OfS privacy

Privacy notice

How to use this privacy notice

Use the links below to select the reason that we process your personal information and see the following details:

  • The specific personal information held and used
  • Our purpose for using the information
  • Our legal basis for using the information
  • Any information we obtain from other sources
  • Who we share the information with and the reason for this
  • How long we will retain your personal data for
  • A link to a more specific privacy notice (if applicable).

Unless otherwise stated we will not transfer your data to another country or do automated decision making.

The specific personal information held and used 

Depending on the purpose and context, the personal data the OfS collects for regulatory purposes may include:

  • Your name and job title
  • Your contact information
  • Your occupation and employment details
  • Information relating to your age, disability status, racial or ethnic origin, political opinion and political affiliations, religious or philosophical belief, sex, sexual orientation, gender and nationality
  • Your views and opinions
  • Other information relevant to carrying out our statutory functions

Our purpose for using the information 

We mainly collect and process personal information in connection with performing any of our statutory functions. This includes (but is not limited to) the following:

  • maintaining the register of English higher education providers;
  • regulating and monitoring the activities of registered English higher education providers, for example by the imposition of new or revised regulatory obligations;
  • investigating, monitoring and assessing whether higher education providers have complied with regulatory and other legal obligations, for example those which relate to the following subject matter:
    • (a) the quality of, and standards applied to, higher education;
    • (b) financial stability and sustainability;
    • (c) management and governance;
    • (d) freedom of speech and academic freedom;
    • (e) consumer protection law;
    • (f) charity law;
  • promoting equality of opportunity in higher education;
  • providing funding for purposes connected with higher education;
  • making arrangements for the collection and publication of information about higher education providers and individuals connected with them;
  • sharing information with a wide range of other bodies, including (but not limited to) the Department for Education, the Student Loans Company, the Competition and Markets Authority, Local Authority Trading Standards Departments, the National Crime Agency, the Charity Commission.

Our legal basis for using the information 

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(g) – reasons of substantial public interest: in particular, for statutory and government purposes under paragraphs 6, 11 and 12 of Schedule 1 of DPA 2018.

Any information we obtain from other sources 

Other than the personal information collected from you directly, we also obtain personal information about you from other sources, listed below:  

  •  Education providers with which you have a connection
  • Professional, statutory and regulatory bodies (for example, bodies that set standards for the courses run by providers)
  • Survey and research organisations working on our behalf
  • Central and local government bodies
  • Other public sector bodies
  • Regulatory and civil/criminal enforcement bodies
  • Agents or service providers

Who we share the information with and the reason for this 

The OfS may also, from time to time, need to share your personal data with other third parties, including:

  • Education providers with which you have a connection
  • Professional, statutory and regulatory bodies (for example, bodies that set standards for courses run by providers)
  • Survey and research organisations working on our behalf
  • Central and local government bodies
  • Other public sector bodies
  • Regulatory and civil/criminal enforcement bodies
  • Agents or service providers

 We may pass your information (routinely or otherwise) to any other organisation where that is connected to the performance of our functions or the functions of the receiving organisation.

 We will also pass your information to other organisations where we have a legal duty to do so.

How long we will retain your personal data for 

The OfS will determine the period for which it needs to keep your personal data having regard to the reasons and purposes for which it was collected, our statutory duties and other legal obligations, the exercise and defence of any legal claims, including the period within which any current or potential future legal claims may be brought.

After that point, your personal information will be confidentially and securely disposed of.  

A link to a more specific privacy notice (if applicable) 

Within our privacy notice, see also:

  • ‘Registration of providers’
  • ‘Notifications about providers’

 

I am a current or former student at a higher education provider in England

  • People who are current students at a higher education provider in England
  • People who used to be students at a higher education provider in England
  • People who have participated in a programme specifically funded by the OfS.
The specific personal information held and used
  • Name
  • Date of birth
  • Contact details
  • Address
  • Nationality
  • Domicile
  • Sex
  • Family details
  • Student identifiers
  • Social circumstances
  • Financial details
  • Educational records and attainment
  • Career progression

Special category data:

  • Physical or mental health details
  • Racial or ethnic origin
  • Religious or other beliefs
  • Sexual orientation
Our purpose for using the information

We process personal information on students to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England.

For further information on how we use data on students to support our regulatory responsibilities, please view the OfS data strategy.

Our legal basis for using the information
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (see GDPR Article 6(1)(e)).
  • Processing of special category data is necessary for statistical and research purposes in accordance with Article 89(1) and Schedule 1 part (4) of the DPA 2018 (see GDPR Article 9(2)(j)).
Any information we obtain from other sources

Much of the information we hold is collected from other sources, who may collect data from you directly, or via your educational provider.

If you have attended an educational establishment in the UK since 1994, then we will hold personal data about you from some or all of the following sources:

Source Contents Link to further information
Higher Education Statistics Agency (HESA)

HESA Student record

Graduate Outcomes survey (formerly Destinations of Leavers from Higher Education in the UK)
Further information from HESA
Student Loans Company Student loans information See the SLC's privacy notice
Education and Skills Funding Agency Individual Learner Record See ILR privacy notice
Department for Education National Pupil Database (school record) Find and explore data in the National Pupil Database
Department for Education Longitudinal educational outcomes Find Graduate outcomes (LEO) data
UCAS Admissions data See UCAS privacy notice
Pearson Education Course data See Pearson privacy notice

If you have participated in a programme specifically funded by us, we will hold data in connection with that programme.

