OfS privacy

Privacy notice

How to use this privacy notice

Use the links below to select the reason that we process your personal information and see the following details:

The specific personal information held and used
Our purpose for using the information
Our legal basis for using the information
Any information we obtain from other sources
Who we share the information with and the reason for this
How long we will retain your personal data for
A link to a more specific privacy notice (if applicable).

Unless otherwise stated we will not transfer your data to another country or do automated decision making.

Collecting personal data for regulatory purposes

The specific personal information held and used	Depending on the purpose and context, the personal data we collect for our regulatory purposes may include: Your name Your job title Your contact information Your address Your occupation and employment details Your sex and gender Your nationality Information relating to your age Your views and opinions Educational records and attainment Other information relevant to carrying out our statutory functions. Special category data, including: Disability status Racial or ethnic origin Political opinion and political affiliations Religious or philosophical beliefs Sexual orientation.
Our purpose for using the information	We mainly collect and process personal information in connection with performing any of our statutory functions. This includes (but is not limited to) the following: maintaining the register of English higher education providers regulating and monitoring the activities of registered English higher education providers, for example by the imposition of new or revised regulatory obligations investigating, monitoring and assessing whether higher education providers have complied with regulatory and other legal obligations, for example those which relate to the following subject matter: (a) the quality of, and standards applied to, higher education (b) financial stability and sustainability (c) management and governance (d) freedom of speech and academic freedom (e) consumer protection law (f) charity law. promoting equality of opportunity in higher education providing funding for purposes connected with higher education making arrangements for the collection and publication of information about higher education providers and individuals connected with them monitoring and facilitating the provision of arrangements for student transfers in the event of market exit sharing information with a wide range of other bodies, including (but not limited to) the Department for Education, the Student Loans Company, the Competition and Markets Authority, Local Authority Trading Standards Departments, the National Crime Agency and the Charity Commission.
Our legal basis for using the information	UK GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. UK GDPR Article 9(2)(g) – reasons of substantial public interest: in particular, for statutory and government purposes under paragraphs 6, 11 and 12 of Schedule 1 of DPA 2018.
Any information we obtain from other sources	Other than the personal information collected from you directly, we also obtain personal information about you from other sources, listed below: Education providers with which you have a connection Professional, statutory and regulatory bodies (for example, bodies that set standards for the courses run by providers) Survey and research organisations working on our behalf Central and local government bodies Other public sector bodies Regulatory and civil/criminal enforcement bodies Organisations acting as our designated data body Agents or service providers.
Who we share the information with and the reason for this	We may also, from time to time, need to share your personal data with other third parties, including: Education providers with which you have a connection Professional, statutory and regulatory bodies (for example, bodies that set standards for courses run by providers) Survey and research organisations working on our behalf Central and local government bodies Other public sector bodies Regulatory and civil/criminal enforcement bodies Agents or service providers. We may pass your information (routinely or otherwise) to any other organisation where that is connected to the performance of our functions or the functions of the receiving organisation. We will also pass your information to other organisations where we have a legal duty to do so.
How long we will retain your personal data for	We will determine the period for which we need to keep your personal data having regard to the reasons and purposes for which it was collected, our statutory duties and other legal obligations, the exercise and defence of any legal claims, including the period within which any current or potential future legal claims may be brought. After that point, your personal information will be confidentially and securely disposed of.
A link to a more specific privacy notice (if applicable)	Within our privacy notice, see also: ‘Registration of providers’ ‘Notifications about providers’ 'Current or former student'.

Current or former student

I am a current or former student at a higher education provider in England

People who are current students at a higher education provider in England
People who used to be students at a higher education provider in England
People who have participated in a programme specifically funded by the OfS.

The personal data we process

Name
Date of birth
Contact details
Address
Nationality
Domicile
Sex
Family details
Student identifiers
Social circumstances
Financial details
Educational records and attainment
Career progression

Special category data:

Physical or mental health details
Racial or ethnic origin
Religious or other beliefs
Sexual orientation

Our purpose for processing the information

We process personal information on students to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England.

We use individualised and aggregate data relating to students in English higher education to inform and monitor funding allocations and to produce target lists, metrics and other data summaries. For further information, please view our guide to supplying data.

We use artificial intelligence as part of this processing activity. For more information on our use of AI, please see the ‘Information security’ guidance section.

Our lawful basis for using the information

UK GDPR Article 6(1)(e) Public task – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the OfS.
UK GDPR Article 9(2)(g) Reasons of substantial public interest - for our legal purposes under Schedule 1, part 2, paragraph 6 of the DPA 2018.
UK GDPR Article 9(2)(j) Research, archiving and statistics – the processing of special category data is necessary for statistical and research purposes in accordance with UK GDPR Articles 84A-D and Schedule 1, part 1, paragraph 4 of the DPA 2018.

Information we obtain from other sources

Other than the personal information collected from you directly, we also obtain personal information about you from other sources, for example your higher education provider.

If you have attended an educational establishment in the UK since 1994, then we will hold personal data about you from some or all of these sources:

Source	Contents	Further information
Jisc (operating as HESA)	HESA Student record Graduate Outcomes survey	Jisc’s privacy notice
Student Loans Company	Student loans information	SLC's privacy notice
Department for Education	Individual Learner Record	ILR privacy notice
	National Pupil Database (school record)	Find and explore data in the National Pupil Database
	Longitudinal educational outcomes	Find graduate outcomes (LEO) data
UCAS	Admissions data	UCAS privacy notice

Who the information is shared with and why

We will share your personal information with other organisations for specific reasons:

Education providers with which you have a connection
Survey and research organisations working on our behalf, for example to administer surveys and evaluate programmes we have funded
Other public sector bodies
Agents or service providers.

We will not routinely disclose your information to any other organisation other than those listed except where required to do so as part of our functions or by law.

Where personal information is disclosed routinely to another organisation, a contractual agreement will be in place to ensure the protection of your personal information and to ensure it is only used for the reasons described in this notice.

