Privacy notice for prospective students


This guide is for prospective students, applicants and their families. In order to respond to your enquiries about the University and process your application to study with us, we need to collect, hold and use your personal information. This guide explains what we do with your data and why. If you go on to enrol as a student with us, you can find further information.

This page provides you with information on:

Who is the Data Controller

Heriot-Watt University is the Data Controller for personal data we hold about you. 

Where we use the term ‘University’, this includes all members of the Heriot-Watt University Group. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulation and other privacy laws, such as the Malaysia Personal Data Protection Act, 2010, that apply in the countries in which the University operates.

What personal information do we collect and use

If you are interested in studying with us
We may collect and hold some or all of the following personal information to answer your enquiries and help you decide if you would like to study with us:
  • Personal and family details including date of birth and contact information;
  • Your enquiries about the University
  • Attendance at open days on campus or participation in online chat rooms and social media events
  • Any goods or services provided e.g. catering at open days
  • Visual images, personal appearance and behaviour if captured on CCTV or film at open days and events on our campuses
  • Any information you choose to give us about your personal circumstances that may be relevant to your enquiry or application; this may include your interests, educational background, any dietary, health, welfare or access needs; this may include sensitive personal data
  • If you visit our website we may use cookies to store information about your visit to recognise your preferences, track progress through online applications and make content and our online advertisements more relevant to you. More information about our use of cookies

If you apply to study with us

In addition to the above information we also need to collect and hold the following personal information for the purposes set out in this guide:

  • Education and student records including transcripts, examination certificates and references
  • Any relevant employment details
  • Financial information; eligibility for fees and financial support
  • Nationality

We may also need to process sensitive information, also known as special categories of data, where this is necessary:

  • To accommodate a special need you have disclosed to us such as dietary requirements or a disability
  • To meet a legal obligation such as immigration, health and safety law
  • For monitoring our compliance with equality law, only for applicants to UK courses, and where we have your consent

This data may include:

  • Racial or ethnic origin
  • Religious or other similar beliefs
  • Physical or mental health details
  • Offences and alleged offences
  • Criminal proceedings, outcomes and sentences
  • Sexual life

Why we collect and use personal data

For each purpose we will need to explain our legal basis for using your data. The ‘legal basis’ means the conditions set out by law under which we will process your personal data.
1.  For student recruitment purposes: to tell you about our programmes and courses, answer your queries and invite you to study with us
What's our legal basis?
  • Where we have your consent. You can withdraw your consent at any time
  • Where we need to take steps at your request prior to entering into a contract, if you apply to any of our programmes or are considering purchasing one of our online distance learning courses
2.  For student admission purposes: to consider your application to study with us
What's our legal basis?
  • For academic purposes, the University Charter and Statutes gives us legal authority to process your data where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University  as the Data Controller 
  • To fulfil our contract with you, if you have purchased one of our online distance learning courses

If you apply to us through the Universities and Colleges Admissions Service (UCAS), a partner institution, like one of our international learning partners or one of our agents, we will receive the information that you have provided to these bodies.

We collect and use your information to:

  • Consider and respond to your application and enrol you as a student if you are successful
  • Contact you about an incomplete application
  • Give you access to services on-campus and/or online
  • Seek your feedback on our programmes and facilities Give access to distance learning courses
  • Process scholarship applications

3.  For administrative and financial management purposes: to administer fees and paid-for services

What's our legal basis?

  • If you pay fees for any of our services or the use of our facilities we need to process your data to fulfil a contract you have entered into with us

4.  To meet our duty of care to you and our legal obligations when you visit one of our campuses

What's our legal basis? Where this is necessary to:

  • Comply with a legal obligation
  • Protect vital interests in an emergency
  • Exercise or defend legal claims or comply with court judgements
  • Provide medical and health services
  • Protect public health

We collect and use your information to:

  • To meet our legal duty of care to you under health and safety and safeguarding laws
  • To protect your vital interests or someone else’s e.g. in a medical emergency
  • To comply with a statutory obligation e.g. under tax or immigration law To meet our obligations under equality law. Under the UK Equality Act 2010, we need to collect sensitive personal data about our applicants and students on UK campuses to assist with monitoring equality of opportunity and eliminating unlawful discrimination. We hold this information in strictest confidence and only disclose it, again in confidence, to bodies with a statutory duty to collect it, like HESA. You can choose whether you want to provide information for this purpose. If a student or applicant declares that they have a disability, we have a duty to disclose this information on a need-to-know basis to staff to ensure that reasonable adjustments are made, enabling disabled students to meet their full academic potential.

5. For public safety and the prevention and detection of crime

What's our legal basis?

  • Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security

Processing for these purposes includes:

  • Use of CCTV systems to monitor and collect visual images
  • Monitoring use of IT facilities
  • Applying security, welfare and other procedural measures where necessary for the safety and security of visitors, students and the wider University community under health and safety and other relevant laws.

