OfS privacy

The specific personal information held and used 

Depending on the purpose and context, the personal data the OfS collects for regulatory purposes may include:

• Your name and job title
• Your contact information
• Your occupation and employment details
• Information relating to your age, disability status, racial or ethnic origin, political opinion and political affiliations, religious or philosophical belief, sex, sexual orientation, gender and nationality
• Your views and opinions
• Other information relevant to carrying out our statutory functions

Our purpose for using the information 

We mainly collect and process personal information in connection with performing any of our statutory functions. This includes (but is not limited to) the following:

• maintaining the register of English higher education providers;
• regulating and monitoring the activities of registered English higher education providers, for example by the imposition of new or revised regulatory obligations;
• investigating, monitoring and assessing whether higher education providers have complied with regulatory and other legal obligations, for example those which relate to the following subject matter:
  • (a) the quality of, and standards applied to, higher education;
  • (b) financial stability and sustainability;
  • (c) management and governance;
  • (d) freedom of speech and academic freedom;
  • (e) consumer protection law;
  • (f) charity law;
• promoting equality of opportunity in higher education;
• providing funding for purposes connected with higher education;
• making arrangements for the collection and publication of information about higher education providers and individuals connected with them;
• sharing information with a wide range of other bodies, including (but not limited to) the Department for Education, the Student Loans Company, the Competition and Markets Authority, Local Authority Trading Standards Departments, the National Crime Agency, the Charity Commission.

Our legal basis for using the information 

• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Article 9(g) – reasons of substantial public interest: in particular, for statutory and government purposes under paragraphs 6, 11 and 12 of Schedule 1 of DPA 2018.

Any information we obtain from other sources 

Other than the personal information collected from you directly, we also obtain personal information about you from other sources, listed below:  

•  Education providers with which you have a connection
• Professional, statutory and regulatory bodies (for example, bodies that set standards for the courses run by providers)
• Survey and research organisations working on our behalf
• Central and local government bodies
• Other public sector bodies
• Regulatory and civil/criminal enforcement bodies
• Agents or service providers

Who we share the information with and the reason for this 

The OfS may also, from time to time, need to share your personal data with other third parties, including:

• Education providers with which you have a connection
• Professional, statutory and regulatory bodies (for example, bodies that set standards for courses run by providers)
• Survey and research organisations working on our behalf
• Central and local government bodies
• Other public sector bodies
• Regulatory and civil/criminal enforcement bodies
• Agents or service providers

 We may pass your information (routinely or otherwise) to any other organisation where that is connected to the performance of our functions or the functions of the receiving organisation.

 We will also pass your information to other organisations where we have a legal duty to do so.

How long we will retain your personal data for 

The OfS will determine the period for which it needs to keep your personal data having regard to the reasons and purposes for which it was collected, our statutory duties and other legal obligations, the exercise and defence of any legal claims, including the period within which any current or potential future legal claims may be brought.

After that point, your personal information will be confidentially and securely disposed of.  

A link to a more specific privacy notice (if applicable) 

Within our privacy notice, see also:

• ‘Registration of providers’
• ‘Notifications about providers’

• Name
• Date of birth
• Contact details
• Address
• Nationality
• Domicile
• Sex
• Family details
• Student identifiers
• Social circumstances
• Financial details
• Educational records and attainment
• Career progression

Special category data:

• Physical or mental health details
• Racial or ethnic origin
• Religious or other beliefs
• Sexual orientation

We process personal information on students to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England.

For further information on how we use data on students to support our regulatory responsibilities, please view the OfS data strategy.

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (see GDPR Article 6(1)(e)).
• Processing of special category data is necessary for statistical and research purposes in accordance with Article 89(1) and Schedule 1 part (4) of the DPA 2018 (see GDPR Article 9(2)(j)).

Much of the information we hold is collected from other sources, who may collect data from you directly, or via your educational provider.