Whether the information will be transferred to another country

Your personal information will be stored on servers in the UK or European Economic Area and will not be transferred outside those territories unless required by a court order.

How long we will retain your personal data for

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements.

After that point, your personal information will be confidentially and securely disposed of.

Where student data is no longer necessary for ongoing functions, we may keep the data for the purposes of archiving for historical research or statistical purposes. For personal data relating to students, we consider archiving to be necessary to enable statistical analyses we must perform to fulfil our functions.

Other relevant privacy notices

National Student Survey (NSS) - see the NSS privacy policy

We also collect information directly from students in student surveys. See the ‘consultation and survey respondents’ section for further information.

Current or former employee of a higher education provider

I am a current or former employee of a higher education provider

People who are currently or formerly employed by a higher education provider in England.

The personal data we process	Name Date of birth Provider name Demographic details Sex Identification number (HESA staff) Salary (for vice-chancellors and those holding similar roles in other providers) Employment details (including start date, end date, role type, academic discipline) Special category data: Physical or mental health details Racial or ethnic origin Religious or other beliefs Sexual orientation For further details on categories of personal data, please see the links to more specific privacy notices at the bottom of this table.
Our purpose for processing the information	We process personal information to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England. We use individualised and aggregate data relating to students and staff in English higher education to inform and monitor funding allocations and to produce target lists, metrics and other data summaries. For further information, please view our guide to supplying data. We use artificial intelligence as part of this processing activity. For more information on our use of AI, see the ‘Information security’ guidance section.
Our lawful basis for using the information	UK GDPR Article 6(1)(e) Public task – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the OfS. UK GDPR Article 9(2)(g) Reasons of substantial public interest - for our legal purposes under paragraphs 6 of Schedule 1 of DPA 2018. UK GDPR Article 9(2)(j) Research, archiving and statistics – the processing of special category data is necessary for statistical and research purposes in accordance with UK GDPR Articles 84A-D and Schedule 1, part 1, paragraph 4 of the DPA 2018.
Information we obtain from other sources	Much of the information that we hold about provider staff is collected from other sources. If you have worked at an educational establishment in the UK since 1994, we will hold personal data about you from some or all of the following sources: HESA staff record Provider returns
Who the information is shared with and why	Where necessary or required, this information may be shared with: Government departments or other public sector bodies Agents or service providers Survey and research organisations working on our behalf We will not routinely disclose your information to any other organisation other than those listed except where required to do so as part of our functions or by law. Where personal information is disclosed routinely to another organisation, a contractual agreement will be in place to ensure the protection of your personal information and to ensure it is only used for the reasons described in this notice.
Whether the information will be transferred to another country	Your personal information will be stored on servers in the UK or European Economic Area and will not be transferred outside those territories unless required by a court order.
How long we will retain your personal data for	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements. After that point, your personal information will be confidentially and securely disposed of. Where staff data is no longer necessary for ongoing functions, we may keep the data for the purposes of archiving for historical research or statistical purposes. For personal data relating to provider staff, we consider archiving to be necessary to enable statistical analyses we must perform to fulfil our functions.
Other relevant privacy notices	See the ‘registration’ section of this notice See HESA Staff data

Registration of providers

I am employed by a provider that is applying to register with the OfS

People who are submitting an application to the OfS Register, on behalf of their provider
People who are completing ‘fit and proper person checks’ as part of their provider’s registration process.
People invited to attend an interview as part of the OfS’s assessment of the provider’s compliance with registration conditions.

The specific personal information held and used	As part of the provider registration process, we collect and process personal data relating to people in key governance, leadership, or ownership roles. This includes data gathered through the OfS Register, interviews (including audio and video recordings or written notes), and fit and proper person checks. Types of personal data collected: Legal first name and surname Role title and provider affiliation Date of birth Contact details (where not generic) Audio/video recordings of interviews, Personal views or statements shared during interviews Information relating to: Criminal convictions or cautions Bankruptcy or insolvency Disqualifications from directorships or similar roles Regulatory or professional findings (if relevant) In limited cases, special category data may be processed where it is disclosed during interviews or checks - for example, information relating to health, political opinions, or trade membership unions.
Our purposes for using the information	For publication on the Register, where contact details for general enquiries relate to an identifiable individual To assess the provider’s compliance with registration conditions, including whether individuals meet the fit and proper person requirement To assess the suitability of individuals or the provider through an interview process To inform decision making, monitor compliance and follow up concerns raised under registration conditions To contact you as part of the provider’s registration or compliance process. To fulfil any of our other statutory functions or legal requirements from time to time. Please note, we use artificial intelligence as part of this processing activity. AI is not used to carry out fit and proper persons checks or interviews, or to collect personal data. For more information on our use of AI, please see the ‘Information security’ guidance section.
Our legal basis for using the information	We rely on the following legal bases under the UK GDPR: Article 6(1)(e) – where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the OfS. Where special category data is processed (for example, ethnicity or health information) we rely on: Article 9(2)(g) – substantial public interest Schedule 1, Part 2, Paragraph 6 of the Data Protection Act 2018 – processing is necessary for statutory functions Where criminal offence data is processed, we rely on: Article 10 – processing authorised by law Schedule 1, Part 2, Paragraph 6 of the Data Protection Act 2018 - processing is necessary for statutory function, without needing to demonstrate substantial public interest
Any information we obtain from other sources	In addition to information collected directly, we may gather relevant information from other sources, for example: Government departments or other public sector bodies (such as Companies House or the Insolvency Service) Agents or service providers
Who we share the information with and the reason for this	We share your personal data with a small number of external organisations where necessary for regulatory purposes: Government departments or other public sector bodies – for verification purposes Agents or service providers – where necessary to support our functions We may use a third party organisation to assist with ‘fit and proper person’ checks. We do not share your personal data beyond those listed unless required to do so by law or as part of our regulatory responsibilities.
How long we will retain your personal data for	We only retain personal data for as long as it is needed for the purpose(s) for which it was collected. For providers that are approved and remain on the register, personal data may be retained for the duration of their registration and any ongoing regulatory activities. For providers that are deregistered or not approved, personal data will be retained for up to seven years from the date of deregistration or the decision not to register. Interview records, whether audio or video recordings or written notes, will be retained for no more than seven years. We will periodically review whether to retain or securely delete records in line with our regulatory needs and data protection principles.

