Skip to main content Skip to footer

Student Services statement of data protection roles and responsibilities


This statement sets out the roles and responsibilities of the NHS Business Services Authority (NHSBSA) under Data Protection Legislation as it relates to the NHS Student Services.

The NHSBSA will not enter into individual agreements for data protection with Higher Education Institutions (HEI). This statement coupled with the use of the NHS Student Services sets out the data processing relationship between the parties.

Dental and Medical Student Bursary data arrangements are detailed in the Health Education England agreement Schedule 4.

This statement meets the requirements of Data Protection Legislation and sets out the:

  • roles of the NHSBSA and HEI
  • legal basis for processing
  • subject matter processed
  • duration of the processing
  • type and categories of personal data held and processed
  • responsibilities for Data Subject Rights Requests
  • process for handling breaches
  • process for attributing liabilities

For a definition of some of the terms we use in this statement, go to the ‘Glossary of terms’ section of this page.

NHSBSA and HEI roles

The NHSBSA and HEI are joint controllers, as defined by Data Protection Legislation.

NHSBSA and HEI responsibilities 

The joint controllers have the responsibility of determining the legal basis of processing to comply with the General Data Protection Regulation (GDPR) Article 26 transparency requirement.  


Determine the legal basis of processing (GDPR Articles 6 and 9)

The NHSBSA has the legal basis of GDPR Article 6(1)(e). The processing is necessary for the performance of a lawful task or function carried out in the public interest or as part of a direction or regulation imparted on NHSBSA and GDPR Article 9(2)(h).

The HEI has the legal basis of GDPR Article 6(1)(b) necessary for the performance of a contract with the data subject and applied GDPR Article 9(2)(h).

Document the subject matter of the Processing (GDPR Article 30 (b))

The NHSBSA will administer the NHS Learning Support Fund, NHS Bursaries and Social Work Bursary Scheme in England to:

  • assess and validate applications from current and new students for the relevant authorised courses
  • make the appropriate payments to eligible students
  • detect and prevent fraud and mistakes
  • help plan and make improvements to NHS services, and direct patient care

The HEI will:

  • confirm enrolment of eligible students to the NHSBSA at the start of the course and each subsequent academic year
  • validate and authorise Travel and Dual Accommodation claim forms and Exceptional Hardship forms
  • quickly advise the NHSBSA if an enrolled student defers or leaves the course before the end of the academic year
  • co-operate and share relevant information in relation with any investigation into potential fraud and mistakes relating to payments made by the NHSBSA

Document the duration of the Processing (GDPR Article 30 (f))

The NHSBSA will process the data as detailed in the Student Services privacy notice.

The HEI will determine their own duration and retention in line with their own policies and procedures.

Document the nature and purpose of the Processing (GDPR Article 30 (b))

The NHSBSA will centrally administer the:

  • NHS Bursary Scheme
  • NHS Learning Support Fund
  • Social Work Bursary Scheme
  • Education Support Grant

The HEI will locally administer the:

  • NHS Bursary Scheme
  • NHS Learning Support Fund
  • Social Work Bursary Scheme

Document the type of Personal Data (GDPR Article 30 (c))

The NHSBSA will document:

  • family, lifestyle and social circumstances
  • financial details
  • employment and education details
  • visual images, personal appearance and behaviour
  • physical or mental health details

Document the categories of Data Subjects (GDPR Article 30 (c))

The NHSBSA will document:

  • students
  • family members of applicants, include partners, children
  • connected persons

Responding to Data Subject Rights Requests

This includes:

  • Right of Access (GDPR Article 15)
  • Right to Rectification (GDPR Article 16)
  • Right to Erasure (GDPR Article 17)

The NHSBSA will action these rights for the requests it receives based on the personal data it holds.

The HEI will action these rights for the requests it receives and the personal data it holds rather than what is held by the NHSBSA.

Providing Privacy Notices to Data Subjects (GDPR Articles 13 - 14)

The NHSBSA has a privacy notice and will remind students of this in correspondence and forms that prospective or new students complete.

The roles and responsibilities document is available in the HEI Portal and available to students from the NHSBSA Privacy notice.

Handling Personal Data Breaches (GDPR Articles 33 to 34)

If a personal data breach happens for information held by the NHSBSA we will make sure that all necessary actions are taken to meet our legal obligations including, where appropriate, contacting the Information Commissioners Office (ICO).

If the NHSBSA becomes aware that a breach was caused by the actions or omissions of the HEI then the NHSBSA will advise the HEI. Should such a breach result in compensation claims then the NHSBSA Data Protection Officer (DPO) will discuss this with the HEIs DPO.

The HEI will handle personal data breaches relating to the relevant student data they hold.

Data Subjects right to compensation and liability (GDPR Article 82)

The NHSBSA and the HEI will initially aim to agree who is responsible, and the responsible party will need to determine and pay any compensation. Where there is shared responsibility, the parties will aim to agree the proportions of responsibility attributed to each party and any liability or compensation payment will be shared in such proportions.

The parties will also agree who is responsible for defending any claim from a Data Subject.

If responsibility cannot be agreed between the parties then reference to the Data Protection Legislation will determine who is responsible and the value of any liability or compensation to be paid.

Contact point for Data Subjects (GDPR Article 38)

The DPO of either NHSBSA or the HEI will be the contact points.

Glossary of terms

Connected Persons

This is a person authorised in writing by a Data Subject to act on their behalf, or a person appointed under a valid power of attorney to act on behalf of a Data Subject.


Has the meaning given in Data Protection Legislation and "Joint Controllers" has the meaning given in Article 26 GDPR.

Data Protection Legislation  

The Data Protection Act 2018 (DPA), the General Data Protection Regulation (Regulation (EU) 2016 / 679 of the European Parliament and of the Council (GDPR), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002 / 58 / EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner.

Data Subject

Has the meaning given in Data Protection Legislation.

Data subjects rights request

This is a request made by a Data Subject in accordance with rights outlined in Data Protection Legislation to access his or her Personal Data as set out in Articles 15 to 22 of GDPR.

Personal Data

Has the meaning given in Data Protection Legislation.


Has the meaning given in Data Protection Legislation and “Processed” and “Processing” shall be construed accordingly.

Legal basis

These are the reasons that allow us by law to process personal data, and special category personal data, as listed under Data Protection legislation.