We also collect information directly from students in student surveys. We produce bespoke privacy notices for direct student surveys - see ‘a link to a more specific privacy notice’ below.

Who we share the information with and the reason for this

Where necessary or required, this information may be shared with:

  • Education providers with which you have a connection
  • Survey and research organisations working on our behalf, for example to administer surveys and evaluate programmes we have funded
  • Other public sector bodies
  • Agents or service providers
How long we will retain your personal data for

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for including for the purpose to comply with any legal, reporting or accounting requirements.

Where student data is no longer necessary for ongoing functions, the data may be kept by the OfS for the purposes of archiving for historical research or statistical purposes. For personal data on students, the OfS considers archiving to be necessary to enable statistical analyses the OfS must perform in order to fulfil its functions.

A link to a more specific privacy notice (if applicable) National Student Survey (NSS) - see the NSS privacy policy

I am a current or former employee of a higher education provider

  • People who are currently or formerly employed by a higher education provider in England.
The specific personal information held and used
  • Name
  • Date of birth
  • Provider name
  • Demographic details
  • Sex
  • Identification number (HESA staff)
  • Salary (for vice-chancellors and those holding similar roles in other providers)
  • Employment details (including start date, end date, role type, academic discipline)

Special category data:

  • Physical or mental health details
  • Racial or ethnic origin
  • Religious or other beliefs
  • Sexual orientation

For further details on categories of personal data, please see the links to more specific privacy notices at the bottom of this table.

Our purpose for using the information

We process personal information to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England.

For further information on how we use data on provider staff to support our regulatory responsibilities, please view the OfS data strategy.

Our legal basis for using the information

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (see GDPR Article 6(1)(e)).

Processing of special category data is necessary for statistical and research purposes in accordance with Article 89(1) and Schedule 1 part (4) of the DPA 2018 (see GDPR Article 9(2)(j)).
Any information we obtain from other sources

Much of the information that we hold about provider staff is collected from other sources. If you have worked at an educational establishment in the UK since 1994 then we will hold personal data about you from some or all of the following sources:

  • Higher Education Statistics Agency (HESA) staff
  • Provider returns
Who we share the information with and the reason for this

Where necessary or required this information may be shared with:

  • Government departments or other public sector bodies
  • Agents or service providers
  • Survey and research organisations working on our behalf
How long we will retain your personal data for

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements.

Where staff data is no longer necessary for ongoing functions, the data may be kept by OfS for the purposes of archiving for historical research or statistical purposes. For personal data on provider staff, OfS considers archiving to be necessary to enable statistical analyses the OfS must perform in order to fulfil its functions.
A link to a more specific privacy notice (if applicable)

See Registration privacy notice

See HESA Staff data

I am employed by a provider who is applying to register with the OfS

  • People who are submitting an application to the OfS Register, on behalf of their provider
  • People who are completing ‘fit and proper person checks’ as part of their provider’s registration process.
The specific personal information held and used 

For the OfS Register:

  • Provider’s contact details (address, email address, and telephone number), where this relates to an identified or identifiable individual rather than generic information.

To undertake ‘fit and proper person’ checks, we need the following information about the accountable officer, chair of the governing body, all directors/trustees and individual shareholders:

  • Legal first name
  • Surname
  • Role title
  • Month and year of birth
Our purposes for using the information 
  • For publication on the Register, where contact details for general enquiries relate to an identifiable individual
  • To show who developed and authorised the submissions to meet registration conditions – for our internal use only
  • To maintain contact between the OfS and the provider regarding its entry on the Register - for our internal use only
  • To add contact details to the OfS database which we will use to consult with providers to inform funding, policy development, policy analysis and research
  • To assess your application for registration and the status of registration, as well as your provider’s continuing compliance with any ongoing conditions of any subsequent registration
  • Using personal information collected to undertake ‘fit and proper person' tests when necessary.
To fulfil any of our other statutory functions or legal requirements from time to time.
Our legal basis for using the information 
  • Article 6(1)(c) – where the processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Please refer to the specific privacy notice for further information on the relevant legal obligations and public tasks.

Any information we obtain from other sources

Other than the personal information collected from you directly, we also obtain personal information about you from other sources, if needed, for fit and proper person checks:  

  • Government departments or other public sector bodies (such as Companies House or the Insolvency Service)
  • Agents or service providers.
Who we share the information with and the reason for this

We will share your personal information to some other organisations for specific reasons, as explained below:  

  • Synectics Solutions Ltd
  • Government departments or other public sector bodies
  • Agents or service providers

The OfS uses a third party organisation, Synectics Solutions Ltd, to assist with ‘fit and proper person’ checks.

Please refer to the specific privacy notice for further information about how we use Synectics Solutions. We will not disclose your information to any other organisation other than those listed except where required to do so as part of our functions or by law.

How long we will retain your personal data for 

We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. 