Information about our stakeholders

I am a stakeholder or a member of a board, committee or panel who regularly interacts with the OfS

People who are currently or formerly board, committee and panel members
People who are stakeholders working together, or interacting with, the OfS.

The specific information held and used	Title and name Work email Work telephone number Name, email and telephone number of Personal executive assistant (if provided) Dietary requirements and access needs where necessary for meetings held in person
Our purpose for using the information	As an independent regulator, the OfS needs to communicate regularly with its stakeholders in the higher education sector, government departments and other sector bodies. These stakeholders include chief executive officers of sector bodies that we work with and officers in government departments. In order to ensure that we can communicate with our stakeholders effectively, the OfS maintains a database of contact information for stakeholders. In addition: Processing allows the OfS to inform members about activities, meeting dates and send documents relating to group matters To maintain a record of working groups and members involved with student support networks.
Our legal basis for processing your personal information	Our legal basis for holding this information depends on the reasons why we need to contact you: GDPR Article 6(1)(e) - We may need to contact you in order to meet our statutory functions as a regulator and because it is necessary to fulfil our public tasks) Or GDPR Article 6(1)(f) - We may have another ‘legitimate interest’ in contacting you, for example if OfS staff are meeting with you, they will have a legitimate need for your contact details in order to arrange the meeting.
Any information we obtain from other sources	We obtain this information directly from stakeholders and their interactions from us. There will also be circumstances where we need to obtain your contact information from another source, so that we can contact you to meet our public task or a specified legitimate interest. For example, if you have recently joined a sector body that we work with and we do not have your contact details, we may need to obtain your details from a public source, such as your organisation’s website.
Who we share the information with and the reason for this	We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law.
How long we will retain your personal data for	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements. Board, committee and panel records are retained seven years from date of last document.
A link to a more specific privacy notice (if applicable)	Stakeholders can subscribe to receive emails and news alerts from the OfS. Please refer to the section 'Staying informed' for this privacy information.

OfS consultation and survey respondents

I’m responding to an OfS consultation or a survey

People who respond to one of our consultations or surveys.

The specific personal information held and used	The categories of personal information collected will vary depending on the specific consultation or survey. However, the information needed will include some or all of the following: Name Email address Organisation Job role Demographic data such as: Sex Age Special category data such as: Racial or ethnic origin The specific information collected will be set out in the individual privacy notice for each consultation and survey.
Our purpose for processing the information	We use personal information about you in order to understand who has responded to the consultation or survey, and respondents’ views with the aim of being able to understand the different perspectives of stakeholders. We may also contact you for any queries relating to your responses. We may publish a summary of the consultation responses and, in some cases, the responses themselves. The specific information that will be published will be set out in the individual privacy notice for each consultation and survey.
Our legal basis for using the information	Unless otherwise specified the legal basis for processing your information is Article 6(1)(e) public task. The legal basis for processing your personal information is that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Where special category data is collected, the relevant condition is Article 9(2)(a) explicit consent given by the respondent.
Who we share the information with and the reason for this	Unless otherwise specified, responses are collected via SmartSurvey. Information collected through SmartSurvey is stored on secure servers in the UK or EU and does not leave Europe at any point. See the SmartSurvey privacy notice To support the analysis of consultations, we occasionally share the information collected through consultations with external organisations. Unless otherwise specified, analysis is undertaken by Pye Tait Consulting. Read the Pye Tait Consulting privacy notice for further information.
How long we will retain your personal data for	Each consultation and survey will indicate a time period as to how long personal information will be held for. After that point, your personal information will be confidentially and securely disposed of.
A link to a more specific privacy notice or information page (if applicable)	See the SmartSurvey privacy notice See the Pye Tait Consulting privacy notice

Attending an OfS conference or event

I am attending an OfS conference or event

Invitees and delegates of in-person conferences or events organised by the OfS.

The specific personal information held and used	If you choose to attend one of our events, you will be asked for the following: Name Job title Organisation Contact details (email address, telephone number and postal address) The capacity in which you will attend the event How you heard about the event If you are offered a place, you will be invited to tell us about any dietary requirements or access provisions you may need. We won’t share this information in an identifiable way with the conference venue.
Our purpose for using the information	Our purpose for collecting this information is so that we can manage our conferences and events, including event invitations, acceptances, contact details of invitees and delegates, dietary and access requirements. We use Eventbrite to manage our conferences and events. If you prefer not to use Eventbrite to respond to a conference or event invitation, you may respond directly using the contact details provided in the invitation. When you register for an OfS event using an Eventbrite form, you will be presented with a summary of how any personal information submitted will be used. The summary privacy information also includes a link to a more detailed privacy notice. We usually provide a list of delegates as part of the delegate pack for the conference or event. We will give you an opportunity to indicate if you do not wish your name, job title and institution or organisation to be included on the delegate list. Our key policy events may have a member of staff taking informal photos of the event, some of which may be published on our social media feeds. Photos will focus on speakers, but delegates may be captured incidentally. If you do not wish to be included in any photos, please make this known to a member of staff at the beginning of the event.
Our legal basis for using the information	To ensure the effective management and running of OfS events: Article 6(1)(f) legitimate interests Access and dietary requirements: Article 9(2)(a) explicit consent
Who we share the information with and the reason for this	We share information on numbers of delegates as well as access and dietary requirements (where supplied) with the conference venue or other event suppliers but not in way that identifies individuals.
Your rights over your personal information	Information about access and dietary requirements - Withdrawal of consent Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected] Once consent is withdrawn, we will destroy all relevant personal information unless we are relying on a different legal basis to justify keeping your personal information. If that is the case, we will tell you in writing. However, withdrawing your consent does not affect the lawfulness of processing based on consent before you withdrew consent.
Whether we intend to transfer information to another country	Eventbrite processes data (including any personal data submitted by booking one of our events) in the USA. Because this means your information will be held outside the UK we have assessed the risks with storing your personal information in this country and are satisfied that it will not be put at any undue risk as a result. The reasons for this are there is an appropriate transfer mechanism in place (Standard Contractual Clauses) and an adequate level of protection for the nature of the personal data to be transferred. Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy. If you prefer not to use Eventbrite for responding to a conference or event invitation, you may respond directly to the OfS by contacting the event organiser using the details provided in the invitation.
How long we will retain your personal data for	We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. The personal information you have submitted will be kept for one month after the event. After that point, your personal information will be confidentially and securely disposed of. Eventbrite keeps registrations indefinitely.
A link to a more specific privacy notice or information page (if applicable)	See Eventbrite’s privacy policy See OfS events page

