Privacy notice for current students

We could not exercise our responsibilities and fulfil our education, training and support obligations to you without collecting, holding and using your personal data. This guide explains what we do with your personal information and why. When you use specific University services, like our careers service, we will give you further information at that time.

This page provides information on:

  • Who the Data Controller is
  • Why we collect and use your personal data
  • Who your information may be shared with and why
  • International data transfers
  • Automated decision making
  • How long we keep your personal data

Who is the Data Controller

Heriot-Watt University is the Data Controller for personal data we hold about you. Where we use the term ‘our University’, this includes all members of the Heriot-Watt University Group. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulations and other privacy laws, such as the Malaysia Personal Data Protection Act, 2010, that apply in the countries in which the University operates. Heriot-Watt University Student Union is a data controller in its own right. You can read the Student Union Privacy Policy.

What personal information we collect and use

We collect and hold personal information in all formats for the purposes set out in this guide:

  • Personal and family details
  • Lifestyle and social circumstances
  • Education and student records
  • Relevant employment details 
  • Financial information
  • Disciplinary and attendance records
  • Goods and services provided
  • Visual images, personal appearance and behaviour

Where this is necessary to meet a legal obligation, or with your consent, we may also process sensitive information, also known as special categories of data, which may include:

  • Racial or ethnic origin
  • Trades Union membership
  • Religious or other similar beliefs
  • Physical or mental health details
  • Sexual life
  • Offences and alleged offences
  • Criminal proceedings, outcomes and sentences

Why we collect and use your personal data

For academic purposes: to provide you with teaching, learning and support services, assess your work, record your progress and confer awards

What's our legal basis?

  • For most of these activities the University Charter and Statutes give us legal authority to process your personal data where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University as Data Controller;
  • If you use optional free services like careers advice you can opt into these and withdraw your consent to them at any time.

If you have applied to us through the Universities and Colleges Admissions Service (UCAS), a partner institution or one of our agents we will have received the information that you have provided to these bodies.

We collect and use your information to:

  • Enrol you as a student
  • Administer our programmes of study and research and associated funding and fee arrangements
  • Monitor performance and attendance, supervise, conduct assessments and examinations, confer and provide confirmation of awards
  • Give you access to student support, accommodation, IT, library, careers, mentoring, social, sport, catering, archive, on-line course materials and forums, and other services to the University community
  • Deal with appeals, complaints and disciplinary matters promptly and fairly
  • Provide academic guidance and enable you to communicate with staff, your student representative and fellow students on your programme of study
  • Seek your feedback on our programmes and facilities

For administrative and financial management purposes: to administer fees and paid-for services

What's our legal basis? If you pay fees or use paid-for services like accommodation, catering and sports and exercise services, we need to process your data to fulfil a contract you have entered into with us.

These may include:

  • Fees and payments
  • Accommodation services
  • Graphics and printing services
  • Catering services
  • Club and facility memberships
  • Disciplinary fines

To meet our duty of care to you and our legal obligations

What's our legal basis?

  • Comply with a legal obligation
  • Protect vital interests in an emergency
  • Exercise or defend legal claims or comply with court judgements
  • Provide medical and health services
  • Protect public health

Where this is necessary:

  • To meet our legal duty of care to you under health and safety and safeguarding laws
  • To provide counselling and health services
  • To protect your vital interests or someone else’s in, for example, a medical emergency
  • To comply with a statutory obligation, for example under tax or immigration law
  • To meet our obligations under equality law. Under the UK Equality Act 2010, we need to collect sensitive personal data about our applicants and students on UK campuses to assist with monitoring equality of opportunity and eliminating unlawful discrimination. We hold this information in strictest confidence and only disclose it, again in confidence, to bodies with a statutory duty to collect it, like the Higher Education Statistics Agency (HESA). You can choose whether you want to provide information for this purpose. If a student or applicant declares that they have a disability, we have a duty to disclose this information on a need-to-know basis to staff to ensure that reasonable adjustments are made, enabling disabled students to meet their full academic potential

For public safety and the prevention and detection of crime

What's our legal basis?

  • Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security

Processing for these purposes includes:

  • Use of CCTV systems to monitor and collect visual images
  • Monitoring use of IT facilities
  • Applying security, welfare and other procedural measures where necessary for the safety and security of students and the wider University community under health and safety and other relevant laws

To promote the University Group

What's our legal basis?

  • Where we have your consent
  • Where necessary for archiving purposes in the public interest

We may take photographs, and other images and recordings of students for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of promotional material in the University Archive as a record of University life down the years.

For alumni engagement

What's our legal basis?

  • For alumni engagement, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller
  • For marketing and fundraising, only where we have your consent
  • Where necessary for archiving purposes in the public interest

Our University Charter and Statutes give us a positive duty to engage with our alumni and enable them to exercise their rights to be members of our graduates' association, the Watt Club. We will send electronic communications for marketing and fundraising purposes to alumni only with their individual consent. You can read more about the privacy notice for alumni. We keep records of Watt Club activities in the University Archive as a record of University life down the years.

For archiving and research

What's our legal basis?

  • Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

While always protecting your rights to privacy we will:

  • Keep a permanent archival record of your time studying with us
  • Retain copies of promotional material and other records of University community life that may include images and other data about students and alumni
  • Support academic research under strict confidentiality
  • Produce management and statistical information to monitor and improve our performance and our services to you and inform strategic planning, e.g. for recruitment

Who your information may be shared with and why

We may publish or share your personal data only where we have your consent or where one of the following conditions is met.

We may appoint people and organisations to work for us and contract with them to act as data processors on our behalf for any of the above purposes. Examples include training, setting and administering examinations, payment and debt collection services, plagiarism detection systems, provision of email and other IT services, e-book platform providers, hosting communications services, IT systems maintenance, safety and incident management systems.

We will also disclose limited personal data where this is necessary for the following reasons:

For academic purposes:

  • With a partner institution to deliver a programme collaboratively or jointly between the University and the partner institution. For example, an Approved Learning Partner (ALP)
  • With our external examiners: to check that our assessment of your work is fair
  • For official independent assessment of our programmes, for example by the QAA

and to:

  • Verify your attendance and qualifications, for example in a reference for a potential employer or agency, or using the Higher Education Degree Datacheck (Hedd) online service
  • Confirm your attendance, progress and assessment marks to your sponsor or the institution through which you are studying (if this is not Heriot-Watt University)
  • Arrange a suitable industrial placement if this is part of your course
  • Administer your right to be a member of the Heriot-Watt University Student Union and vote in its elections (UK on-campus students)
  • Publicise your award in our graduation programme and in the list of awards we provide in press releases to news media and your previous school or college. You have the right to opt out of this
  • Enable you to participate in the National Student Survey, the International Student Barometer or other official surveys that give us your feedback on our academic quality and your student experience

If you have taken part in the Lothians Equal Access Programme for Schools (LEAPS), which provides advice and support to help eligible students to enter higher education, we may share limited information with LEAPS about your progress and outcome of your studies, in order to improve the LEAPS service for future participants.

To meet our legal obligations to you and other organisations

We will:

  • Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s, for example in a medical emergency
  • Submit statistical returns to the government or its agencies, including the Scottish Funding Council, and other official bodies, such as the Higher Education Statistics Agency (HESA). This may include sensitive data for equality monitoring purposes. You can find a copy of the HESA Data collection notice
  • Inform the Joint Information Systems Committee (JISC) that you are a student, to allow you to participate in the use of JISC software
  • Meet a statutory or regulatory obligation, for example a court order
  • Confirm fee payments you may make using our online payment service provider
  • Confirm your eligibility for tuition fee funding with agencies including the Student Awards Agency for Scotland (SAAS), the Student Loans Company or your sponsor
  • Disclose the contact details of UK campus students who may be eligible to vote to the Electoral Registration Office, in order to contact them to encourage them to register to vote
  • Provide information to local councils for exemption of Council Tax (if you are in the UK)
  • Comply with immigration laws. This involves disclosure and data sharing with UK Visas and Immigration about applicants and students to UK campuses who are subject to immigration law, and with the relevant government authorities about students and applicants to our Dubai and Malaysia campuses
  • Provide limited information necessary to an organisation with a statutory function, such as the police, where this is necessary for law enforcement

