OfS privacy

Privacy notice

The Office for Students (OfS) is committed to protecting your personal information and being clear about what information we hold about you and how we use it. This privacy notice tells you what to expect when OfS collects personal information. This applies to information we collect about:

students (current and former)
staff (current and former) at higher education providers or other organisations that we work with
visitors to our website, blog readers and recipients of our newsletter and alerts
members of the public or stakeholders that we engage with
people who make a disclosure, raise a complaint, have a query or make a request under information access legislation (Freedom of Information Act, Environmental Information Regulations, Data Protection subject access request)
job applicants and our current and former employees
visitors to our premises and onsite contractors.

How to use this privacy notice

Select and view the relevant sections below to see how we use your personal information depending on the services we are providing to you. The services we provide are directed at learners aged 13 and over.

Why we hold personal information

We process personal information to enable us to fulfil our public tasks including our responsibilities as the lead regulator for higher education in England. This function is directed by the secretary of state and is in accordance with our legal obligations including those described in the Higher Education and Research Act 2017. We also have a role in monitoring the performance by higher education providers of their 'prevent' duty under the Counter-terrorism and Security Act 2015.

Personal information is also used for:

promoting and administering our services
maintaining our accounts
administrative purposes
supporting and managing our staff
awarding and assessing benefits, grants and loans
journalism and media
property management.

Queries or complaints about our use of your personal information

The OfS tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of personal information is unfair, misleading or inappropriate.

Access to personal information

The OfS tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under data protection legislation.

Learn how to make a subject access request for your personal data

Individuals have a number of rights over the way organisations use their personal information.

Disclosure of personal information

There are circumstances when we may disclose personal information without consent. For example, when we need to share personal information with:

the organisation concerned in the investigation of a complaint and with other relevant bodies
law enforcement agencies to prevent and detect crime
other Government departments, agencies or non-departmental public bodies
researchers or consultants acting on our behalf to produce anonymised statistics.

How we protect the personal information we hold

Some of the data we hold is special category data as defined by Data Protection legislation. We take our responsibilities to safeguard such data seriously.

We protect the personal data we hold under a framework of measures, including:

maintenance of an information asset register that provides a snapshot view of all of our information, its business purpose, its location and how it is secured
a range of physical, technical and organisational security measures, for example, access control, encryption, secure collection of data over our extranet
the use of fair processing notices so that individuals about whom we hold data are aware of why we hold it (noting that we have a statutory right to hold data relevant to our public role)
only keeping personal data for legitimate reasons
keeping personal data confidential, retaining its integrity but making it available (through restricting access) only to those staff who need access
having data sharing agreements in place with organisations with whom we share personal data (whether as data controller or processor)
ensuring that data protection features in routine business contracts
operating restrictions on the transmission of personal data, particularly overseas
internal policies with which staff and others are required to follow
training and awareness-raising activity for staff to promote compliance with our data protection and wider information security policies.

Students (current and former)

Personal information about current and former students is processed in order to inform policy development, policy analysis and research.

What kind of information is held?

The personal information processed either by us or on our behalf may include:

name
contact details
family details
social circumstances
financial details
educational records and attainment
career progression

The sensitive types of information may include:

physical or mental health details
racial or ethnic origin
religious or other beliefs.

Who is this information shared with?

Where necessary or required this information may be shared with:

education providers with which you have a connection
survey and research organisations working on our behalf
other public sector bodies
agents or service providers
individual researchers and contractors.

How is this information collected?

Much of the information OfS holds about students is collected from other sources. If you have attended an educational establishment in the UK since 1994 then we will hold personal data about you in some or all of the following databases:

Higher Education Statistics Agency (HESA)
HESA Destinations of Leavers from Higher Education in the UK (DLHE)
Individual Learner Record (ILR)
National Pupil Database (NPD)
National Student Survey (NSS)
UCAS admissions data

If you have participated in a programme specifically funded by us, we will hold data in connection with that programme.

Find more information about the data analysis work that we do

Staff (current and former) at higher education providers or other organisations that we work with

Personal information about current and former staff at higher education providers is processed to enable us to fulfil our public tasks, including our responsibilities as the lead regulatory body for higher education in England, and to inform funding, policy development, policy analysis and research.