Attending an OfS webinar or other online event

I am attending an OfS webinar

People who participate in our webinars for events, workshops and conferences.

The specific personal information held and used	Name Email address Job title Organisation Collecting device and location information IP address Local IP (IP of device) Network type Type of microphone (for presenters) Data centre Collection type (joining and leaving webinar reasons and times)
Our purpose for processing the information	The OfS holds webinars, events, workshops and conferences to promote its work as a regulator and to support its statutory functions. We usually use Zoom and Microsoft Teams to deliver and manage webinars, allowing participants to log in and attend webinars at the time or view the webinar later.
Our legal basis for using the information	Article 6(1)(f) - legitimate interests We have a legitimate interest in collecting your personal information to ensure that the OfS has the necessary information to host webinars effectively, and to also ensure only invited individuals attend webinars or view webinars later.
Any information we obtain from other sources	We usually use Zoom and Teams to deliver and manage webinars. We also use Teams to host external meetings and events. On occasion, we use Eventbrite to allow attendees to register for online events we host.
Who we share the information with and the reason for this	As your personal information will be submitted by registering or logging in to Zoom or Microsoft Teams, any personal information you submit will be stored by, and accessible to, Zoom and Microsoft. Zoom and Microsoft process personal data in accordance with their own privacy policies. In addition, if you use an Eventbrite form to register for an OfS event hosted on Teams, any personal information submitted in the form will be stored by, and accessible to, Eventbrite. Eventbrite processes personal data in accordance with its own privacy policy. We will not disclose your information to any other organisation except where required to do so as part of our functions or by law.
Whether we intend to transfer to another country	Eventbrite and Zoom are based in the United States. If you choose to register for an event through Eventbrite, any personal information you submit will be transferred to the United States. Zoom, in certain cases, will transfer data to the United States, as well as to other countries outside of the EEA.
How long we will retain your personal data for	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for. If you choose to attend a webinar through Zoom or Teams, any personal data processed will be retained for as long as is considered necessary by Zoom or Microsoft, and in accordance with their privacy policies (see relevant links below). Your personal information will be stored by the OfS in the European Union/EEA. This means that your personal information is protected under the UK GDPR. Cloud recordings are retained for 30 days, and meeting metrics are retained for 12 months. If you choose to register for an event through Eventbrite, any personal data processed will also be retained for as long as is considered necessary by Eventbrite, and in accordance with their privacy policy (see relevant link below).
A link to a more specific privacy notice or information page (if applicable)	See Zoom's privacy notice See the Eventbrite privacy notice See Microsoft's privacy notice

Social media users

I am a social media user

Information we gather through social media platforms.

The personal data we process	Personal data posted on social media platforms and other public sources, including: Public social media profiles Public social media posts Username Followers and networks Online behaviour, for instance likes and re-tweets.
Our purpose for processing the information	We use social media to understand what the wider public is saying about the Office for Students and the sentiment and conversations around other topics relevant to students and the higher education sector. We also use social media for our general regulatory purposes, including to identify potential regulatory issues and sector-wide emerging themes. To achieve these aims, we use a social listening tool to monitor publicly available social media and generate reports about trends, insights, and regulatory issues across the higher education sector.
Our lawful basis for using the information	UK GDPR Article 6(1)(e) Public task – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Information we obtain from other sources	Other than the personal information collected from you directly, we also obtain personal information about you from Pulsar, a social listening tool to monitor and analyse publicly available posts from social media sites, blogs, forums, and news sites.
Who the information is shared with and why	We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law.
Whether the information will be transferred to another country	We do not store data from social media users on our servers. Instead, your personal information will be stored by the individual social media companies, on their own servers. Please note, Pulsar, LinkedIn, YouTube (Google), X, and Facebook and Instagram (Meta) all share data outside of the European Economic Area. Their privacy notices are linked at the end of this table.
How long we will retain your personal data for	Any personal data that underpins the aggregate reports will be retained by the social media monitoring and listening company for a maximum of two years. After that point, your personal information will be confidentially and securely disposed of. If we need to keep your personal information for longer than two years, we will update our privacy information to reflect this.
Other relevant privacy notices	Pulsar’s privacy policy LinkedIn privacy policy YouTube - Google privacy policy X privacy policy Meta privacy policy - Facebook, Instagram and Messenger

Signed up to receive information

I have given permission or signed up to receive information about OfS news, events and opportunities to be involved in the work of the OfS

People who have subscribed to receive emails about OfS events
People who have subscribed to receive the OfS newsletter
People who have subscribed to receive emails about OfS alerts
People who have subscribed to receive the OfS monthly update
People who have subscribed to receive OfS ‘Student News’ alerts (previously named 'Student spotlight')