6.  To promote the University Group

What's our legal basis? Where we have your consent

  • Where necessary for archiving purposes in the public interest.

We may take photographs, and other images and recordings of open days, recruitment fairs and other University activities for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of some promotional material in the University Archive as a record of University life down the years.

7.  For archiving and research

What's our legal basis?

  • Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

While always protecting your rights to privacy we may:

  • Retain copies of promotional material and other records of University community life that may include images and other data about prospective students and other visitors
  • Produce management and statistical information to monitor and improve our performance and our services to you and inform strategic planning, e.g. for recruitment; or for academic research. Wherever possible we will anonymise this information and will maintain strict confidentiality of any statistical data that could potentially identify individuals. We will not use this data to take measures or decisions that could affect you

Who your information may be shared with and why

We may publish or share your personal data only where we have your consent or where one of the following conditions are met.
We may appoint people and organisations and contract with them to act as data processors on our behalf for any of the above purposes. Examples include student recruitment agents, payment and debt collection services, provision of IT services, hosting communications services, IT and systems maintenance, safety and incident management systems.
We will also disclose or exchange limited personal data where this is necessary for the following reasons:
1.  For recruitment and admissions purposes
  • Recruit students to a programme or course via a recruitment agent or regional manager
  • Recruit students to a programme or course managed collaboratively or jointly between the University and a partner institution, such as an approved learning partner or collaborative partner (information about our partners is available)
  • Confirm your attendance, progress and attainment at your current or previous place of study
  • Verify your academic qualifications, and to obtain references
  • Confirm your sponsorship status of funding arrangements where relevant

If you have taken part in one of our widening access programmes such as the Lothians Equal Access Programme for Schools (LEAPS) or the Scottish Wider Access Programme (SWAP) which provide advice and support to help eligible students to enter Higher Education, we may share limited information with such organisations about your progress and outcome of your studies, in order to improve services for future participants.

2.  To meet our legal obligation to you and other organisaitions, we will:

  • Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s e.g. in a medical emergency
  • Submit statistical returns to governments or their agencies, such as the Scottish Funding Council, and other official bodies, such as the Higher Education Statistics Agency (HESA). This may include sensitive data for equality monitoring purposes. You can find a copy of the HESA Data collection notice
  • Meet a statutory or regulatory obligation, e.g. a court order
  • Confirm your eligibility for tuition fee funding with agencies including the Student Awards Agency for Scotland, the Student Loans Company or your sponsor
  • Comply with immigration laws. This involves disclosure and data sharing with UK Visas and Immigration; about applicants and students to UK campuses who are subject to immigration law and about students and applicants to our Dubai and Malaysia campuses to the relevant government authorities
  • Provide limited information necessary to an organisation with a statutory function, such as the police, where this is necessary for law enforcement

International data transfers

As a global organisation we may need to process your personal information in a country other than the one you in, when this is necessary to answer your enquiries or process your application, to meet a legal obligation, fulfil a contract with you, or we have your consent. For example if you ask us about or apply to programmes at a particular campus or partner organisation, staff at that campus or institution will need to process your data. If you apply to study on our Dubai or Malaysia campus, with one of our international partners or by Independent Distance Learning, staff at our UK campuses will also need to process your application. When doing so:
  • Make sure that appropriate safeguards are in place to protect your information and your rights under privacy law
  • Apply the same high standards of privacy and security wherever we process your data

Automated decision making

We do not take any decisions about you that would affect your studies based solely on automated processing or profiling.

How long we keep your personal data

We keep information about you only for as long as:
  • You would like us to keep in touch with you if you are thinking about studying with us
  • We need to consider and respond to your application and comply with our legal and audit obligations

Our arrangements for keeping your personal data are as follows:

  • If you do not apply or enrol with us we will normally destroy your personal data securely a maximum of two years after you last contacted us
  • If you apply to us but do not enrol with us we will destroy your data within one year of the end of the academic year for which you applied
  • If you enrol with us we will use the information you have provided as the basis of your student record

More information about how long and why we keep your personal data.

Your rights

You have the right to:

  • Ask us to stop sending you information about the University if you don’t want to apply to us. You can do this any time by clicking the unsubscribe button at the end of our emails or contacting us using the details below
  • Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request. We may make a charge for additional copies of the same information;
  • Ask us to correct inaccurate or incomplete data.

If you think we are acting unfairly or unlawfully you can:

Under certain conditions you also have the right to ask us to:

  • Restrict the use of your data e.g. if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns;
  • Erase your information or tell us to stop using it to make decisions about you; 
  • Comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing;
  • Provide you with a portable electronic copy of data you’ve given us.

Key information

Ann Jones

Data Protection