Skip to main content

Data protection

HESA is now part of Jisc. Jisc is now the data controller of personal data previously controlled by HESA. Pages on the HESA website are being updated to reflect this change. Please see updated Privacy information.

This page links to information for individuals and organisations about HESA's compliance with the General Data Protection Regulation (GDPR) and other data protection legislation.

Personal data held by HESA

HESA holds information on students and staff in universities, higher education (HE) colleges and specialist providers in the UK. The Collection Notices describe the purposes for which this data is collected. The data collection coding manuals for each academic year 1994/95 show the full lists of data fields collected each year.

We also hold information on customers and other people who have contact with HESA where it is necessary to allow HESA to carry out its functions. The Privacy Information page describes how and why we process personal data, the legal bases for this processing, and individuals' rights under data protection legislation.

Data Futures

The Data Futures Data Protection and Information Security White Paper provides an overview of the Data Futures programme and its approach to Data Protection and Information Security by design.

Graduate Outcomes

From December 2018 graduates from the 2017/18 academic year will receive the new Graduate Outcomes survey. The following data protection information for HE providers can found via the main Graduate Outcomes section:

Guidance for higher education providers

Our Data Protection Guidance for the HESA Records aims to provide supporting information for those in HE providers dealing with data protection issues, with additional guidance for Alternative Providers new to the HESA data collection process.

HE providers must make the HESA Collection Notices available to students and staff whose data they send to HESA, usually by including a link from their own privacy information.

Disclosure control in statistical publications

Please see Rounding and suppression to anonymise statistics for information on how we protect personal data from being re-identified from statistical data tables.


HESA maintains the ISO 27001 International Standards certification for Information Security. This means that the security of HESA's systems and processes are regularly and independently audited.

Data Protection Register

HESA and its subsidiary HESA Services Ltd are listed as Data Controllers in the Register of Data Controllers maintained by the Information Commissioner's Office.

  • Higher Education Statistics Agency Limited - Registration Number Z7475057
  • HESA Services Limited - Registration Number Z7899462

Contact details for more information

If you have any questions about HESA and data protection please contact our Data Protection Officer:

  • Email:
  • Tel: +44 (0)1242 388 513 [option 5]
  • Address: Jisc, Clockwise, Festival House, Jessop Avenue, Cheltenham, GL50 3SH