  • For continuing providers, we will retain details of key individuals as long as they are required for the registration process and for a further seven years.
  • For deregistered providers, we will retain details of key individuals for seven years following deregistration.
  • For unapproved providers, we will retain details of key individuals for seven years following the decision not to register.

After these points, your personal information will be confidentially and securely disposed of.  

We will also keep information published on the Register for as long you are registered. As part of The National Archives fulfilment of the Public Records Act, the published Register will be archived twice a year.

A link to a more specific privacy notice (if applicable) See the Registration privacy notice

See Synectics Solution’s privacy policy

I am a stakeholder or a member of a board, committee or panel who regularly interacts with the OfS

  • People who are currently or formerly board, committee and panel members
  • People who are stakeholders working together, or interacting with, the OfS.

The specific information held and used

  • Title and name
  • Work email
  • Work telephone number
  • Name, email and telephone number of Personal executive assistant (if provided)
  • Dietary requirements and access needs where necessary for meetings held in person
Our purpose for using the information

As an independent regulator, the OfS needs to communicate regularly with its stakeholders in the higher education sector, government departments and other sector bodies. These stakeholders include chief executive officers of sector bodies that we work with and officers in government departments.

In order to ensure that we can communicate with our stakeholders effectively, the OfS maintains a database of contact information for stakeholders. In addition:

  • Processing allows the OfS to inform members about activities, meeting dates and send documents relating to group matters
  • To maintain a record of working groups and members involved with student support networks.

Our legal basis for processing your personal information

Our legal basis for holding this information depends on the reasons why we need to contact you:

  • GDPR Article 6(1)(e) - We may need to contact you in order to meet our statutory functions as a regulator and because it is necessary to fulfil our public tasks)

Or

  • GDPR Article 6(1)(f) - We may have another ‘legitimate interest’ in contacting you, for example if OfS staff are meeting with you, they will have a legitimate need for your contact details in order to arrange the meeting.
Any information we obtain from other sources

We obtain this information directly from stakeholders and their interactions from us.

There will also be circumstances where we need to obtain your contact information from another source, so that we can contact you to meet our public task or a specified legitimate interest. For example, if you have recently joined a sector body that we work with and we do not have your contact details, we may need to obtain your details from a public source, such as your organisation’s website.

Who we share the information with and the reason for this

We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law.

How long we will retain your personal data for

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements.

Board, committee and panel records are retained seven years from date of last document.

A link to a more specific privacy notice (if applicable)

Stakeholders can subscribe to receive emails and news alerts from the OfS. Please refer to the section 'Staying informed' for this privacy information.

I’m responding to an OfS consultation or a survey

  • People who respond to one of our consultations or surveys.
The specific personal information held and used

The categories of personal information collected will vary depending on the specific consultation or survey. However, the information needed will include some or all of the following:

  • Name
  • Email address
  • Organisation
  • Job role

Demographic data such as:

  • Sex
  • Age

Special category data such as:  

  • Racial or ethnic origin

The specific information collected will be set out in the individual privacy notice for each consultation and survey.

Our purpose for processing the information

We use personal information about you in order to understand who has responded to the consultation or survey, and respondents’ views with the aim of being able to understand the different perspectives of stakeholders. We may also contact you for any queries relating to your responses.

We may publish a summary of the consultation responses and, in some cases, the responses themselves. The specific information that will be published will be set out in the individual privacy notice for each consultation and survey.

Our legal basis for using the information

Unless otherwise specified the legal basis for processing your information is Article 6(1)(e) public task. The legal basis for processing your personal information is that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where special category data is collected, the relevant condition is Article 9(2)(a) explicit consent given by the respondent.
Who we share the information with and the reason for this

Unless otherwise specified, responses are collected via SmartSurvey. Information collected through SmartSurvey is stored on secure servers in the UK or EU and does not leave Europe at any point. See the SmartSurvey privacy notice

To support the analysis of consultations, we occasionally share the information collected through consultations with external organisations. Unless otherwise specified, analysis is undertaken by Pye Tait Consulting. Read the Pye Tait Consulting privacy notice for further information.

How long we will retain your personal data for

Each consultation and survey will indicate a time period as to how long personal information will be held for. After that point, your personal information will be confidentially and securely disposed of.

A link to a more specific privacy notice or information page (if applicable)

See the SmartSurvey privacy notice

See the Pye Tait Consulting privacy notice

I am attending an OfS conference or event

  • Invitees and delegates of in-person conferences or events organised by the OfS.
The specific personal information held and used 

If you choose to attend one of our events, you will be asked for the following:

  • Name
  • Job title
  • Organisation
  • Contact details (email address, telephone number and postal address)
  • The capacity in which you will attend the event
  • How you heard about the event
If you are offered a place, you will be invited to tell us about any dietary requirements or access provisions you may need. We won’t share this information in an identifiable way with the conference venue.
Our purpose for using the information

Our purpose for collecting this information is so that we can manage our conferences and events, including event invitations, acceptances, contact details of invitees and delegates, dietary and access requirements.

We use Eventbrite to manage our conferences and events. If you prefer not to use Eventbrite to respond to a conference or event invitation, you may respond directly using the contact details provided in the invitation.