If you have attended an educational establishment in the UK since 1994, then we will hold personal data about you from some or all of the following sources:

HESA Student record

Where necessary or required, this information may be shared with:

• Education providers with which you have a connection
• Survey and research organisations working on our behalf, for example to administer surveys and evaluate programmes we have funded
• Other public sector bodies
• Agents or service providers

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for including for the purpose to comply with any legal, reporting or accounting requirements.

Where student data is no longer necessary for ongoing functions, the data may be kept by the OfS for the purposes of archiving for historical research or statistical purposes. For personal data on students, the OfS considers archiving to be necessary to enable statistical analyses the OfS must perform in order to fulfil its functions.

• Name
• Date of birth
• Provider name
• Demographic details
• Sex
• Identification number (HESA staff)
• Salary (for vice-chancellors and those holding similar roles in other providers)
• Employment details (including start date, end date, role type, academic discipline)

Special category data:

• Physical or mental health details
• Racial or ethnic origin
• Religious or other beliefs
• Sexual orientation

For further details on categories of personal data, please see the links to more specific privacy notices at the bottom of this table.

We process personal information to enable us to fulfil our public tasks under the Higher Education and Research Act (HERA) 2017, including our responsibilities as the lead regulator for higher education in England.

For further information on how we use data on provider staff to support our regulatory responsibilities, please view the OfS data strategy.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (see GDPR Article 6(1)(e)).

Much of the information that we hold about provider staff is collected from other sources. If you have worked at an educational establishment in the UK since 1994 then we will hold personal data about you from some or all of the following sources:

• Higher Education Statistics Agency (HESA) staff
• Provider returns

Where necessary or required this information may be shared with:

• Government departments or other public sector bodies
• Agents or service providers
• Survey and research organisations working on our behalf

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements.

See Registration privacy notice

See HESA Staff data

For the OfS Register:

• Provider’s contact details (address, email address, and telephone number), where this relates to an identified or identifiable individual rather than generic information.

To undertake ‘fit and proper person’ checks, we need the following information about the accountable officer, chair of the governing body, all directors/trustees and individual shareholders:

• Legal first name
• Surname
• Role title
• Month and year of birth

• For publication on the Register, where contact details for general enquiries relate to an identifiable individual
• To show who developed and authorised the submissions to meet registration conditions – for our internal use only
• To maintain contact between the OfS and the provider regarding its entry on the Register - for our internal use only
• To add contact details to the OfS database which we will use to consult with providers to inform funding, policy development, policy analysis and research
• To assess your application for registration and the status of registration, as well as your provider’s continuing compliance with any ongoing conditions of any subsequent registration
• Using personal information collected to undertake ‘fit and proper person' tests when necessary.

• Article 6(1)(c) – where the processing is necessary for compliance with a legal obligation to which the controller is subject
• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Please refer to the specific privacy notice for further information on the relevant legal obligations and public tasks.

Other than the personal information collected from you directly, we also obtain personal information about you from other sources, if needed, for fit and proper person checks:  

• Government departments or other public sector bodies (such as Companies House or the Insolvency Service)
• Agents or service providers.

We will share your personal information to some other organisations for specific reasons, as explained below:  

• Synectics Solutions Ltd
• Government departments or other public sector bodies
• Agents or service providers

The OfS uses a third party organisation, Synectics Solutions Ltd, to assist with ‘fit and proper person’ checks.

Please refer to the specific privacy notice for further information about how we use Synectics Solutions. We will not disclose your information to any other organisation other than those listed except where required to do so as part of our functions or by law.

We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. 

• For continuing providers, we will retain details of key individuals as long as they are required for the registration process and for a further seven years.
• For deregistered providers, we will retain details of key individuals for seven years following deregistration.
• For unapproved providers, we will retain details of key individuals for seven years following the decision not to register.

After these points, your personal information will be confidentially and securely disposed of.  

We will also keep information published on the Register for as long you are registered. As part of The National Archives fulfilment of the Public Records Act, the published Register will be archived twice a year.

