legislation. The lawful justification for collecting and using CCTV imagery is that there are legitimate reasons to do so. CCTV imagery may be handled and used by the following recipients to maintain a safe, secure, efficient and compliant environment for our colleagues, stakeholders and members of the public: OfS personnel Local authorities Police/law enforcement Fire and rescue services Insurance companies (only when authorised). Our camera infrastructure is shared with third parties such as the police and local authorities. They may take control of cameras and use them for security or crime prevention activities. These arrangements are covered by information sharing agreements and legislation as mentioned above.
How long we will retain your personal data for	The system overwrites itself. This means that CCTV images will typically be kept for up to 6-8 weeks. CCTV footage will be kept for up to three months unless required as part of our function or by law.
A link to a more specific privacy notice (if applicable)	See the OfS CCTV policy

Changes to this privacy notice

We keep our privacy notice under regular review.

This privacy notice was last updated on 2 November 2021 and is version 2.0. Details of the Data Protection Officer were amended on 15 August 2018.

Last updated 20 May 2022 + show all updates

20 May 2022: Updates to the recruitment section to reflect changes to the specific personal information held and our purpose for processing the information.
02 November 2021: Extensive review and update of the OfS privacy notice, re-structuring to help users find information more easily.

Help us improve your experience

Describe your experience of using this website

What were you doing on the website? * Is there anything you liked or disliked? *

OfS privacy

Privacy notice

Share this page:

Thank you for your feedback