The specific personal information held and used	Name Email address Whether you are a student, graduate, students' union officer, a students' union member of staff or from another demographic (Student News newsletter only) Where you are based (Student News newsletter only)
Our purpose for using the information	We will use your information to send you our newsletters (weekly, monthly or termly), OfS alerts, information about upcoming events and opportunities to be involved with OfS work.
Our legal basis for using the information	UK GDPR Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes. You can withdraw your consent at any point if you are no longer happy for your personal information to be processed. If you to wish to withdraw consent, please do so by clicking ‘unsubscribe’ link on the bottom of any email you receive. Alternatively, you can contact our Data Protection Officer - see details. Once consent is withdrawn, we will destroy all relevant personal information. However, withdrawing your consent does not affect the lawfulness of personal information processed before you withdrew consent.
Who we share the information with and the reason for this	The OfS uses Mailchimp (owned by Intuit) as our marketing platform. Your personal data will be shared with Intuit for processing in accordance with its privacy policy.
Whether we intend to transfer to another country	Mailchimp is based in the United States; therefore, when you subscribe to our newsletter, and any of our alerts or monthly updates, your personal data will be processed by Mailchimp on servers outside of the EEA. MailChimp also reserves the right to transfer your personal data to other countries in which its service providers operate. For further information, you may wish to read Intuit’s privacy policy.
How long we will retain your personal data for	Data will be held until consent is withdrawn. The personal information you provide will be deleted when you unsubscribe; this may take up to a week.
Link to more specific privacy notices	See the privacy notice for OfS Student News alerts See Intuit's privacy policy

Procurement

I am a third-party supplier to the OfS

People or organisations that provide unique services or goods to the OfS.
People or organisations that bid on invitations to tender and other procurement opportunities.

The personal data we process	Name Job title Date of birth Personal signature Organisation name Contact details (email, address, telephone number) Nationality Country of residence Associations with legal entities We may also process criminal offence data to allow us to comply with our legal obligations under the Procurement Act 2023 and the Procurement Regulations 2024. As part of the credit checks (carried out by a third party, see ‘any information we obtain from other sources’ below), we process the following information of people with significant control: Title Name Date of birth (month and year) Address Job title Nationality Appointment date Occupation.
Our purpose for processing the information	We need to collect personal data to help us communicate with you as part of the procurement process. We may also need to collect personal data to enable us to perform background checks (such as credit checks) on the bidding organisation, which can be necessary as part of the procurement process. The personal data you provide to us as part of the procurement process is necessary to ensure that we can undertake the required due diligence processes for bidding organisations, suppliers and those ‘connected people’. The processing of criminal offence data is necessary to enable us to comply with our legal obligations under the Procurement Act 2023 and the Procurement Regulations 2024. This information may be used to determine whether any exclusion grounds for the purposes of public procurement apply. We retain any personal data collected through the procurement process to support ongoing contract management.
Our lawful basis for using the information	UK GDPR Article 6(1)(e) Public task – processing is necessary to source, receive, purchase and inspect goods and services, to perform our functions as a public body. UK GDPR Article 6(1)(c) Legal obligation – processing is necessary for us to comply with the Procurement Act 2023 and the Procurement Regulations 2024. Criminal offence data is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment or rule of law (see paragraph 6 of Schedule 1 of DPA 2018).
Whether individuals are under a statutory or contractual obligation to provide the personal data	In the context of this processing, the personal data of connected persons is required by the Procurement Act 2023 and the Procurement Regulations 2024. That is: Name Job title Date of birth Contact details (email, address, telephone number) Nationality Country of residence Associations with legal entities If this data is not provided, we will not be able to process supplier's bids for invitations to tender and other procurement opportunities.
Information we obtain from other sources	We use a third party for credit checks – Creditsafe We process personal data jointly with the Cabinet Office via the Find a Tender service.
Who the information is shared with and why	We use a third-party company, BiP Solutions, for managing and storing procurement and contract records. We are required to publish contract award notices through the Find a Tender service portal (Delta e-sourcing). This includes who the contract was awarded to, a contact name, phone number and email address. We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law.
Whether the information will be transferred to another country	Your personal information will be stored on servers in the UK and will not be transferred outside that territory unless required by a court order.
How long we will retain your information for	Contracts not under seal: seven years from end of contract Invitation to tender; successful tender documents: seven years from date of last document Unsuccessful tender documents; tender evaluation documents: three years from date of last document After that point, your personal information will be confidentially and securely disposed of. If we need to keep your personal information for longer than the stated retention period, we will update our privacy information to reflect this.
Other relevant privacy notices	Delta e-sourcing privacy policy Find a Tender Service privacy notice

Recruitment

I am applying for a job with the OfS

Job applicants (current or former).