See Synectics Solution’s privacy policy

The specific information held and used

• Title and name
• Work email
• Work telephone number
• Name, email and telephone number of Personal executive assistant (if provided)
• Dietary requirements and access needs where necessary for meetings held in person

As an independent regulator, the OfS needs to communicate regularly with its stakeholders in the higher education sector, government departments and other sector bodies. These stakeholders include chief executive officers of sector bodies that we work with and officers in government departments.

In order to ensure that we can communicate with our stakeholders effectively, the OfS maintains a database of contact information for stakeholders. In addition:

• Processing allows the OfS to inform members about activities, meeting dates and send documents relating to group matters
• To maintain a record of working groups and members involved with student support networks.

Our legal basis for processing your personal information

Our legal basis for holding this information depends on the reasons why we need to contact you:

• GDPR Article 6(1)(e) - We may need to contact you in order to meet our statutory functions as a regulator and because it is necessary to fulfil our public tasks)

Or

• GDPR Article 6(1)(f) - We may have another ‘legitimate interest’ in contacting you, for example if OfS staff are meeting with you, they will have a legitimate need for your contact details in order to arrange the meeting.

We obtain this information directly from stakeholders and their interactions from us.

There will also be circumstances where we need to obtain your contact information from another source, so that we can contact you to meet our public task or a specified legitimate interest. For example, if you have recently joined a sector body that we work with and we do not have your contact details, we may need to obtain your details from a public source, such as your organisation’s website.

Who we share the information with and the reason for this

We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law.

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements.

Board, committee and panel records are retained seven years from date of last document.

A link to a more specific privacy notice (if applicable)

The categories of personal information collected will vary depending on the specific consultation or survey. However, the information needed will include some or all of the following:

• Name
• Email address
• Organisation
• Job role

Demographic data such as:

• Sex
• Age

Special category data such as:  

• Racial or ethnic origin

The specific information collected will be set out in the individual privacy notice for each consultation and survey.

We use personal information about you in order to understand who has responded to the consultation or survey, and respondents’ views with the aim of being able to understand the different perspectives of stakeholders. We may also contact you for any queries relating to your responses.

We may publish a summary of the consultation responses and, in some cases, the responses themselves. The specific information that will be published will be set out in the individual privacy notice for each consultation and survey.

Unless otherwise specified the legal basis for processing your information is Article 6(1)(e) public task. The legal basis for processing your personal information is that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Unless otherwise specified, responses are collected via SmartSurvey. Information collected through SmartSurvey is stored on secure servers in the UK or EU and does not leave Europe at any point. See the SmartSurvey privacy notice

To support the analysis of consultations, we occasionally share the information collected through consultations with external organisations. Unless otherwise specified, analysis is undertaken by Pye Tait Consulting. Read the Pye Tait Consulting privacy notice for further information.

Each consultation and survey will indicate a time period as to how long personal information will be held for. After that point, your personal information will be confidentially and securely disposed of.

A link to a more specific privacy notice or information page (if applicable)

See the SmartSurvey privacy notice

See the Pye Tait Consulting privacy notice

If you choose to attend one of our events, you will be asked for the following:

• Name
• Job title
• Organisation
• Contact details (email address, telephone number and postal address)
• The capacity in which you will attend the event
• How you heard about the event

Our purpose for collecting this information is so that we can manage our conferences and events, including event invitations, acceptances, contact details of invitees and delegates, dietary and access requirements.

We use Eventbrite to manage our conferences and events. If you prefer not to use Eventbrite to respond to a conference or event invitation, you may respond directly using the contact details provided in the invitation.

When you register for an OfS event using an Eventbrite form, you will be presented with a summary of how any personal information submitted will be used. The summary privacy information also includes a link to a more detailed privacy notice.

We usually provide a list of delegates as part of the delegate pack for the conference or event. We will give you an opportunity to indicate if you do not wish your name, job title and institution or organisation to be included on the delegate list.

Our key policy events may have a member of staff taking informal photos of the event, some of which may be published on our social media feeds. Photos will focus on speakers, but delegates may be captured incidentally. If you do not wish to be included in any photos, please make this known to a member of staff at the beginning of the event.

