Purpose
This statement sets out the roles and responsibilities of the NHS Business Services Authority (NHSBSA) under Data Protection Legislation as it relates to the NHS Student Services.
The NHSBSA will not enter into individual agreements for data protection with Higher Education Institutions (HEI). This statement, coupled with the use of the NHS Student Services, sets out the data processing relationship between the parties.
Dental and Medical Student Bursary data arrangements are detailed in the Health Education England agreement Schedule 4.
This statement meets the requirements of Data Protection Legislation and sets out the:
- roles of the NHSBSA and HEI
- legal basis for processing
- subject matter processed
- duration of the processing
- type and categories of personal data held and processed
- responsibilities for Data Subject Rights Requests
- process for handling breaches
- process for attributing liabilities
For a definition of some of the terms we use in this statement, go to the ‘Glossary of terms’ section of this page.
NHSBSA and HEI roles
The NHSBSA and HEI are joint controllers, as defined by Data Protection Legislation.
NHSBSA and HEI responsibilities
The joint controllers have the responsibility of determining the legal basis of processing to comply with the General Data Protection Regulation (GDPR) Article 26 transparency requirement.
Responsibilities
Determine the legal basis of processing (GDPR Articles 6 and 9)
The NHSBSA has the legal basis of GDPR Article 6(1)(e), where the processing is necessary for the performance of a lawful task or function carried out in the public interest or as part of a direction or regulation imparted on the NHSBSA, and GDPR Article 9(2)(h).
The HEI has the legal basis of GDPR Article 6(1)(b), necessary for the performance of a contract with the data subject, and applies GDPR Article 9(2)(h).
Document the subject matter of the Processing (GDPR Article 30 (b))
The NHSBSA will administer the NHS Learning Support Fund, NHS Bursaries and Social Work Bursary Scheme in England to:
- assess and validate applications from current and new students for the relevant authorised courses
- make the appropriate payments to eligible students
- detect and prevent fraud and mistakes
- help plan and make improvements to NHS services, and direct patient care
The HEI will:
- confirm enrolment of eligible students to the NHSBSA at the start of the course and each subsequent academic year
- validate and authorise Travel and Dual Accommodation claim forms and Exceptional Hardship forms
- quickly advise the NHSBSA if an enrolled student defers or leaves the course before the end of the academic year
- co-operate and share relevant information in relation to any investigation into potential fraud and mistakes relating to payments made by the NHSBSA
Document the duration of the Processing (GDPR Article 30 (f))
The NHSBSA will process the data as detailed in the Student Services privacy notice.
The HEI will determine their own duration and retention in line with their own policies and procedures.
Document the nature and purpose of the Processing (GDPR Article 30 (b))
The NHSBSA will centrally administer the:
- NHS Bursary Scheme
- NHS Learning Support Fund
- Social Work Bursary Scheme
- Education Support Grant
The HEI will locally administer the:
- NHS Bursary Scheme
- NHS Learning Support Fund
- Social Work Bursary Scheme
Document the type of Personal Data (GDPR Article 30 (c))
The NHSBSA will document:
- family, lifestyle and social circumstances
- financial details
- employment and education details
- visual images, personal appearance and behaviour
- physical or mental health details
Document the categories of Data Subjects (GDPR Article 30 (c))
The NHSBSA will document:
- students
- family members of applicants, including partners and children
- connected persons
Responding to Data Subject Rights Requests
This includes:
- Right of Access (GDPR Article 15)
- Right to Rectification (GDPR Article 16)
- Right to Erasure (GDPR Article 17)
The NHSBSA will action these rights for the requests it receives based on the personal data it holds.
The HEI will action these rights for the requests it receives and the personal data it holds rather than what is held by the NHSBSA.
Providing Privacy Notices to Data Subjects (GDPR Articles 13 - 14)
The NHSBSA has a privacy notice and will remind students of this in correspondence and forms that prospective or new students complete.
The roles and responsibilities document is available in the HEI Portal and available to students from the NHSBSA Privacy notice.
Handling Personal Data Breaches (GDPR Articles 33 to 34)
If a personal data breach happens for information held by the NHSBSA, we will make sure that all necessary actions are taken to meet our legal obligations including, where appropriate, contacting the Information Commissioner's Office (ICO).
If the NHSBSA becomes aware that a breach was caused by the actions or omissions of the HEI, then the NHSBSA will advise the HEI. Should such a breach result in compensation claims, the NHSBSA Data Protection Officer (DPO) will discuss this with the HEI's DPO.
The HEI will handle personal data breaches relating to the relevant student data they hold.
Data Subjects' right to compensation and liability (GDPR Article 82)
The NHSBSA and the HEI will initially aim to agree who is responsible, and the responsible party will need to determine and pay any compensation. Where there is shared responsibility, the parties will aim to agree the proportions of responsibility attributed to each party and any liability or compensation payment will be shared in such proportions.
The parties will also agree who is responsible for defending any claim from a Data Subject.
If responsibility cannot be agreed between the parties, then reference to the Data Protection Legislation will determine who is responsible and the value of any liability or compensation to be paid.
Contact point for Data Subjects (GDPR Article 38)
The DPO of either the NHSBSA or the HEI will be the contact point.