Privacy notice for current students

Data use for 2020 online graduation celebrations

The global COVID-19 pandemic means that the University will not be able to host graduation ceremonies as it has done in the past. However, we want to make things as special as we possibly can for all our graduating students. In July we will have a virtual celebration on-line.  We have appointed a company called StageClip who will design a virtual graduation ceremony.  The University will continue to be the Data Controller. StageClip will be our data processor and you can see what they do with your data in their privacy notice. Here is a summary of what will be involved.

  • Each celebration will stream live on You Tube Premium and the recording will be published and can be viewed online for 13 months (students will have an opt in/out option). Ownership of the celebration will then return to the University.
  • The University will publish the name and award of each graduating student in the online celebration (please tell us if you wish to opt out of this).  
  • Students can upload and share a short statement, photo and/or video (up to 10 seconds) to be shown in the celebration with your fellow graduates. Afterwards, students can also download their contribution to share online with family, friends and potential employers.
  • The University may moderate and edit content where necessary in line with the University Values and to ensure that the event runs to time.
  • The University will reuse extracts of recordings to promote the Watt Club and the University and may select some recordings for our permanent Archive of University life in these unprecedented times.

If you have any questions about how Heriot-Watt University will use your personal information you can find out more by reading our privacy notice for alumni or contacting

How we use your data

We could not exercise our responsibilities and fulfil our education, training and support obligations to you without collecting, holding and using your personal data. This guide explains what we do with your personal information and why. When you use specific University services, like our careers service, we will give you further information at that time.

This page provides information on:

  • Who the Data Controller is
  • Why we collect and use your personal data
  • Who your information may be shared with and why?
  • International data transfers?
  • Automated decision making
  • How long we keep your personal data?
Who is the Data Controller

Heriot-Watt University is the Data Controller for personal data we hold about you. Where we use the term ‘our University’, this includes all members of the Heriot-Watt University Group. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulations and other privacy laws, such as the Malaysia Personal Data Protection Act, 2010, that apply in the countries in which the University operates. Heriot-Watt University Student Union is a data controller in its own right. You can read the Student Union Privacy Policy.

What personal information we collect and use

We collect and hold personal information in all formats for the purposes set out in this guide:

  • Personal and family details
  • Lifestyle and social circumstances
  • Education and student records
  • Relevant employment details 
  • Financial information
  • Disciplinary and attendence records
  • Goods and services provided
  • Visual images, personal appearance and behaviour

Where this is necessary to meet a legal obligation, or with your consent, we may also process sensitive information, also know as special categories of data, which may include:

  • Racial or ethnic origin
  • Trades Union membership
  • Religious or other similar beliefs
  • Physical or mental health details
  • Sexual life
  • Offences and alleged offences
  • Criminal proceedings, outcomes and sentences
Why we collect and use your personal data

For academic purposes: to provide you with teaching, learning and support services, assess your work, record your progress and confer awards

What's our legal basis?

  • For most of these activities the University Charter and Statutes gives us legal authority to process your personal data where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University as Data Controller;
  • If you use optional free services like careers advice you can opt into these and withdraw your consent to them at any time.

If you have applied to us through the Universities and Colleges Admissions Service (UCAS), a partner institution or one of our agents we will have received the information that you have provided to these bodies.

We collect and use your information to:

  • Enrol you as a student
  • Administer our programmes of study and research and associated funding and fee arrangements
  • Monitor performance and attendance, supervise, conduct assessments and examinations, confer and provide confirmation of awards
  • To give you access to student support, accommodation, IT, library, careers, mentoring, social, sport, catering, archive, on-line course materials and forums, and other services to the University community
  • Deal with appeals, complaints and disciplinary matters promptly and fairly
  • Provide academic guidance and enable you to communicate with staff, your student representative and fellow students on your programme of study
  • Seek your feedback on our programmes and facilities

For administrative and financial management purposes: to administer fees and paid-for services

What's our legal basis? If you pay fees or use paid for services like accommodation, catering and sports and exercise services we need to process your data to fulfil a contract you have entered into with us.

These may include:

  • Fees and payments
  • Accommodation services
  • Graphics and printing services
  • Catering services
  • Club and facility memberships
  • Disciplinary fines

To meet our duty of care to you and our legal obligations

What's our legal basis?

  • Comply with a legal obligation
  • Protect vital interests in an emergency
  • Exercise or defend legal claims or comply with court judgements
  • Provide medical and health services
  • Protect public health

Where this is necessary:

  • To meet our legal duty of care to you under health and safety and safeguarding laws
  • To provide counselling and health services
  • To protect your vital interests or someone else’s in, for example, a medical emergency
  • To comply with a statutory obligation, for example under tax or immigration law
  • To meet our obligations under equality law. Under the UK Equality Act 2010, we need to collect sensitive personal data about our applicants and students on UK campuses to assist with monitoring equality of opportunity and eliminating unlawful discrimination. We hold this information in strictest confidence and only disclose it, again in confidence, to bodies with a statutory duty to collect it, like the Higher Education Statistics Agency (HESA). You can choose whether you want to provide information for this purpose. If a student or applicant declares that they have a disability, we have a duty to disclose this information on a need-to-know basis to staff to ensure that reasonable adjustments are made, enabling disabled students to meet their full academic potential

For public safety and the prevention and detection of crime

What's our legal basis?

  • Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security

Processing for these purposes includes:

  • Use of CCTV systems to monitor and collect visual images
  • Monitoring use of IT facilities
  • Applying security, welfare and other procedural measures where necessary for the safety and security of students and the wider University community under health and safety and other relevant laws

To promote the University Group

What's our legal basis?

  • Where we have your consent
  • Where necessary for archiving purposes in the public interest

We may take photographs, and other images and recordings of students for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of promotional material in the University Archive as a record of University life down the years.