To ensure the effective management and running of OfS events:

• Article 6(1)(f) legitimate interests

Access and dietary requirements:

• Article 9(2)(a) explicit consent

We share information on numbers of delegates as well as access and dietary requirements (where supplied) with the conference venue or other event suppliers but not in way that identifies individuals.

Information about access and dietary requirements - Withdrawal of consent
Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected]

Whether we intend to transfer information to another country

Eventbrite processes data (including any personal data submitted by booking one of our events) in the USA.

Because this means your information will be held outside the UK we have assessed the risks with storing your personal information in this country and are satisfied that it will not be put at any undue risk as a result. The reasons for this are there is an appropriate transfer mechanism in place (Standard Contractual Clauses) and an adequate level of protection for the nature of the personal data to be transferred.  

Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy.

If you prefer not to use Eventbrite for responding to a conference or event invitation, you may respond directly to the OfS by contacting the event organiser using the details provided in the invitation.

How long we will retain your personal data for

We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. The personal information you have submitted will be kept for one month after the event. After that point, your personal information will be confidentially and securely disposed of. Eventbrite keeps registrations indefinitely.

A link to a more specific privacy notice or information page (if applicable)

See Eventbrite’s privacy policy

See OfS events page

The specific personal information held and used

• Name
• Email address
• Job title
• Organisation
• Collecting device and location information
• IP address
• Local IP (IP of device)
• Network type
• Type of microphone (for presenters)
• Data centre
• Collection type (joining and leaving webinar reasons and times)

Our purpose for processing the information

The OfS holds webinars, events, workshops and conferences to promote its work as a regulator and to support its statutory functions.

We usually use Zoom and Microsoft Teams to deliver and manage webinars, allowing participants to log in and attend webinars at the time or view the webinar later.

Our legal basis for using the information

• Article 6(1)(f) - legitimate interests

We have a legitimate interest in collecting your personal information to ensure that the OfS has the necessary information to host webinars effectively, and to also ensure only invited individuals attend webinars or view webinars later.

Any information we obtain from other sources

 We usually use Zoom and Teams to deliver and manage webinars. We also use Teams to host external meetings and events.

On occasion, we use Eventbrite to allow attendees to register for online events we host.

Who we share the information with and the reason for this

• As your personal information will be submitted by registering or logging in to Zoom or Microsoft Teams, any personal information you submit will be stored by, and accessible to, Zoom and Microsoft.
• Zoom and Microsoft process personal data in accordance with their own privacy policies.
• In addition, if you use an Eventbrite form to register for an OfS event hosted on Teams, any personal information submitted in the form will be stored by, and accessible to, Eventbrite.
• Eventbrite processes personal data in accordance with its own privacy policy.

We will not disclose your information to any other organisation except where required to do so as part of our functions or by law.

Whether we intend to transfer to another country

Eventbrite and Zoom are based in the United States. If you choose to register for an event through Eventbrite, any personal information you submit will be transferred to the United States. Zoom, in certain cases, will transfer data to the United States, as well as to other countries outside of the EEA.

How long we will retain your personal data for

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for.

• If you choose to attend a webinar through Zoom or Teams, any personal data processed will be retained for as long as is considered necessary by Zoom or Microsoft, and in accordance with their privacy policies (see relevant links below).
• Your personal information will be stored by the OfS in the European Union/EEA. This means that your personal information is protected under the UK GDPR.
• Cloud recordings are retained for 30 days, and meeting metrics are retained for 12 months.
• If you choose to register for an event through Eventbrite, any personal data processed will also be retained for as long as is considered necessary by Eventbrite, and in accordance with their privacy policy (see relevant link below).

A link to a more specific privacy notice or information page (if applicable)

See Zoom's privacy notice

See the Eventbrite privacy notice

See Microsoft's privacy notice

• Public social media profiles
• Public social media posts
• Username
• Followers/networks
• Online behaviour, for instance likes and re-tweets.