When you register for an OfS event using an Eventbrite form, you will be presented with a summary of how any personal information submitted will be used. The summary privacy information also includes a link to a more detailed privacy notice.

We usually provide a list of delegates as part of the delegate pack for the conference or event. We will give you an opportunity to indicate if you do not wish your name, job title and institution or organisation to be included on the delegate list.

Our key policy events may have a member of staff taking informal photos of the event, some of which may be published on our social media feeds. Photos will focus on speakers, but delegates may be captured incidentally. If you do not wish to be included in any photos, please make this known to a member of staff at the beginning of the event.

Our legal basis for using the information

To ensure the effective management and running of OfS events:

  • Article 6(1)(f) legitimate interests

Access and dietary requirements:

  • Article 9(2)(a) explicit consent
Who we share the information with and the reason for this

We share information on numbers of delegates as well as access and dietary requirements (where supplied) with the conference venue or other event suppliers but not in way that identifies individuals.

Your rights over your personal information

Information about access and dietary requirements - Withdrawal of consent
Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected]

Once consent is withdrawn, we will destroy all relevant personal information unless we are relying on a different legal basis to justify keeping your personal information. If that is the case, we will tell you in writing. However, withdrawing your consent does not affect the lawfulness of processing based on consent before you withdrew consent. 

Whether we intend to transfer information to another country

Eventbrite processes data (including any personal data submitted by booking one of our events) in the USA.

Because this means your information will be held outside the UK we have assessed the risks with storing your personal information in this country and are satisfied that it will not be put at any undue risk as a result. The reasons for this are there is an appropriate transfer mechanism in place (Standard Contractual Clauses) and an adequate level of protection for the nature of the personal data to be transferred.  

Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy.

If you prefer not to use Eventbrite for responding to a conference or event invitation, you may respond directly to the OfS by contacting the event organiser using the details provided in the invitation.

How long we will retain your personal data for

We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. The personal information you have submitted will be kept for one month after the event. After that point, your personal information will be confidentially and securely disposed of. Eventbrite keeps registrations indefinitely.

A link to a more specific privacy notice or information page (if applicable)

See Eventbrite’s privacy policy

See OfS events page

I am attending an OfS webinar   

  • People who participate in our webinars for events, workshops and conferences.

The specific personal information held and used

  • Name
  • Email address
  • Job title
  • Organisation
  • Collecting device and location information
  • IP address
  • Local IP (IP of device)
  • Network type
  • Type of microphone (for presenters)
  • Data centre
  • Collection type (joining and leaving webinar reasons and times)

Our purpose for processing the information

The OfS holds webinars, events, workshops and conferences to promote its work as a regulator and to support its statutory functions.

We usually use Zoom and Microsoft Teams to deliver and manage webinars, allowing participants to log in and attend webinars at the time or view the webinar later.

Our legal basis for using the information

  • Article 6(1)(f) - legitimate interests

We have a legitimate interest in collecting your personal information to ensure that the OfS has the necessary information to host webinars effectively, and to also ensure only invited individuals attend webinars or view webinars later.

Any information we obtain from other sources

 We usually use Zoom and Teams to deliver and manage webinars. We also use Teams to host external meetings and events.

On occasion, we use Eventbrite to allow attendees to register for online events we host.

Who we share the information with and the reason for this

  • As your personal information will be submitted by registering or logging in to Zoom or Microsoft Teams, any personal information you submit will be stored by, and accessible to, Zoom and Microsoft.
  • Zoom and Microsoft process personal data in accordance with their own privacy policies.
  • In addition, if you use an Eventbrite form to register for an OfS event hosted on Teams, any personal information submitted in the form will be stored by, and accessible to, Eventbrite.
  • Eventbrite processes personal data in accordance with its own privacy policy.

We will not disclose your information to any other organisation except where required to do so as part of our functions or by law.

Whether we intend to transfer to another country

Eventbrite and Zoom are based in the United States. If you choose to register for an event through Eventbrite, any personal information you submit will be transferred to the United States. Zoom, in certain cases, will transfer data to the United States, as well as to other countries outside of the EEA.

How long we will retain your personal data for

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for.

  • If you choose to attend a webinar through Zoom or Teams, any personal data processed will be retained for as long as is considered necessary by Zoom or Microsoft, and in accordance with their privacy policies (see relevant links below).
  • Your personal information will be stored by the OfS in the European Union/EEA. This means that your personal information is protected under the UK GDPR.
  • Cloud recordings are retained for 30 days, and meeting metrics are retained for 12 months.
  • If you choose to register for an event through Eventbrite, any personal data processed will also be retained for as long as is considered necessary by Eventbrite, and in accordance with their privacy policy (see relevant link below).

A link to a more specific privacy notice or information page (if applicable)

See Zoom's privacy notice

See the Eventbrite privacy notice

See Microsoft's privacy notice

I am interacting with OfS social media

  • Information we gather through social media platforms.
The specific personal information held and used
  • Public social media profiles
  • Public social media posts
  • Username
  • Followers/networks
  • Online behaviour, for instance likes and re-tweets.
Personal data is provided by social media platforms and other public sources.
Our purpose for processing the information

In line with the OfS’s social media strategy and student engagement strategy, the purpose is to use social media to understand what the wider public is saying about the Office for Students and the sentiment and conversations around other topics relevant to students and the higher education sector.

