This is a new service

Statement of Data Protection Roles and Responsibilities


This statement sets out the roles and responsibilities of the NHS Business Services Authority (NHSBSA) under Data Protection Legislation as it relates to the NHS Student Services.

The NHSBSA will not enter into individual agreements for data protection with Higher Education Institutions (HEI). This statement coupled with the use of the NHS Student Services gives effect to the data processing relationship between the parties.

This statement meets the requirements of Data Protection Legislation and sets out the following:

  • Roles of the NHSBSA and a Higher Education Institution
  • The legal basis for processing
  • The subject matter processed
  • The duration of the processing
  • The type and categories of personal data held and processed
  • The responsibilities for Data Subject Rights Requests
  • The process for handling breaches
  • The process for attributing liabilities

Please note the terms used in this statement are defined in the definitions section at the end of this document.

NHSBSA and HEI roles

The NHSBSA and HEI have the following roles, as defined by Data Protection Legislation:

Party and roles table
Party Role
NHSBSA Joint Controller
Higher Education Institution Joint Controller

NHSBSA and Higher Education Institutions Responsibilities

The Joint Controllers have the responsibilities detailed in the section below to comply with the GDPR Article 26 transparency requirement.

Determine the legal basis of processing (GDPR Article 6)


GDPR Article 6(1)(b) necessary for compliance with legal obligations and GDPR Article 9(2)(h)

Higher Education Institution

The NHSBSA understands that the Higher Education Institution has the following legal basis: GDPR Article 6(1)(a) necessary for the performance of a contract with the data subject; Applied GDPR Article 9(2)(h)

Document the subject matter of the Processing (GDPR Article 30 (b))

NHSBSA will administer the NHS Learning Support Fund, NHS Bursaries and Social Work Bursary Scheme in England to:

  • assess and validate applications from current and new students for the relevant authorised courses
  • make the appropriate payments to eligible students
  • detect and prevent fraud and mistakes
  • help plan and make improvements to NHS services, and/or direct patient care

The Higher Education Institute will:

  • confirm enrolment of eligible students to the NHSBSA at the start of the course and each subsequent academic year.
  • validate and authorise Travel and Dual Accommodation claim forms and Exceptional Hardship forms
  • promptly advise the NHSBSA if an enrolled student defers or leaves the course before the end of the academic year
  • co-operate and share relevant information in relation with any investigation into potential fraud and mistakes relating to payments made by the NHSBSA

Document the duration of the Processing (GDPR Article 30 (f))

NHSBSA will process the data as detailed in the Student Services Privacy notice at

The Higher Education Institutions will determine their own duration and retention in line with their own policies and procedures.

Document the nature and purpose of the Processing (GDPR Article 30 (b))

NHSBSA will centrally administer the:

  • NHS Bursary Scheme
  • NHS Learning Support Fund
  • Social Work Bursary Scheme
  • Education Support Grant

The Higher Education Institution will locally administer the:

  • NHS Bursary Scheme
  • NHS Learning Support Fund
  • Social Work Bursary Scheme

Document the type of Personal Data (GDPR Article 30 (c))

The Higher Education Institution will administer the:

  • Family, lifestyle and social circumstances
  • Financial details
  • Employment and education details
  • Visual images, personal appearance and behaviour
  • Physical or mental health details

Document the categories of Data Subjects (GDPR Article 30 (c))

The Higher Education Institution will administer the:

  • Students
  • Family members of Applicants, include partners, children
  • Connected Persons

Responding to Data Subject Rights Requests: Right of Access (GDPR Article 15), Right to Rectification (GDPR Article 16), Right to Erasure (GDPR Article 17)

NHSBSA will action these rights for the requests it receives based on the personal data it holds.

The Higher Education Institutions will action these rights for the requests it receives and the personal data it holds rather than what is held by the NHSBSA.

Providing Privacy Notices to Data Subjects (GDPR Articles 13 - 14)

NHSBSA has provided a privacy notice at and will remind members of this in correspondence and forms that prospective or new students complete.

The roles and responsibilities document is available in the HEI Portal and available to students from the NHSBSA Privacy notice.

Handling Personal Data Breaches (GDPR Articles 33 - 34)

If a personal data breach takes place for information held by the NHSBSA we will ensure that all necessary actions are taken to meet our legal obligations including, where appropriate, contacting the Information Commissioners Office (ICO).

If the NHSBSA becomes aware that a breach was caused by the actions or omissions of the Higher Education Institution then the NHSBSA will advise the Higher Education Institution. Should such a breach result in compensation claims then the NHSBSA Data Protection Officer (DPO) will discuss this with the Higher Education Institution's DPO.

The Higher Education Institution will handle personal data breaches relating to the relevant student data they hold.

Data Subjects right to compensation and liability (GDPR Article 82)

The NHSBSA and the Higher Education Institutions will initially aim to agree who is responsible, and the responsible party will need to determine and pay any compensation. Where there is shared responsibility, the parties will aim to agree the proportions of responsibility attributed to each party and any liability or compensation payment will be shared in such proportions.

The parties will also agree who is responsible for defending any claim from a Data Subject.

If responsibility cannot be agreed between the parties then reference to the Data Protection Legislation will determine who is responsible and the value of any liability or compensation to be paid.

Contact point for Data Subjects (GDPR Article 38)

The Data Protection Officer of either NHSBSA or the Higher Education Institution will be the contact points.


"Concerned persons"

A person authorised in writing by a Data Subject to act on their behalf; or a person appointed under a valid power of attorney to act on behalf of a Data Subject.


Has the meaning given in Data Protection Legislation and "Joint Controllers" has the meaning given in Article 26 GDPR.

"Data Protection Legislation"

The Data Protection Act 2018 (DPA), the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner.

“Data Subject”

Has the meaning given in Data Protection Legislation.

“Data Subject Rights Request”

A request made by a Data Subject in accordance with rights granted pursuant to Data Protection Legislation to access his or her Personal Data as set out in Articles 15 to 22 of GDPR.

“European Law”

European Union or European Member State law (as referred to in the GDPR) or such other law as may be designated in its place when England (whether with Scotland, Wales and/or North Ireland or not), leaves the European Union.


The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council).

"Personal Data"

Has the meaning given in Data Protection Legislation.


Has the meaning given in Data Protection Legislation and “Processed” and “Processing” shall be construed accordingly.