In line with the OfS’s social media strategy and student engagement strategy, the purpose is to use social media to understand what the wider public is saying about the Office for Students and the sentiment and conversations around other topics relevant to students and the higher education sector.

• Article 6(1)(e) – public task

The OfS will not be sharing any personal data, as the data the tool provides is aggregated.

A link to a more specific privacy notice or information page (if applicable)

See the privacy notice for OfS analysis of social media

If you subscribe to our monthly newsletters, alerts, information and updates you will need to provide your name and email address.

We will use your information to send you our monthly newsletters, alerts, information about upcoming events and opportunities to be involved with OfS work.

Article 6(1)(a) - consent (by subscriber)

The OfS uses Mailchimp as our marketing platform. Your personal data will be shared with Mailchimp for processing in accordance with their privacy policy. 

When you subscribe to our newsletter, and any of our alerts or monthly updates, your name and email address will be stored by Mailchimp on servers in the United States.

Whether we intend to transfer to another country

Mailchimp is based in the United States and any personal data submitted when you subscribe will be processed in the United States according to Mailchimp’s own privacy policy.

Data will be held until consent is withdrawn.

See the privacy notice for OfS Student Spotlight alerts

• Name
• Job title
• Personal signature
• Organisation name
• Contact details (email, telephone)

As part of the credit checks (carried out by a third party, see ‘any information we obtain from other sources’), we process the following information of Persons of Significant Control:

• Title
• Name
• Date of birth (month and year)
• Address
• Job title
• Nationality
• Appointment date
• Occupation

• The OfS needs to collect personal data to help us communicate with you as part of the procurement process. We may also need to collect personal data to enable us to perform background checks (such as credit checks) on the bidding organisation, which can be necessary as part of the procurement process.
• The personal data you provide to the OfS as part of the procurement process is necessary to ensure that we are able to undertake the required due diligence processes for bidding organisations.
• We retain any personal data collected through the procurement process to support on-going contract management.

Article 6(1)(e) - public task

Article 6(1)(c) - legal obligation

We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. However, we are required to publish contract award notices on our website. This includes who the contract was awarded to, a contact name, phone number and email address.

How we store your personal data

We use a third-party company, BiP Solutions, for managing and storing procurement records.

Information related to your tender is accessible via a portal (Delta e-sourcing).

We will only retain your personal data for as long as it is necessary to fulfil the purpose it was collected for, including for the purpose to comply with any legal, reporting or accounting requirements.

Contracts not under seal: Seven years from end of contract

Invitation to tender; successful tender documents: Seven years from date of last document

Unsuccessful tender documents; tender evaluation documents: Three years from date of last document

The personal information we will collect and use as part of the application process is:

• Name
• Address
• Telephone number
• Email address
• Qualifications
• Work history

Optional special category data (you can select ‘prefer not to say’ for all these categories):

• Ethnicity
• Disability
• Gender identity
• Religious belief
• Sex
• Sexual orientation
• Unpaid caring responsibilities

If we invite you to an interview, we will ask if you require any reasonable adjustments to be made in relation to the interview process. This information will be held and used separately from the application form. Some roles require you to take an online assessment.

If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks and health questionnaire:

• Name
• Address
• Date of birth
• Proof of identity
• Proof of your qualifications
• Criminal records declaration

Some roles require a higher level of security clearance and, if this is the case, we will let you know.

If we make a final offer, we will also ask for the following:

• Bank details
• Emergency contact details
• NI number
• Any membership of a Civil Service Pension scheme.

We will use your information for the following purposes:

• to process your application
• to invite you to interview (if relevant)
• for referencing, pre-employment checks and onboarding on appointment
• to monitor applicant pools for our equality and diversity data (you may prefer not to supply this data)
• we publish non-identifiable data under our Public Sector Equality Duty
• we are a Disability Confident employer and may ask for certain information to enable us to carry out our responsibilities in this area - for example, making reasonable adjustments for the interview process.

Our hiring managers shortlist applications for interview.

You must successfully complete pre-employment checks to progress to a final offer. We are legally required to confirm your identity and right to work in the UK.