The specific personal information held and used	The personal information we will collect and use as part of the application process is: Name Address Telephone number Email address Qualifications Work history Optional special category data (you can select ‘prefer not to say’ for all these categories): Ethnicity Disability Gender identity Religious belief Sex Sexual orientation Unpaid caring responsibilities If we invite you to an interview, we will ask if you require any reasonable adjustments to be made in relation to the interview process. This information will be held and used separately from the application form. Some roles require you to take an online assessment. If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks and health questionnaire: Name Address Date of birth Proof of identity Proof of your qualifications Criminal records declaration Some roles require a higher level of security clearance and, if this is the case, we will let you know. If we make a final offer, we will also ask for the following: Bank details Emergency contact details NI number Any membership of a Civil Service Pension scheme.
Our purpose for processing the information	We will use your information for the following purposes: to process your application to invite you to interview (if relevant) for referencing, pre-employment checks and onboarding on appointment to monitor applicant pools for our equality and diversity data (you may prefer not to supply this data) we publish non-identifiable data under our Public Sector Equality Duty we are a Disability Confident employer and may ask for certain information to enable us to carry out our responsibilities in this area - for example, making reasonable adjustments for the interview process. Our hiring managers shortlist applications for interview. You must successfully complete pre-employment checks to progress to a final offer. We are legally required to confirm your identity and right to work in the UK. If you choose to supply equality and diversity data, we will not make this information available to any staff outside our recruitment team (including hiring managers) in a way that can identify you. Your application will not be affected if you choose not to supply equality and diversity data.
Our legal basis for using the information	Legitimate interests – the OfS has a legitimate interest in processing your personal data to administer and consider your application. Explicit consent – for special category data (e.g. ethnicity, gender, disability) should you choose to submit such information. Contract – where processing is necessary to perform a contract or take steps, at your request, before entering a contract. Legal obligation – for us to establish and record the right to work, security checks, if you provide us with any information about reasonable adjustments so that we can comply with our obligations under the Equality Act 2010. Employment, social security and social protection law – where reasonable adjustments are required during the recruitment process including what the reasonable adjustment is, although not the rationale behind the reasonable adjustment itself.
Any information we obtain from other sources	Other than the personal information collected from you directly, we also obtain personal information about you from other sources: Pre-employment checks, including references and DBS check on appointment only. From recruitment agencies, where an agency has been used to identify candidates suitable for a role.
Who we share the information with	Other than the organisations listed below, we will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. (In exceptional circumstances, your information may be shared with someone who is not an OfS employee but is working with us to recruit to an OfS role, or a committee or panel.) We use Workday Recruiting to manage the application and selection process. Pre-employment checks: DBS checks are carried out for us by Atlantic Data We use Maximus Health Management to administer health questionnaires.
Your rights over your personal information	Equality and diversity data - withdrawal of consent Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected] Once consent is withdrawn, we will destroy all relevant personal information unless we are relying on a different legal basis to justify keeping your personal information. If that is the case, we will tell you in writing. However, withdrawing your consent does not affect the lawfulness of processing based on consent before you withdrew consent.
Whether we intend to transfer to another country	Your personal information held on Workday will be stored securely within the European Economic Area (in Ireland and backed up in Germany) and will not be transferred outside that territory unless required by a court order. The UK has agreed that countries within the EEA provide an equivalent level of safeguards for the processing of personal data.
How long we will retain your personal data for	We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. Unless you are appointed, the personal information you have submitted will be kept for one year after the job has closed. After that point, your personal information will be confidentially and securely disposed of.
Cookies	Our careers site (Workday) uses strictly necessary cookies to allow the site to function properly and to enable the successful communication between the end-user and the service, as follows: Session management cookies - User, device and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. Routing cookies - To forward requests for a single session to the same server for consistency of service. These cookies expire at the end of the session. Application Security Management (ASM) cookies - To help protect web applications and infrastructure from security attacks. These cookies expire at the end of the session.
A link to a more specific privacy notice or information page (if applicable)	Information about the measures that Workday has in place to keep your information secure. See Workday security information See Atlantic data's privacy statement (DBS checks) See Maximus health management privacy policy (Health questionnaire) Information about working for the OfS can be found on our careers page. Further details about how we process the personal information of our employees is provided in a separate privacy notice.

Requesting information held by the OfS

I am submitting a request under access to information legislation

People who submit a request for information under the Freedom of Information Act 2000, the Environmental Information Regulations 2004 or the Re-use of Public Sector Information Regulations 2015.
People who make a subject access request or another request about their information under the Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR).

The personal information we process	Name Contact details Form of identification (where required)
Our purpose for processing the information	We use your name and contact details so that we can respond to your request for information. If you are making a subject access request or another request under the DPA or UK GDPR, we may require a form of identification so that we can verify your identity and search for your personal data. If you are making a subject access request or another request under the DPA or UK GDPR on behalf of another person, we may require a form of identification and confirmation that you are entitled to act on this person’s behalf before we begin processing your request.
Our lawful basis for using the information	UK GDPR Article 6(1)(c) Legal obligation - compliance with our legal obligations under information rights legislation.
Who the information is shared with and why	We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. However, in some circumstances we may need share your details with third parties so that we can respond to your request.
Whether the information will be transferred to another country	Your personal information will be stored on servers in the UK and will not be transferred outside that territory unless required by a court order.
How long we will retain your personal data for	The personal data and information related to your request or subsequent appeals will be retained for three years from date created. After that point, your personal information will be confidentially and securely disposed of. If we need to keep your personal information for longer than three years, we will update our privacy information to reflect this.
A link to a more specific privacy notice or information page (if applicable)	See information about making a request

Notifications about providers

I am making a notification about a provider

Students, staff members and members of the public who wish to let us know about an issue within a university or college registered with the OfS.

The personal data we process	Personal data: Name Email address Telephone number Other personal information you choose to provide to us as part of the notification. In some instances, this might include special category data. These are classed as special categories of personal data: racial or ethnic origin political opinions religious or philosophical beliefs trade union membership health data sex life or sexual orientation.
Our purpose for processing the information	A notification is a way for students, staff members or others to let us know about an issue at university or college. Notifications are sent to us by email to [email protected] or via other routes. We process your personal information to review notifications and decide whether or not to investigate further, to take regulatory action, or both. We may need to contact you again if we require any further details.
Our lawful basis for using the information	UK GDPR Article 6(1)(e) - Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. If you choose to share special category data with us as part of your notification, the lawful basis for processing is: UK GDPR Article 9(2)(g) Reasons of substantial public interest - in particular, for statutory and government purposes under paragraphs 6, 11 and 12 of Schedule 1 of DPA 2018
Information we obtain from other sources	We sometimes receive notifications, and related information, on behalf of others, for example: An MP sending a notification on behalf of their constituent A law firm sending a notification on behalf of their client A parent or legal guardian on behalf of a student Sector body group on behalf of academics.
Who the information is shared with and why	We may share information obtained in the course of our review or other activity with other bodies, including: The Department for Education Higher education providers To support law enforcement if the complaint relates to a crime or incident Advertising Standards Agency PSRB – professional statutory or regulatory body Students Loan Company Office of Qualifications and Examinations Regulation (Ofqual). Our general approach is to make every attempt to protect a notifier’s identity from a university or college where requested, and we can normally share information about a notification without revealing this. Sometimes the nature of a notification reveals the notifier’s identity, or those of students the concerns relate to, especially if the issue has already been raised directly with the university or college. If you are worried that an identity could be revealed if we contact a university or college about your notification, please let us know so that we can consider how best to proceed. We wouldn’t expect submitting a notification to negatively impact your studies. We will not routinely disclose your information to any other organisation other than those listed, except: where required to do so as part of our functions (including where we are concerned for the immediate safety of you or another individual) where we are required to do so by law (including disclosures made under the Freedom of Information Act 2000). Where personal information is disclosed routinely to another organisation, a contractual agreement will be in place to ensure the protection of your personal information and to ensure it is only used for the reasons described above.
Whether the information will be transferred to another country	Your personal information will be stored on servers in the UK or European Economic Area and will not be transferred outside that territory unless required by a court order.
How long we will retain your personal data for	We will keep your personal data for ten years. After that point, your personal information will be confidentially and securely disposed of. If we need to keep your personal information for longer than ten years, we will update our privacy information to reflect this.
Other relevant privacy notices or information	See information about OfS notifications