To achieve the above aim, we will use a social listening tool to generate aggregate level reports about trends and insights across the higher education sector.
Our legal basis for using the information
  • Article 6(1)(e) – public task
The lawful basis for processing your personal data is it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, use of the tool relates to s35 of the Higher Education Research Act 2017, where the OfS’s role is to provide advice on good practice.
Any information we obtain from other sources We will use a social listening tool to analyse posts from social media accounts, which are available online.
Who we share the information with and the reason for this

The OfS will not be sharing any personal data, as the data the tool provides is aggregated.

We will not disclose your information to any other organisation except where required to do so as part of our functions or by law.
Whether we intend to transfer to another country No
How long we will retain your personal data for Aggregate reports, which are anonymised, will be retained by the OfS for a maximum of five years. Any personal data that underpins the aggregate reports will be retained by the social media monitoring and listening company for a maximum of five years.

A link to a more specific privacy notice or information page (if applicable)

See the privacy notice for OfS analysis of social media

I have given permission or signed up to receive information about OfS news, events and opportunities to be involved in the work of the OfS

  • People who have subscribed to receive emails about OfS events
  • People who have subscribed to receive the OfS newsletter
  • People who have subscribed to receive emails about OfS alerts
  • People who have subscribed to receive the OfS monthly update
  • People who have subscribed to receive OfS ‘Student News’ alerts (previously named 'Student spotlight')
  • People who have subscribed to receive charity regulation alerts
  • People who have subscribed to receive Prevent monitoring alerts
The specific personal information held and used

If you subscribe to our monthly newsletters, alerts, information and updates you will need to provide your name and email address.

Our purpose for using the information

We will use your information to send you our monthly newsletters, alerts, information about upcoming events and opportunities to be involved with OfS work.

Our legal basis for using the information

Article 6(1)(a) - consent (by subscriber)

Who we share the information with and the reason for this

The OfS uses Mailchimp as our marketing platform. Your personal data will be shared with Mailchimp for processing in accordance with their privacy policy

When you subscribe to our newsletter, and any of our alerts or monthly updates, your name and email address will be stored by Mailchimp on servers in the United States.

Whether we intend to transfer to another country

Mailchimp is based in the United States and any personal data submitted when you subscribe will be processed in the United States according to Mailchimp’s own privacy policy.

How long we will retain your personal data for

Data will be held until consent is withdrawn.

The personal information you provide will be deleted when you unsubscribe; this may take up to a week.
Link to more specific privacy notices

See the privacy notice for OfS Student News alerts

See Mailchimp’s privacy policy

I am a third-party supplier to the OfS

  • People or organisations that provide unique services or goods to the OfS.
The specific personal information held and used
  • Name
  • Job title
  • Personal signature
  • Organisation name
  • Contact details (email, telephone)

As part of the credit checks (carried out by a third party, see ‘any information we obtain from other sources’), we process the following information of Persons of Significant Control:

  • Title
  • Name
  • Date of birth (month and year)
  • Address
  • Job title
  • Nationality
  • Appointment date
  • Occupation
Our purpose for processing the information
  • The OfS needs to collect personal data to help us communicate with you as part of the procurement process. We may also need to collect personal data to enable us to perform background checks (such as credit checks) on the bidding organisation, which can be necessary as part of the procurement process.
  • The personal data you provide to the OfS as part of the procurement process is necessary to ensure that we are able to undertake the required due diligence processes for bidding organisations.
  • We retain any personal data collected through the procurement process to support on-going contract management.
Our legal basis for using the information

Article 6(1)(e) - public task

Article 6(1)(c) - legal obligation

Any information we obtain from other sources We use a third party for credit checks – Creditsafe
Who we share the information with and the reason for this

We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. However, we are required to publish contract award notices on our website. This includes who the contract was awarded to, a contact name, phone number and email address.

How we store your personal data

We use a third-party company, BiP Solutions, for managing and storing procurement records.

Information related to your tender is accessible via a portal (Delta e-sourcing).

All information is stored within the EU.
Retention period

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements.

Contracts not under seal: Seven years from end of contract

Invitation to tender; successful tender documents: Seven years from date of last document

Unsuccessful tender documents; tender evaluation documents: Three years from date of last document

A link to a more specific privacy notice or information page (if applicable) See the Delta e-sourcing privacy policy

I am applying for a job with the OfS

  • Job applicants (current or former).
The specific personal information held and used

The personal information we will collect and use as part of the application process is:

  • Name
  • Address
  • Telephone number
  • Email address
  • Qualifications
  • Work history

Optional special category data (you can select ‘prefer not to say’ for all these categories):

  • Ethnicity
  • Disability
  • Gender identity
  • Religious belief
  • Sex
  • Sexual orientation
  • Unpaid caring responsibilities

If we invite you to an interview, we will ask if you require any reasonable adjustments to be made in relation to the interview process. This information will be held and used separately from the application form. Some roles require you to take an online assessment.

If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks and health questionnaire:

  • Name
  • Address
  • Date of birth
  • Proof of identity
  • Proof of your qualifications
  • Criminal records declaration

Some roles require a higher level of security clearance and, if this is the case, we will let you know.