If you choose to supply equality and diversity data, we will not make this information available to any staff outside our recruitment team (including hiring managers) in a way that can identify you. Your application will not be affected if you choose not to supply equality and diversity data.

• Legitimate interests – the OfS has a legitimate interest in processing your personal data to administer and consider your application.
• Explicit consent – for special category data (e.g. ethnicity, gender, disability) should you choose to submit such information.
• Contract – where processing is necessary to perform a contract or take steps, at your request, before entering a contract.
• Legal obligation – for us to establish and record the right to work, security checks, if you provide us with any information about reasonable adjustments so that we can comply with our obligations under the Equality Act 2010.

Other than the personal information collected from you directly, we also obtain personal information about you from other sources:

• Pre-employment checks, including references and DBS check on appointment only.

Other than the organisations listed below, we will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. (In exceptional circumstances, your information may be shared with someone who is not an OfS employee but is working with us to recruit to an OfS role, or a committee or panel.)

• We use Workday Recruiting to manage the application and selection process.

Pre-employment checks:

• DBS checks are carried out for us by Atlantic Data
• We use Maximus Health Management to administer health questionnaires.

Equality and diversity data - withdrawal of consent

Consent must be a clear positive action that you have given your agreement to the use of your personal information, and consent can also be withdrawn at any point if you are no longer happy with the use of your personal information for a specific reason. If you to wish to withdraw consent, please do so by emailing: [email protected] 

Once consent is withdrawn, we will destroy all relevant personal information unless we are relying on a different legal basis to justify keeping your personal information. If that is the case, we will tell you in writing. However, withdrawing your consent does not affect the lawfulness of processing based on consent before you withdrew consent.

Your personal information held on Workday will be stored securely within the European Economic Area (in Ireland and backed up in Germany) and will not be transferred outside that territory unless required by a court order.

The UK has agreed that countries within the EEA provide an equivalent level of safeguards for the processing of personal data.

We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. Unless you are appointed, the personal information you have submitted will be kept for one year after the job has closed. After that point, your personal information will be confidentially and securely disposed of.

Our careers site (Workday) uses strictly necessary cookies to allow the site to function properly and to enable the successful communication between the end-user and the service, as follows:

• Session management cookies - User, device and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session.
• Routing cookies - To forward requests for a single session to the same server for consistency of service. These cookies expire at the end of the session.
• Application Security Management (ASM) cookies - To help protect web applications and infrastructure from security attacks. These cookies expire at the end of the session.

A link to a more specific privacy notice or information page (if applicable)

 Information about the measures that Workday has in place to keep your information secure. See Workday security information

See Atlantic data's privacy statement (DBS checks)

See Maximus health management privacy policy (Health questionnaire)

Information about working for the OfS can be found on our careers page.

Further details about how we process the personal information of our employees is provided in a separate privacy notice.

• Name
• Contact details
• Form of identification (where required)

We use your name and contact details so that we can respond to your request for information.

If you are making a subject access request, we may require identification so that we can verify your identity.

Article 6(1)(c) - compliance with our legal obligations under information rights legislation

We will not routinely share your personal information; however, in some circumstances we may need share your details with third parties so that we can respond to your request.

Information will be kept in line with our retention policy. This means that information related to your request or subsequent appeals will be retained for five years from date created.

See information about making a request

See our Retention Schedules

• Name
• Email address
• Telephone number
• Any other personal information you choose to provide as part of the notification

• A notification is a way for students, staff members or others to let us know about an issue at university or college
• Notifications are sent to us by email
• When we receive a notification, we will review it and we may decide to investigate further, to take regulatory action, or both.

Our legal basis:

• DPA 2018
• GDPR
• Article 6(1)(c) - legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.

When the OfS is obliged to process the personal data to comply with the law:

• Article 6(1)(e) - public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The legal basis for processing your information for notifications is because it is necessary for the performance of the task carried out, in the public interest:

• Article 6(1)(f) - legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

It is not sufficient for the OfS to simply decide that it is a legitimate interest and start processing personal data. We should be able to satisfy a three-part test prior to commencing personal data.