What kind of information is held?

The personal information processed either by us or on our behalf may include:

name
contact details
family details
social and individual circumstances
financial details
educational records and attainment
career progression.

The sensitive types of information may include:

physical or mental health details
racial or ethnic origin
religious or other beliefs.

Who is this information shared with?

Where necessary or required this information may be shared with:

survey and research organisations working on our behalf
other public sector bodies
agents or service providers
individual researchers and contractors
the provider’s accountable officer - in certain circumstances where an enquiry has been made from a provider’s email address regarding regulatory requirements or practices.

Emails to the OfS

If you send an email to the OfS from a provider email address regarding regulatory requirements or practices, we will assume that the email is sent in an official capacity on behalf of the provider unless we are clearly informed otherwise. In these circumstances, we will ordinarily copy any response to the provider’s accountable officer. This is due to the nature and responsibilities of the accountable officer role.

If you are contacting us from a provider in any other capacity, or if the information is sensitive and you do not want correspondence to be dealt with in this way, please set this out clearly in your email.

How is this information collected?

Much of the information the OfS holds about staff is collected from other sources. If you have worked at an educational establishment in the UK since 1994 then we will hold personal data about you in some or all of the following databases:

Higher Education Statistics Agency (HESA) staff data
Research Excellence Framework (REF) submissions (including individual circumstances)
Clinical Senior Lectureship Awards (CSLA) for Clinical Medicine and Dentistry
National Teaching Fellowship Scheme (NTFS)

Staff related inherited liabilities (pension information)

The OfS makes payments to local authorities, specific pension funds and higher education institutions to reimburse for pension increases under the local government superannuation scheme for people formerly employed at higher education institutions, teacher training colleges or institutions which provided further education or higher education or their dependants.

In order to make payments under this scheme we receive personal data from local authorities, specific pension funds and higher education institutions annually. The personal data we collect includes the following:

National insurance number
Surname
First name or initial
Sex
Date of birth
Original claimant or dependant.

Contact details

We maintain a database of contact details for key roles within higher education providers. Additionally we hold contact details and, where necessary, dietary requirements and access needs for panel members, advisers, working groups and other people we work with from time to time. In most cases contact details would be professional or 'work' addresses or numbers but may occasionally be private or 'home' details.

Visitors to our website, blog readers and recipients of our newsletters and alerts

Website (including blog)

When someone visits www.officeforstudents.org.uk we use two third party services, Google Analytics and SiteImprove, to collect information about how people use our website. We do this to help make sure that it is meeting your needs and to understand how we could do it better.

These services collect information about what pages you visit, how long you are on the site, how you got there and what links you follow. We do not collect or store your personal information (for example, your name or address) so this information cannot be used by us to identify who you are. We do not allow Google or SiteImprove to use or share our analytics data.

Newsletters

When someone subscribes to our monthly newsletter we use a third party service, Mailchimp.

To receive our monthly newsletters you will need to provide your name and email address. This personal information will be stored by Mailchimp on servers in the United States. Mailchimp is compliant with the EU-US Privacy Shield framework.

The personal information you provide to Mailchimp will be deleted when you unsubscribe from their service. This may take up to a week.

You can find out more about how Mailchimp protects your personal information in its privacy notice.

Mailchimp uses cookies to collect information about how people use its services. You can find out more about the cookies Mailchimp uses in its Cookies Statement.

Alerts

Our alerts are hosted by JiscMail. See JiscMail’s mailing list privacy notice. They will be delivered by Mailchimp from January on the same terms as for enewsletters.

Cookies

Cookies are test files placed on your computer to collect standard internet log information and visitor behaviour information. OfS uses cookies to collect information about how people use our website.

You can read more about how we use cookies on our Cookies page, or for further general information visit: www.aboutcookies.org or www.allaboutcookies.org.

Search engine

Our website search is powered by the Funnelback application. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either OfS or any third party.

Members of the public; stakeholders; conference or event attendees

Conferences and events

We use Eventbrite to manage our conferences and events, including event invitations, acceptances, contact details of invitees and delegates, dietary and access requirements.