If we make a final offer, we will also ask for the following:

  • Bank details
  • Emergency contact details
  • NI number
  • Any membership of a Civil Service Pension scheme.
Our purpose for processing the information

We will use your information for the following purposes:

  • to process your application
  • to invite you to interview (if relevant)
  • for referencing, pre-employment checks and onboarding on appointment
  • to monitor applicant pools for our equality and diversity data (you may prefer not to supply this data)
  • we publish non-identifiable data under our Public Sector Equality Duty
  • we are a Disability Confident employer and may ask for certain information to enable us to carry out our responsibilities in this area - for example, making reasonable adjustments for the interview process.

Our hiring managers shortlist applications for interview.

You must successfully complete pre-employment checks to progress to a final offer. We are legally required to confirm your identity and right to work in the UK.

If you choose to supply equality and diversity data, we will not make this information available to any staff outside our recruitment team (including hiring managers) in a way that can identify you. Your application will not be affected if you choose not to supply equality and diversity data.

Our legal basis for using the information
  • Legitimate interests – the OfS has a legitimate interest in processing your personal data to administer and consider your application.
  • Explicit consent – for special category data (e.g. ethnicity, gender, disability) should you choose to submit such information.
  • Contract – where processing is necessary to perform a contract or take steps, at your request, before entering a contract.
  • Legal obligation – for us to establish and record the right to work, security checks, if you provide us with any information about reasonable adjustments so that we can comply with our obligations under the Equality Act 2010.
Any information we obtain from other sources

Other than the personal information collected from you directly, we also obtain personal information about you from other sources:

  • Pre-employment checks, including references and DBS check on appointment only.
Who we share the information with

Other than the organisations listed below, we will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. (In exceptional circumstances, your information may be shared with someone who is not an OfS employee but is working with us to recruit to an OfS role, or a committee or panel.)

  • We use Workday Recruiting to manage the application and selection process.

Pre-employment checks:

  • DBS checks are carried out for us by Atlantic Data
  • We use Maximus Health Management to administer health questionnaires.
Your rights over your personal information

Equality and diversity data - withdrawal of consent

Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected] 

Once consent is withdrawn, we will destroy all relevant personal information unless we are relying on a different legal basis to justify keeping your personal information. If that is the case, we will tell you in writing. However, withdrawing your consent does not affect the lawfulness of processing based on consent before you withdrew consent.

Whether we intend to transfer to another country

Your personal information held on Workday will be stored securely within the European Economic Area (in Ireland and backed up in Germany) and will not be transferred outside that territory unless required by a court order.

The UK has agreed that countries within the EEA provide an equivalent level of safeguards for the processing of personal data.

How long we will retain your personal data for

We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. Unless you are appointed, the personal information you have submitted will be kept for one year after the job has closed. After that point, your personal information will be confidentially and securely disposed of.

Cookies

Our careers site (Workday) uses strictly necessary cookies to allow the site to function properly and to enable the successful communication between the end-user and the service, as follows:

  • Session management cookies - User, device and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session.
  • Routing cookies - To forward requests for a single session to the same server for consistency of service. These cookies expire at the end of the session.
  • Application Security Management (ASM) cookies - To help protect web applications and infrastructure from security attacks. These cookies expire at the end of the session.

A link to a more specific privacy notice or information page (if applicable)

 Information about the measures that Workday has in place to keep your information secure. See Workday security information

See Atlantic data's privacy statement (DBS checks)

See Maximus health management privacy policy (Health questionnaire)

Information about working for the OfS can be found on our careers page.

Further details about how we process the personal information of our employees is provided in a separate privacy notice.

I am submitting a request under access to information legislation

  • People who submit a request for information under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004.
  • People who make a subject access request or another request about their information under data protection legislation.
The specific personal information held and used
  • Name
  • Contact details
  • Form of identification (where required)
Our purpose for processing the information

We use your name and contact details so that we can respond to your request for information.

If you are making a subject access request, we may require identification so that we can verify your identity.

Our legal basis for using the information

Article 6(1)(c) - compliance with our legal obligations under information rights legislation

Who we share the information with and the reason for this

We will not routinely share your personal information; however, in some circumstances we may need share your details with third parties so that we can respond to your request.

How long we will retain your personal data for

Information will be kept in line with our retention policy. This means that information related to your request or subsequent appeals will be retained for five years from date created.

A link to a more specific privacy notice or information page (if applicable)

See information about making a request

See our Retention Schedules

I am making a notification about a provider

  • Students, staff members and others who wish to let us know about an issue within a university or college registered with the OfS.
The specific personal information held and used
  • Name
  • Email address
  • Telephone number
  • Any other personal information you choose to provide as part of the notification
Our purpose for processing the information
  • A notification is a way for students, staff members or others to let us know about an issue at university or college
  • Notifications are sent to us by email
  • When we receive a notification, we will review it and we may decide to investigate further, to take regulatory action, or both.
Contact can be made at [email protected] or via other routes. We may need to contact you again if we require any further details.
Our legal basis for using the information

Our legal basis:

  • DPA 2018
  • GDPR
  • Article 6(1)(c) - legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.