All notifications will be dealt with confidentially and in accordance with the requirements of the DPA 2018 and any subsequent data protection legislation and the Freedom of Information Act 2000. The information will be kept strictly confidential.

We may share information obtained in the course of our review or other activity with other bodies, including:

• The Department for Education
• Providers
• To support Law Enforcement if the complaint relates to a crime or incident
• Advertising Standards Agency
• PSRB – professional statutory or regulatory body.

As stated in the OfS Retention Schedules (May 2021 version):

• Disposal action: Retain permanently

• Name
• Contact details
• Email address
• Any other personal information you choose to provide as part of your complaint.

Where complaints are submitted to us by email at [email protected] or via other routes, we will use and retain the information supplied to us to handle the complaint and any subsequent issues, but also to check on the level of service we provide:

• To enable us to carry out investigations into your complaint
• To provide a response and agree appropriate actions
• To learn from experience to inform change in policy and/or process.

Our complaints process follows and is subject to the Parliamentary and Health Service Ombudsman’s Principles of Good Complaint Handling.

We should act according to our statutory powers and duties as well as follow our own policy and procedural guidance.

The UK GDPR states:

• Article 6(1)(c) - legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.

When the OfS is obliged to process the personal data to comply with the law:

• Article 6(1)(e) - public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

We are required to have a published complaints procedure to enable members of the public who are in receipt of any service to, should they feel their needs are not being met. Therefore, we are carrying out a public task which is carried out in the public interest and is also in the exercise of official authority vested in us as a Public Authority.

The legal basis for processing your information for enquiries is because it is necessary for the performance of the task carried out, in the public interest:

• Article 6(1)(f) - legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

It is not sufficient for the OfS to simply decide that it is a legitimate interest and start processing personal data. We should be able to satisfy a three-part test prior to commencing personal data.

All complaints will be dealt with confidentially and in accordance with the requirements of the DPA 2018 and any subsequent data protection legislation and the Freedom of Information Act 2000.  

Information will be kept strictly confidential. It will be stored in a secure database on the OfS’s computer system.

From time to time we may be asked to share information with other organisations in the event of a complaint about the OfS itself, for example:

• To assist the Parliamentary and Health Service Ombudsman in their work
• To support law enforcement if the complaint relates to a crime or incident.

Information will be kept in line with our retention policy. This means that information related to your complaint or subsequent appeals will be retained for ten years.

The OfS Retention Schedule (May 2021) states:

• Appeals and complaints have a retention period of 10 years
• Disposal action: destroy 10 years from date created.

We routinely collect the following information:

• Name
• Signature
• Organisation
• Vehicle registration

The logbook is used for:

• Maintaining the security of property and premises
• Preventing and investigating crime
• Maintain safety and security of the OfS (and Research England) colleagues, stakeholders and members of the public/visitors
• Issuing visitors with a pass to manage access to the building
• Asking for car registration details to manage use of the car park.

Our legal basis:

• UK DPA 2018
• GDPR
• Article 6(1)(c) - legal obligation: The OfS is obliged to process the personal data to comply with the law
• Article 6(1)(e) - public task: Maintaining security and safety of members of the public and/or for the prevention and detection of crime
• Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security and public health e.g. COVID-19 pandemic
• Article 9(2)(a) - explicit consent: an unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her
• For the interest of public safety: The Law Enforcement Directive (LED). This empowers the Police to process personal data for the purposes of preventing, detecting and investigating crime.

We also need to consider our obligations in relation to the following:

• Freedom of Information Act 2000
• Human Rights Act 1998

Any information we obtain from other sources

Images captured using CCTV: static or moving imagery is recorded of those who visit the OfS building and staff.

The facilities management team will maintain and operate procedures relating to the logbook, to ensure the OfS performs in accordance with legislation.  