Graduate Apprentices Data Sharing with Employers 

The employer – University – student dynamic is a key part of the Graduate Apprenticeship process. To facilitate this the University needs to share personal data with the employer in a variety of scenarios to ensure that the student is supported through the programme.  

Data is only shared if the employer is providing the student with 20% of working time for learning as well as a work-based mentor who supports the student.  

The data sharing set out below will normally take place over email.  

Routine Sharing  

Heriot-Watt will share a progress report on a semesterly basis with employers which will include (or be based upon) the following data:

  • Student name 
  • The Student’s engagement with the GA Programme (which may include attendance data), and the student’s performance and progress (which may include assessments).

Non-routine Sharing

In certain situations Heriot-Watt will contact an employer and share performance-related data if they have concerns about the student. In all instances we would try and contact the student at the details provided for their place of employment before contacting the employer. The sort of situations this would occur in are outlined below:

  • Student is not responding to emails from their personal tutor for a period of 2 weeks when no absence is planned or exceptional circumstances have been shared with the University;
  • If the Student has shown insufficient engagement with the Programme for a period of at least four weeks when no exceptional circumstance has been shared with the University.

Any major (non-academic) or Category A and B academic disciplinary proceedings that a student is involved in will also be shared with the employer.

Lawful basis  

Our legal basis for sharing data is:

  • Performance of contract  
  • The performance of a task carried out in the public interest or in the exercise of official authority vested in the University. 

International data transfers

As a global organisation we need to process your personal information in a country other than the one you are studying in, when this is necessary to provide you with academic and support services, meet a legal obligation, fulfil a contract with you, or we have your consent. For example if you apply to Go Global or another exchange programme, staff at the campus or institution you are applying to will need to process your data. If you are studying on our Dubai or Malaysia campus, with one of our international partners or by Independent Distance Learning, staff at our UK campuses will need to process your data to administer your studies.

When doing so, we will:

  • Make sure that appropriate safeguards are in place to protect your information and your rights under privacy law
  • Apply the same high standards of privacy and security wherever we process your data

Automated decision making

We do not take any decisions about you that would affect your studies based solely on automated processing or profiling.

How long we keep your personal data

We keep information about you only for as long as needed to provide you with academic and support services and meet our legal obligations and rights. Almost all your personal data is destroyed securely 6 years after you leave the University. We keep a limited permanent record of your attendance, what you studied and your award so that we can verify this as needed and for archival purposes. If you stay in touch with us as a member of the Watt Club, our alumni association, we will keep your contact details and other information that you share with us up to date. More information about how long we keep your personal data and why is here.

Your rights

You have the right to:

  • Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request. We may make a charge for additional copies of the same information
  • Ask us to correct inaccurate or incomplete data

If you think we are acting unfairly or unlawfully you can:

Under certain conditions you also have the right to ask us to:

  • Restrict the use of your data, for example if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns
  • Erase your information or tell us to stop using it to make decisions about you
  • Comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing
  • Provide you with a portable electronic copy of data you’ve given us

Data Protection Officer and contact details

If you have any questions about what we do with your personal information or your rights under privacy laws, you can contact us at the addresses below:

Find out more about your rights under privacy law

In our Data Protection Policy and our webpages

Find out about our Information Security policies and procedures.

On the website of the UK Information Commissioner’s Office

Key information

Ann Jones

Data Protection