When the OfS is obliged to process the personal data to comply with the law:

  • Article 6(1)(e) - public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The legal basis for processing your information for notifications is because it is necessary for the performance of the task carried out, in the public interest:

  • Article 6(1)(f) - legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

It is not sufficient for the OfS to simply decide that it is a legitimate interest and start processing personal data. We should be able to satisfy a three-part test prior to commencing personal data.

All notifications will be dealt with confidentially and in accordance with the requirements of the DPA 2018 and any subsequent data protection legislation and the Freedom of Information Act 2000. The information will be kept strictly confidential.

Who we share the information with and the reason for this

We may share information obtained in the course of our review or other activity with other bodies, including:

  • The Department for Education
  • Providers
  • To support Law Enforcement if the complaint relates to a crime or incident
  • Advertising Standards Agency
  • PSRB – professional statutory or regulatory body.
We are normally able to share information about a notification in a way that does not reveal the identity of the notifier.
How long we will retain your personal data for

As stated in the OfS Retention Schedules (May 2021 version):

  • Disposal action: Retain permanently
A link to a more specific privacy notice or information page (if applicable)  See information about OfS notifications

I am making a complaint about the OfS

The specific personal information held and used
  • Name
  • Contact details
  • Email address
  • Any other personal information you choose to provide as part of your complaint.
Our purpose for processing the information

Where complaints are submitted to us by email at [email protected] or via other routes, we will use and retain the information supplied to us to handle the complaint and any subsequent issues, but also to check on the level of service we provide:

  • To enable us to carry out investigations into your complaint
  • To provide a response and agree appropriate actions
  • To learn from experience to inform change in policy and/or process.
Our legal basis for using the information

Our complaints process follows and is subject to the Parliamentary and Health Service Ombudsman’s Principles of Good Complaint Handling.

We should act according to our statutory powers and duties as well as follow our own policy and procedural guidance.

The UK GDPR states:

  • Article 6(1)(c) - legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.

When the OfS is obliged to process the personal data to comply with the law:

  • Article 6(1)(e) - public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

We are required to have a published complaints procedure to enable members of the public who are in receipt of any service to, should they feel their needs are not being met. Therefore, we are carrying out a public task which is carried out in the public interest and is also in the exercise of official authority vested in us as a Public Authority.

The legal basis for processing your information for enquiries is because it is necessary for the performance of the task carried out, in the public interest:

  • Article 6(1)(f) - legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

It is not sufficient for the OfS to simply decide that it is a legitimate interest and start processing personal data. We should be able to satisfy a three-part test prior to commencing personal data.

All complaints will be dealt with confidentially and in accordance with the requirements of the DPA 2018 and any subsequent data protection legislation and the Freedom of Information Act 2000.  

Information will be kept strictly confidential. It will be stored in a secure database on the OfS’s computer system.

Who we share the information with and the reason for this

From time to time we may be asked to share information with other organisations in the event of a complaint about the OfS itself, for example:

  • To assist the Parliamentary and Health Service Ombudsman in their work
  • To support law enforcement if the complaint relates to a crime or incident.
How long we will retain your personal data for

Information will be kept in line with our retention policy. This means that information related to your complaint or subsequent appeals will be retained for ten years.

The OfS Retention Schedule (May 2021) states:

  • Appeals and complaints have a retention period of 10 years
  • Disposal action: destroy 10 years from date created.
A link to a more specific privacy notice or information page (if applicable) Our complaints process follows, and is subject to, the Parliamentary and Health Service Ombudsman’s Principles of Good Complaint Handling.

I have logged my details when visiting the OfS premises

  • People who visit our premises to attend a meeting or an interview
  • People who are onsite contractors.
The specific personal information held and used

We routinely collect the following information:

  • Name
  • Signature
  • Organisation
  • Vehicle registration
Our purpose for using the information

The logbook is used for:

  • Maintaining the security of property and premises
  • Preventing and investigating crime
  • Maintain safety and security of the OfS (and Research England) colleagues, stakeholders and members of the public/visitors
  • Issuing visitors with a pass to manage access to the building
  • Asking for car registration details to manage use of the car park.
Our legal basis for using the information

Our legal basis:

  • UK DPA 2018
  • GDPR
  • Article 6(1)(c) - legal obligation: The OfS is obliged to process the personal data to comply with the law
  • Article 6(1)(e) - public task: Maintaining security and safety of members of the public and/or for the prevention and detection of crime
  • Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security and public health e.g. COVID-19 pandemic
  • Article 9(2)(a) - explicit consent: an unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her
  • For the interest of public safety: The Law Enforcement Directive (LED). This empowers the Police to process personal data for the purposes of preventing, detecting and investigating crime.

We also need to consider our obligations in relation to the following:

  • Freedom of Information Act 2000
  • Human Rights Act 1998

Any information we obtain from other sources

Images captured using CCTV: static or moving imagery is recorded of those who visit the OfS building and staff.

Who we share the information with and the reason for this

The facilities management team will maintain and operate procedures relating to the logbook, to ensure the OfS performs in accordance with legislation.  