For alumni engagement

What's our legal basis?

  • For alumni engagement, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller
  • For marketing and fundraising, only where we have your consent
  • Where necessary for archiving purposes in the public interest

Our University Charter and Statutes give us a positive duty to engage with our alumni and enable them to exercise their rights to be members of our graduates' association, the Watt Club. We will send electronic communications for marketing and fundraising purposes to alumni only with their individual consent. You can read more about the privacy notice for alumni. We keep records of Watt Club activities in the University Archive as a record of University life down the years.

For archiving and research

What's our legal basis?

  • Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

While always protecting your rights to privacy we will:

  • Keep a permanent archival record of your time studying with us
  • Retain copies of promotional material and other records of University community life that may include images and other data about students and alumni
  • Support academic research under strict confidentiality
  • Produce management and statistical information to monitor and improve our performance and our services to you and inform strategic planning, e.g. for recruitment
Who your information may be shared with and why

We may publish or share your personal data only where we have your consent or where one of the following conditions are met.

We may appoint people and organisations to work for us and contract with them to act as data processors on our behalf for any of the above purposes. Examples include training, setting and administering examinations, payment and debt collection services, plagiarism detection systems, provision of email and other IT services, e-book platform providers, hosting communications services, IT systems maintenance, safety and incident management systems.

We will also disclose limited personal data where this is necessary for the following reasons:

For academic purposes:

  • With a partner institution to deliver a programme collaboratively or jointly between the University and the partner institution. For example, an Approved Learning Partner (ALP)
  • With our external examiners: to check that our assessment of your work is fair
  • For official independant assessment of our programmes, for example by the QAA

and to:

  • Verify your attendance and qualifications, for example in a reference for a potential employer or agency, or using the Higher Education Degree Datacheck (Hedd) online service
  • Confirm your attendance, progress and assessment marks to your sponsor or the institution through which you are studying (if this is not Heriot-Watt University)
  • Arrange a suitable industrial placement if this is part of your course
  • Administer your right to be a member of the Heriot-Watt University Student Union and vote in its elections (UK on-campus students)
  • Publicise your award in our graduation programme and in the list of awards we provide in press releases to news media and your previous school or college. You have the right to opt out of this
  • Enable you to participate in the National Student Survey, the International Student Barometer or other official surveys that give us your feedback on our academic quality and your student experience

If you have taken part in the Lothians Equal Access Programme for Schools (LEAPS), which provides advice and support to help eligible students to enter higher education, we may share limited information with LEAPS about your progress and outcome of your studies, in order to improve the LEAPS service for future participants.

To meet our legal obligations to you and other organisation

We will:

  • Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s, for example in a medical emergency
  • Submit statistical returns to the government or its agencies, including the Scottish Funding Council, and other official bodies, such as the Higher Education Statistics Agency (HESA). This may include sensitive data for equality monitoring purposes. You can find a copy of the HESA Data collection notice
  • Inform the Joint Information Systems Committee (JISC) that you are a student, to allow you to participate in the use of JISC software
  • Meet a statutory or regulatory obligation, for example a court order
  • Confirm fee payments you may make using our online payment service provider Confirm your eligibility for tuition fee funding with agencies including the Student Awards Agency for Scotland (SAAS), the Student Loans Company or your sponsor
  • Disclose the contact details of UK campus students who may be eligible to vote to the Electoral Registration Office, in order to contact them to encourage them to register to vote
  • Provide information to local councils for exemption of Council Tax (if you are in the UK)
  • Comply with immigration laws. This involves disclosure and data sharing with UK Visas and Immigration; about applicants and students to UK campuses who are subject to immigration law and about students and applicants to our Dubai and Malaysia campuses to the relevant government authorities
  • Provide limited information necessary to an organisation with a statutory function, such as the police, where this is necessary for law enforcement
International data transfers

As a global organisation we need to process your personal information in a country other than the one you are studying in, when this is necessary to provide you with academic and support services, meet a legal obligation, fulfil a contract with you, or we have your consent. For example if you apply to Go Global or another exchange programme, staff at the campus or institution you are applying to will need to process your data. If you are studying on our Dubai or Malaysia campus, with one of our international partners or by Independent Distance Learning, staff at our UK campuses will need to process your data to administer your studies.

When doing so, we will:

  • Make sure that appropriate safeguards are in place to protect your information and your rights under privacy law
  • Apply the same high standards of privacy and security wherever we process your data
Automated decision making

We do not take any decisions about you that would affect your studies based solely on automated processing or profiling.

How long we keep your personal data

We keep information about you only for as long as needed to provide you with academic and support services and meet our legal obligations and rights. Almost all your personal data is destroyed securely 6 years after you leave the University. We keep a limited permanent record of your attendance, what you studied and your award so that we can verify this as needed and for archival purposes. If you stay in touch with us as a member of the Watt Club, our alumni association, we will keep your contact details and other information that you share with us up to date. More information about how long we keep your personal data and why is here.


Your rights

You have the right to:

  • Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request. We may make a charge for additional copies of the same information
  • Ask us to correct inaccurate or incomplete data

If you think we are acting unfairly or unlawfully you can:

Under certain conditions you also have the right to ask us to:

  • Restrict the use of your data, for example if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns
  • Erase your information or tell us to stop using it to make decisions about you
  • Comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing
  • Provide you with a portable electronic copy of data you’ve given us

Data Protection Officer and contact details

If you have any questions about what we do with your personal information or your rights under privacy laws, you can contact us at the addresses below:

Find out more about your rights under privacy law

In our Data Protection Policy and our webpages

Find out about our Information Security policies and procedures.

On the website of the UK Information Commissioner’s Office

Key information

Ann Jones