Making a complaint about the OfS

I am making a complaint about the OfS

The personal data we prcoess	Name Contact details Email address Other personal information you choose to provide to us as part of your complaint We do not actively seek special category data, but on occasion, those making a complaint may refer to special category data such as their racial or ethnic origin, opinions or beliefs, or health data as part of their complaint. These are classed as special categories of personal data: racial or ethnic origin political opinions religious or philosophical beliefs trade union membership health data sex life or sexual orientation.
Our purpose for processing the information	We use personal information to respond to a complaint. Often we need to redirect a complaint to the OfS notifications email address, as the correspondence is not a complaint within the scope of the scheme, but instead concerns a student’s provider. Where complaints are submitted to us by email at [email protected] or via other routes, we will use and retain the information supplied to us to handle the complaint and any subsequent issues, and to check on the level of service we provide: To enable us to carry out investigations into your complaint To provide a response and agree appropriate actions To learn from experience to inform change in policy and/or process. Our complaints process follows and is subject to the Parliamentary and Health Service Ombudsman’s principles of good complaint handling.
Our lawful basis for using the information	UK GDPR Article 6(1)(e) Public task – we are required to have a published complaints procedure to enable members of the public who are in receipt of any service to contact us, should they feel their needs are not being met. If a complainant chooses to share special category data with us as part of their complaint against the OfS, the lawful basis for processing is: UK GDPR Article 9(2)(g) Reasons of substantial public interest – in particular, for statutory and government purposes under paragraphs 6, 11 and 12 of Schedule 1 of DPA 2018.
Who the information is shared with and why	In the event of a complaint about the OfS itself, we will share your personal information with other organisations for specific reasons: To assist the Parliamentary and Health Service Ombudsman in their work To support law enforcement if the complaint relates to a crime or incident To copy our response to an MP if you had copied them into the original complaint, and subsequently agree to us sharing the response with them. We will not routinely disclose your information to any other organisation other than those listed except where required to do so as part of our functions or by law. Where personal information is disclosed routinely to another organisation, a contractual agreement will be in place to ensure the protection of your personal information and to ensure it is only used for the reasons described above.
Whether the information will be transferred to another country	Your personal information will be stored on servers in the UK and will not be transferred outside that territory unless required by a court order.
How long we will retain your personal data for	The personal data relating to your complaint may be kept for up to 10 years from the end of the project, case closure or date created, if it is considered to come within the scope of our complaints policy. After that point, your personal information will be confidentially and securely disposed of. If we need to keep your personal information for longer than ten years, we will update our privacy information to reflect this.
A link to a more specific privacy notice or information page (if applicable)	Our complaints process follows, and is subject to, the Parliamentary and Health Service Ombudsman’s principles of good complaint handling.

OfS CCTV

How we use information captured by our on-site CCTV

People who visit our premises including staff, onsite contractors and visitors

The specific personal information held and used	Images captured using CCTV: static or moving imagery. We may process special category data. To ensure we do not breach privacy law, all CCTV cameras are focused on OfS property. All recorded images can be found on viewing monitors, locked in a server room and can only be viewed by authorised staff. CCTV does have the ability to record sound although this function is currently switched off.
Our purpose for using the information	CCTV is used for: Maintaining the security of property and premises Preventing and investigating crime Maintaining the safety and security of OfS (and Research England) colleagues, stakeholders and members of the public/visitors.
Our legal basis for using the information	Our legal basis: UK DPA 2018 GDPR Article 6(1)(c) - legal obligation: The OfS is obliged to process personal data to comply with the law. Article 6(1)(e) - public task: Maintaining security and safety of members of the public and/or for the prevention and detection of crime. Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security. The Law Enforcement Directive (LED). For the interest of public safety, we must ensure we process personal data for security purposes. The information also empowers the police to process personal data for the purposes of preventing, detecting and investigating crime. We also need to consider our obligations in relation to the following: Freedom of Information Act 2000 Protection of Freedoms Act (has an important role in regulating surveillance systems, creating the role of the Surveillance Camera Commissioner with which the ICO has a memorandum of understanding to ensure effective cooperation). It also provides advice and guidance on issues such as operational requirements, technical standards and the effectiveness of the systems available. Human Rights Act 1998 Surveillance Camera Code of Practice (issued under the Protection of Freedoms Act).
Any information we obtain from other sources	The visitors' logbook: a register (of personal data) of those who visit the OfS building and staff.
Who we share the information with and the reason for this	The facilities management team will maintain and operate procedures intended to implement the CCTV policy. These procedures will ensure the CCTV system will be operated in accordance with legislation. The lawful justification for collecting and using CCTV imagery is that there are legitimate reasons to do so. CCTV imagery may be handled and used by the following recipients to maintain a safe, secure, efficient and compliant environment for our colleagues, stakeholders and members of the public: OfS personnel Local authorities Police/law enforcement Fire and rescue services Insurance companies (only when authorised). Our camera infrastructure is shared with third parties such as the police and local authorities. They may take control of cameras and use them for security or crime prevention activities. These arrangements are covered by information sharing agreements and legislation as mentioned above.
How long we will retain your personal data for	The system overwrites itself. This means that CCTV images will typically be kept for up to six to eight weeks. CCTV footage will be kept for up to three months unless required as part of our function or by law.