The lawful justification for collecting personal data by way of a logbook is that there are legitimate reasons to do so. The information may be handled and used by the following recipients to maintain a safe, secure, efficient and compliant environment for our colleagues, stakeholders and members of the public:

  • OfS personnel
  • Local authorities
  • Police/law enforcement
  • Fire and rescue services.

The data obtained through the logbook may be shared with third parties such as the police and local authorities. They may use this information for investigating and/or detecting crime. These arrangements are covered by information sharing agreements and legislation, as mentioned above.

How long we will retain your personal data for Personal details held in the visitor logbook will be held for one month and then destroyed thereafter.

How we use information captured by our on-site CCTV

  • People who visit our premises including staff, onsite contractors and visitors
The specific personal information held and used

Images captured using CCTV: static or moving imagery.   

We may process special category data.

To ensure we do not breach privacy law, all CCTV cameras are focused on OfS property.

All recorded images can be found on viewing monitors, locked in a server room and can only be viewed by authorised staff.

CCTV does have the ability to record sound although this function is currently switched off.

Our purpose for using the information

CCTV is used for:

  • Maintaining the security of property and premises
  • Preventing and investigating crime
  • Maintaining the safety and security of OfS (and Research England) colleagues, stakeholders and members of the public/visitors.
Our legal basis for using the information

Our legal basis:

  • UK DPA 2018
  • GDPR
    • Article 6(1)(c) - legal obligation: The OfS is obliged to process personal data to comply with the law.
    • Article 6(1)(e) - public task: Maintaining security and safety of members of the public and/or for the prevention and detection of crime.
    • Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security.
  • The Law Enforcement Directive (LED). For the interest of public safety, we must ensure we process personal data for security purposes. The information also empowers the police to process personal data for the purposes of preventing, detecting and investigating crime.

We also need to consider our obligations in relation to the following:

  • Freedom of Information Act 2000
  • Protection of Freedoms Act (has an important role in regulating surveillance systems, creating the role of the Surveillance Camera Commissioner with which the ICO has a memorandum of understanding to ensure effective cooperation). It also provides advice and guidance on issues such as operational requirements, technical standards and the effectiveness of the systems available.
  • Human Rights Act 1998
  • Surveillance Camera Code of Practice (issued under the Protection of Freedoms Act).

Any information we obtain from other sources

The visitors' logbook: a register (of personal data) of those who visit the OfS building and staff.

Who we share the information with and the reason for this

The facilities management team will maintain and operate procedures intended to implement the CCTV policy. These procedures will ensure the CCTV system will be operated in accordance with legislation. 

The lawful justification for collecting and using CCTV imagery is that there are legitimate reasons to do so. CCTV imagery may be handled and used by the following recipients to maintain a safe, secure, efficient and compliant environment for our colleagues, stakeholders and members of the public:

  • OfS personnel
  • Local authorities
  • Police/law enforcement
  • Fire and rescue services
  • Insurance companies (only when authorised).

Our camera infrastructure is shared with third parties such as the police and local authorities. They may take control of cameras and use them for security or crime prevention activities. These arrangements are covered by information sharing agreements and legislation as mentioned above.

How long we will retain your personal data for

The system overwrites itself. This means that CCTV images will typically be kept for up to 6-8 weeks.

CCTV footage will be kept for up to three months unless required as part of our function or by law.
A link to a more specific privacy notice (if applicable)

See the OfS CCTV policy

How we use vehicle information

  • OfS and Research England (RE) staff who park in our Bristol office car park

The specific information held and used

  • Staff name

  • Work number

  • Work email

  • Car registration

  • Organisation

Our purpose for using the information

The OfS currently manages the Bristol office car park for OfS and Research England staff, using a vehicle register, which lists all vehicles, and vehicle passes.

The vehicle passes for OfS vehicles will be placed on vehicle windscreens, and will contain the extension number to call by staff who block in the vehicle during busy car parking times (referred to as double parking).

Facilities Management will inform Research England drivers if they are blocked in by another vehicle.

Our legal basis for processing your personal information

Our legal basis:

  • UK DPA 2018
  • GDPR
    • Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security.
Any information we obtain from other sources

Email addresses, and work numbers from OfS Outlook

Who we share the information with and the reason for this

The Facilities Management team will maintain and operate the vehicle register and vehicle passes.

The lawful justification for collecting and using vehicle information is that there are legitimate reasons to do so. This information may be handled and used by the following recipients to maintain a safe, secure, efficient, and compliant environment for our colleagues, stakeholders and members of the public:

  • OfS and Research England personnel
  • Local authorities
  • Police/law enforcement
  • Fire and rescue services

Insurance companies (only when authorised).

How long we will retain your personal data for

For the duration of time the staff member works for the OfS or Research England.

Last updated 12 March 2024
12 March 2024
Updated OfS consultations and survey respondents information
04 May 2023
Section added on 'OfS car park' giving information on how we use vehicle information.
09 January 2023
Wording added on sharing information for recruitment.
18 November 2022
Added a section on collecting data for regulatory purposes.
20 May 2022
Updates to the recruitment section to reflect changes to the specific personal information held and our purpose for processing the information.
02 November 2021
Extensive review and update of the OfS privacy notice, re-structuring to help users find information more easily.

Describe your experience of using this website

Improve experience feedback
* *

Thank you for your feedback