Eventbrite processes data (including any personal data submitted by booking one of our events) outside the European Economic Area. Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy.

If you prefer not to use Eventbrite for responding to a conference or event invitation, you may respond directly to us by contacting the event organiser using the details provided in the invitation.

We usually provide a list of delegates as part of the delegate pack for the conference or event. We will give you an opportunity to indicate if you do not wish your name, job title and institution or organisation to be included on the delegate list.

Our key policy events may have a member of staff taking informal photos of the event some of which may be published on our social media feeds. Photos will focus on speakers, but delegates may be captured incidentally. If you do not wish to be included in any photos please make this known to a member of staff at the beginning of the event.

People who respond to our consultations

We use SmartSurvey to carry out consultations with the sector and stakeholders. Information collected through SmartSurvey is stored on secure servers in the UK or EU and does not leave Europe at any point. Read SmartSurvey’s privacy policy.

People who call or email us

We may make a note of your contact details and information about the subject of your call so that we can deal with your enquiry. We do not electronically record or monitor telephone calls, other than when messages are left on an answerphone service. If your phone settings allow for caller line identification and broadcasting of your number this may be stored within our phone system (e.g. missed calls and address books).

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Where enquiries are submitted to us we will only use and retain the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

People who make a disclosure or complaint, or make a request to us under information access legislation

When we receive a disclosure, complaint or request we make up a file containing the details of the disclosure, complaint or information access request. This normally contains the identity of the discloser, complainant or requester and any other individuals involved.

We will only use the personal information we collect to process the disclosure, complaint or information access request and to check on the level of service we provide.

We will keep personal information contained in the disclosure, complaint or information access request files in line with our retention policy. This means that information relating to a disclosure, complaint or information access request will be retained for five years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

If you are making a disclosure or complaint about a university or college we use discretion in investigating your concerns. However, we are not able to guarantee confidentiality. In most cases the concerns will already be known to the provider, and any conversation we have with the institution about your disclosure or complaint, will in all likelihood, lead to your identity being deduced. Anonymous disclosures are received from time to time. Our policy is normally not to take action in response to these.

From time to time we may be asked to share information with other organisations in the event of a complaint about OfS itself, for example to assist the Parliamentary and Health Service Ombudsman in their work. In these circumstances, we are usually obliged to provide the information by law.

We may compile and publish statistics showing information like the number of complaints or requests we receive, but not in a form which identifies anyone.

Job applicants, current and former OfS employees

We have a separate recruiting privacy notice which explains how we process personal data relating to job applicants.

Once a person has taken up employment with the OfS, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with the OfS has ended, we will retain the file in accordance with the requirements of our retention schedule and legal obligations, and then delete it.

Visitors to our premises and onsite contractors

All visitors to our premises will be asked to sign in to our visitors' log and issued with a pass. Visitors must sign out and return the pass so that it can be shredded when they leave. Visitor details are retained on the log for one month and then destroyed. Visitors arriving by car will be asked to provide their car registration number so that they can be contacted in the event that they are blocking in other car park users.

CCTV is used for maintaining the security of property and premises and for preventing and investigating crime, it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.

Links to other websites

This privacy notice does not cover the links within this site to other websites. We encourage you to read the privacy statements on the other websites you visit.

Contact details of the Data Protection Officer

Under the General Data Protection Regulation we are required to appoint a Data Protection Officer (DPO). One of their tasks is to be the first point of contact for supervisory authorities and for individuals whose data is processed. Contact details for our DPO are as follows:

Data Protection Officer
Office for Students
Nicholson House
Lime Kiln Close
Stoke Gifford
BRISTOL
BS34 8SR

Email: [email protected]

Tel: 0117 931 7270

Changes to this privacy notice

We keep our privacy notice under regular review.

This privacy notice was last updated on 11 April 2019 and is version 001a. Details of the Data Protection Officer were amended on 15 August 2018.

Help us improve your experience

Describe your experience of using this website

What were you doing on the website? * Is there anything you liked or disliked? *

OfS privacy

Privacy notice

Share this page:

Thank you for your feedback