Attending our offices

We meet pre-arranged visitors at our Bristol offices, including:

People visiting our premises to attend a meeting or an interview
People who are on-site contractors.

Our London office is part of a shared government building, where visitor arrangements are controlled by our landlord, the Government Property Agency (GPA).

The personal data we process	For visitors, we routinely collect: Name Signature Organisation Vehicle registration, if travelling by car to our Bristol office Special category data Health data – related to site access (if you choose to share this) and health and safety or emergency processes. For OfS staff, and for staff from our tenant organisation (Research England) we collect: Name Phone number Work email address Car registration Organisation Special category data Health data - related to site access (if you choose to share this) and health and safety or emergency processes).
Our purpose for using the information	We use visitor information for security and safety reasons: to manage our office sites and building access (including car park at our Bristol office) effectively, securely and safely. Your name and visit details will be shared with the on-site team before your visit, so that they know to expect you. You'll be asked to sign in and out and may be asked to show a form of photo ID. This is for identification only; we don't keep a record of this information. You'll be given a personalised paper pass which you must wear throughout your visit. This pass will be destroyed when you leave the site. You are invited to share any information which may impact your building access requirements. We also process your personal information to manage our health and safety processes, including the reporting of accident and incident reporting.
Our lawful basis for using the information	UK GDPR Article 6(1)(f) Legitimate interests – the OfS has a legitimate interest in processing your personal data for safety and security of our office and its users. UK GDPR Article 6(1)(c) Legal obligation – the OfS must record employee accidents in line with regulation 25 of the Social Security (Claims and Payments) Regulations 1979 and report any incidents that meet the threshold to the Health and Safety Executive (HSE) under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013. UK GDPR Article 9(2)(b) Employment and social security and social protection law – to carry out our obligations as an employer, providing appropriate safeguards to our employees. UK GDPR Article (9)(2)(g) Reasons of substantial public interest under schedule 1 part 2 subsection 6 of DPA - to provide health and safety safeguards, for example accommodating accessibility requirements, for visitors to our offices, as is our duty under section 3 of the Health and Safety Act 1974. Very occasionally we may need to process your special category data to protect your vital interests or those of another person where you are incapable of giving your consent (Article 9(2)(c)). For example, by providing your personal data to ambulance or healthcare professionals if you are unconscious or otherwise unable to speak for yourself.
Information we obtain from other sources	Images captured using CCTV: static or moving imagery is recorded of those who visit the OfS building and staff. This is covered by a separate privacy notice. For our London office managed by the GPA, the GPA will share information with us to manage and develop the government property estate, and to provide building services and facilities in a safe and secure environment.
Who the information is shared with and why	In some circumstances we may need to share your personal information with other organisations for specific reasons. The information may be handled and used by the following recipients to maintain a safe, secure, efficient, and compliant environment for our colleagues, stakeholders and visitors: OfS and Research England staff Local authorities The Health and Safety Executive Police and law enforcement Fire and rescue services Insurance companies (only when authorised). For our London office managed by the GPA, we will share information with the GPA to enable the provision of landlord, workplace and organisational services. We will not routinely disclose your information to any other organisation other than those listed except where required to do so as part of our functions or by law. Where personal information is disclosed routinely to another organisation, a contractual agreement will be in place to ensure the protection of your personal information and to ensure it is only used for the reasons described above.
Whether the information will be transferred to another country	Your personal information will be stored on servers in the UK or European Economic Area and will not be transferred outside that territory unless required by a court order.
How long we will retain your personal data for	We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for: Paper building passes will be securely destroyed the day after your visit. Personal details held in the OfS visitor logbook will be held for up to one year, after which your information will be securely destroyed. For OfS staff and Research England staff: Car park access information is held until you leave the organisation. Your access arrangements information is held until you leave the organisation. After that point, your personal information will be confidentially and securely disposed of. If we need to keep your personal information for longer than specified here, we will update our privacy information to reflect this.
Other relevant privacy notices	GPA data privacy notice and Wifi connection privacy notice HSE privacy policy statements

Last updated 27 April 2026 + show all updates

27 April 2026: Updated information across several sections, including our general privacy notice, to provide further clarity on how we use personal data in accordance with updated data protection regulations and changes to guidance around information security.
10 December 2025: We have updated the 'Collecting personal data for regulatory purposes' section of the privacy notice.
05 September 2025: Updated social media policy to reflect use of a social listening tool (Pulsar)
04 September 2025: Updated details for registration of providers.
01 July 2025: The 'OfS CCTV' section has been updated.
07 April 2025: The 'Recruitment' section has been updated.
18 March 2025: The 'Third party services' section has been renamed to 'Procurement', and the content of that section has been updated.
23 December 2024: Updated privacy information for 'Signed up to receive information' section.
12 March 2024: Updated OfS consultations and survey respondents information
04 May 2023: Section added on 'OfS car park' giving information on how we use vehicle information.
09 January 2023: Wording added on sharing information for recruitment.
18 November 2022: Added a section on collecting data for regulatory purposes.
20 May 2022: Updates to the recruitment section to reflect changes to the specific personal information held and our purpose for processing the information.
02 November 2021: Extensive review and update of the OfS privacy notice, re-structuring to help users find information more easily.

Help us improve your experience

Describe your experience of using this website

OfS privacy

Privacy notice

How to use this privacy notice

Share this page:

Thank you for your feedback