UCAS' policy on access to personal data
UCAS is a charity that provides the undergraduate admissions service for the UK. To provide this service, we collect personal data from over 700,000 applicants each year. We take our responsibilities around data seriously and fully comply with the requirements of the Data Protection Act.
Following a review of our approach to sharing personal information in 2015, we have agreed a formal policy setting out with whom we share personal information and under what circumstances.
From the 2016 UCAS Undergraduate cycle, our policy is to limit access to the personal information contained within your application to the universities, colleges and other organisations involved in the admissions process, certain organisations who have statutory or regulatory responsibilities, and to trusted, non-commercial organisations to enable research about higher education. We have adopted this policy to ensure that we can maintain the trust that applicants place in UCAS and their confidence in using our services.
We also know that many applicants are happy to use their personal information, including their status as a UCAS applicant, for purposes not directly related to their application to higher education, such as to help them access products and services aimed at students. However, we will only share personal information for these purposes where applicants have actively confirmed that they are happy for us to do so.
Our policy is in line with what applicants have told us about how they want their personal data to be treated, and reflects growing public awareness about the value and potential uses of personal data. Recent studies show that providing information to people about the benefits of data sharing, and giving them choices about how their own data is used, is key to retaining a high level of trust.
Understanding the applicant perspective
To understand applicants’ views, UCAS surveyed UK undergraduate applicants in 2015 about their attitudes to data sharing, basing our questions on those developed by the Royal Statistical Society for similar purposes.
Our survey, which generated 37,000 responses in total, found that sharing and use of personal data is important to university applicants. Overwhelmingly, students told us that they want to be in control over who has access to their personal data and for what purposes.
A large majority, 90%, of respondents said they wanted to be asked for their consent before their personal data is shared with anyone outside of the admissions service. A majority wanted to be asked for their consent before sharing across a range of data uses.
Support for researchers
We recognise the value of our data for research into higher education and want to support researchers working in this area.
We provide a wide range of anonymous data (where individuals cannot be identified) resources and services that cover all applicants and can support most research questions about admissions into higher education. These include:
- analysis reports and notes where the anonymous data for results is published in a reusable form
- providing extensive anonymised data resources in an open data format for reuse by anyone
- offering analytical services using anonymous data. These include the creation of new anonymous data sets to particular specifications, and anonymised tracking of the outcomes for groups of individuals
Most research uses can be supported through these anonymous data resources and services, but there are some uses (such as matching individual applicant records to records in other data sources), that require personal information. For these uses, we will make personal information available to accredited researchers through the Administrative Data Research Network (ADRN).
The ADRN provides a secure environment to give accredited researchers access to data, where information which could be used to immediately identify an individual has been removed (termed “de-identified” data by the ADRN). Research proposals are subject to a rigorous approvals process and are reviewed by an independent panel which considers, amongst other things, whether the proposed research is lawful, ethical, and of potential benefit to society. The linking of data is done through encrypted keys and controls are in place which are designed to ensure individuals are not identified from any published results. Linked datasets are destroyed after five years and researchers accessing data through the ADRN are trained to use data safely, legally and responsibly. Further information can be found at the Administrative Data Research Network.