General Data Protection Regulation (GDPR) – what does it mean for UCAS registered centres?

Posted Wed 18 April 2018 - 15:31

What is the GDPR?

The GDPR will affect how organisations collect and use personal data, and will apply directly to registered centres in the same way as existing data protection legislation does. It will be enforced by the Information Commissioner’s Office (ICO).

The new regulation places greater obligations on organisations that collect personal data, and provides individuals with more rights in respect of their personal data. You may therefore wish to review your own uses of personal data, as a registered centre, in accordance with published ICO guidance.


UCAS' approach

In our view, the GDPR should not significantly alter the existing arrangements we have with registered centres. UCAS’ terms and conditions for becoming a registered centre include clauses relating to data protection and data security.

Once you become a registered centre, students can link their UCAS Undergraduate applications to your centre, which allows you to view and receive updates on the progress of their applications through Apply for advisers and Adviser Track.

This access enables you to support your students throughout the application process. It is very important that you regularly review the permissions you have set for staff members, and that accounts are deleted when staff members leave or change roles and no longer require access. UCAS has previously provided data protection guidelines for registered centres using Apply for advisers, which you can refer to.

Applicants are notified about our uses of personal data through our privacy information, which they accept when they apply through UCAS. This privacy information will be updated to fully reflect GDPR requirements.

We'll also be making some amendments to how we collect personal data in our admissions schemes, such as how applicants ‘opt in’ to receive further information from third parties. We’ll provide more information about this in the next few weeks.

In addition, the GDPR contains provisions making it mandatory for data controllers to report certain types of data protection breaches to the ICO. For this reason, in the unlikely event you become aware of a breach involving personal data provided by UCAS, or accessed via a UCAS product (e.g. seeing personal data about students not attending your registered centre), please let us know immediately at datagovernance@ucas.ac.uk.


Requests from registered centres

A data controller is an organisation that determines the purposes for which personal data is used. A data processor processes personal data on behalf of a controller. Some registered centres have sent UCAS requests to provide assurances about our processing of personal data, on the basis that UCAS acts as a data processor, on behalf of the registered centre.

While UCAS carefully assesses the requirements of our customers when considering how we process personal data, such as asking an additional question in the application, we remain the data controller responsible for making these decisions. We're therefore unable to accept these requests.

Some registered centres have also sent detailed questionnaires requesting information about how UCAS will comply with the GDPR, and the controls we have in place to keep personal data secure. As there are currently approximately 6,000 registered centres, we are unfortunately unable to respond to individual requests of this nature.

However, we can confirm that UCAS is accredited to the international security standard, ISO 27001:2013. As part of this accreditation, we're required to demonstrate that we maintain an information security management system, and deploy security controls, to manage information security and data protection risks. To maintain our accreditation, we're subject to regular external audits by the British Standards Institute (BSI).


What's next?

If you have any questions about how the GDPR affects the services UCAS provides to registered centres, please email us at datagovernance@ucas.ac.uk. We may not be able to reply to individual requests, but if there are common questions, we'll answer them through the adviser newsfeed.