The lawful justification for collecting personal data by way of a logbook is that there are legitimate reasons to do so. The information may be handled and used by the following recipients to maintain a safe, secure, efficient and compliant environment for our colleagues, stakeholders and members of the public:

• OfS personnel
• Local authorities
• Police/law enforcement
• Fire and rescue services.

The data obtained through the logbook may be shared with third parties such as the police and local authorities. They may use this information for investigating and/or detecting crime. These arrangements are covered by information sharing agreements and legislation, as mentioned above.

Images captured using CCTV: static or moving imagery.   

We may process special category data.

To ensure we do not breach privacy law, all CCTV cameras are focused on OfS property.

All recorded images can be found on viewing monitors, locked in a server room and can only be viewed by authorised staff.

CCTV does have the ability to record sound although this function is currently switched off.

CCTV is used for:

• Maintaining the security of property and premises
• Preventing and investigating crime
• Maintaining the safety and security of OfS (and Research England) colleagues, stakeholders and members of the public/visitors.

Our legal basis:

• UK DPA 2018
• GDPR
  • Article 6(1)(c) - legal obligation: The OfS is obliged to process personal data to comply with the law.
  • Article 6(1)(e) - public task: Maintaining security and safety of members of the public and/or for the prevention and detection of crime.
  • Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security.
• The Law Enforcement Directive (LED). For the interest of public safety, we must ensure we process personal data for security purposes. The information also empowers the police to process personal data for the purposes of preventing, detecting and investigating crime.

We also need to consider our obligations in relation to the following:

• Freedom of Information Act 2000
• Protection of Freedoms Act (has an important role in regulating surveillance systems, creating the role of the Surveillance Camera Commissioner with which the ICO has a memorandum of understanding to ensure effective cooperation). It also provides advice and guidance on issues such as operational requirements, technical standards and the effectiveness of the systems available.
• Human Rights Act 1998
• Surveillance Camera Code of Practice (issued under the Protection of Freedoms Act).

Any information we obtain from other sources

The visitors' logbook: a register (of personal data) of those who visit the OfS building and staff.

The facilities management team will maintain and operate procedures intended to implement the CCTV policy. These procedures will ensure the CCTV system will be operated in accordance with legislation. 

The lawful justification for collecting and using CCTV imagery is that there are legitimate reasons to do so. CCTV imagery may be handled and used by the following recipients to maintain a safe, secure, efficient and compliant environment for our colleagues, stakeholders and members of the public:

• OfS personnel
• Local authorities
• Police/law enforcement
• Fire and rescue services
• Insurance companies (only when authorised).

Our camera infrastructure is shared with third parties such as the police and local authorities. They may take control of cameras and use them for security or crime prevention activities. These arrangements are covered by information sharing agreements and legislation as mentioned above.

The system overwrites itself. This means that CCTV images will typically be kept for up to 6-8 weeks.

See the OfS CCTV policy

The specific information held and used

• Staff name

• Work number

• Work email

• Car registration

• Organisation

The OfS currently manages the Bristol office car park for OfS and Research England staff, using a vehicle register, which lists all vehicles, and vehicle passes.

The vehicle passes for OfS vehicles will be placed on vehicle windscreens, and will contain the extension number to call by staff who block in the vehicle during busy car parking times (referred to as double parking).

Facilities Management will inform Research England drivers if they are blocked in by another vehicle.

Our legal basis for processing your personal information

Our legal basis:

• UK DPA 2018
• GDPR
  • Article 6(1)(f) - legitimate interest: Processing personal data is a legitimate interest of OfS and/or public security.

Email addresses, and work numbers from OfS Outlook

Who we share the information with and the reason for this

The Facilities Management team will maintain and operate the vehicle register and vehicle passes.

The lawful justification for collecting and using vehicle information is that there are legitimate reasons to do so. This information may be handled and used by the following recipients to maintain a safe, secure, efficient, and compliant environment for our colleagues, stakeholders and members of the public:

• OfS and Research England personnel
• Local authorities
• Police/law enforcement
• Fire and rescue services

Insurance companies (only when authorised).

For the duration of time the staff member works for the OfS or Research England.