What happens to your personal data

What does BPP do with my personal data?

The purposes for which we use your personal data may depend upon how you use our Products, the Websites other Social Media Channels or how else you communicate with us. These purposes may depend on the particular requirements of your course or programme and/or qualification and/or on how you may otherwise interact with BPP. The purposes may include (without limitation) the following:

  • Internal record keeping and audits;
  • Providing you with Products (including but not limited to courses and programmes that you have purchased or that have been purchased for you on your behalf) from BPP, any support that you may require in relation to those Products, which may include but is not limited to, IT services, learning support and registration for examinations, whether with BPP or with external examining and/or awarding bodies;
  • Administration of the Websites and our relationship with you including to provide Products to you which you may order from us and/or to provide and monitor our services to you;
  • Dealing with and responding to any communication, enquiry or application which you submit to us and to provide you with appropriate services which may include sending your further information (including via any third party agency that we have appointed to assist us with this function);
  • Checking any instructions given to us, for training purposes;
  • Providing information to your sponsor of a Product, such as your employer, where you have given us consent to do this or we are required to do so by law;
  • As and when we consider necessary, for the purpose of crime prevention;
  • In order to comply with legal requirements and obligations;
  • Contacting you for research purposes including market research and to help us plan and improve our Products. We may contact you ourselves or ask outside research agencies to do so on our behalf (please refer to the section Who do we share this information with below);
  • Conducting optional online surveys (e.g. to gauge the quality of our service, collect demographic information and other information that we may find useful);
  • Analysing patterns and trends of use and the uptake of our educational courses and facilities (if you are a student or delegate on one of our courses or programmes), to administer tests and examinations in which you participate, to verify your results and to have the course and/or your papers and/or award internally or externally assessed and verified;
  • Conducting credit checks where BPP or one its appointed agencies (governmental or private) is or may be offering you a form of credit;
  • Instructing debt collection agencies in the event that you owe BPP money and requiring debt collection agencies to follow up with you regarding the debt in question;
  • In relation to the recovery of debt in the event that we pass that debt on to a third party for collection;
  • Participating in surveys or similar research and analysis exercises undertaken by governmental or other agencies (including but not limited to the Department for Education, Higher Education Funding Council for England (HEFCE) or the Higher Education Statistics Agency (HESA)) (or any successor body to them) or by third parties engaged by such bodies;
  • Sending you reminders about events you have registered for or certain details of your courses by SMS, email, Social Media Channels or other electronic methods that may become relevant in the future;
  • Sending you direct marketing about our Products and services (but only when we have the appropriate consent(s) from you - please refer to the section on Direct Marketing);
  • Processing information relating to your purchase (actual or potential) of our Products via an agent or such other third parties as required if you are based outside of the United Kingdom, but wish to interact with BPP;
  • Enabling BPP and BPP’s Parent Group Companies which are companies based in the US and/or elsewhere outside of the EEA (BPP’s Parent Group Companies) to:
      • Provide information and marketing services related to our Products;
      • Carry out statistical analyses regarding the Products offered by us or BPP’s Parent Group Companies including analysing the profiles of customers, clients, students and staff together with the patterns and trends of use and the uptake of educational courses and facilities by and across BPP, including BPP’s Parent Group Companies based in the US;
      • Further develop the IT processes and systems used by BPP and its group companies including BPP’s Parent Group Companies based in the US;
      • Provide IT services by BPP’s Parent Group Companies Global IT;
      • Improve efficiency, results, communications, marketing, processes, standards and procedures as a result of such information and marketing services and statistical analyses referred to above across BPP and BPP’s Parent Group Companies and/or to use additional expertise, experience, resource and facilities available from BPP’s Parent Group Companies;
      • Fulfilling legal and/or contractual obligations to funding bodies; and/or
      • Ensuring compliance with legal, regulatory and other good governance obligations (please see “Compliance with US SOX Law, the UK Bribery Act and other relevant legislation” section below).

This list is not intended to be exhaustive and the purposes for which your personal data is and may be used include items not included on this list and may change or may be updated in accordance with the nature of our work and as legal, regulatory and other good governance requirements require. Your personal data may be kept in paper files and/or held in electronic form (e.g. on our IT systems, in emails, on the internet, on cloud computing or in databases).

What happens when I submit my personal data?

When your personal data is collected through the Websites, via Social Media Channels or by BPP through any other mechanism (including without limitation when you complete application forms, exam scripts or make any form of other submissions to BPP), it will be stored in the way BPP considers is most appropriate for that type of personal data and for the purpose for which BPP will need that personal data. The personal data may be directed into one or more IT systems in any format and/or may be held in hard copy. BPP may also monitor, record, store and use any telephone, email or other communication made with you.

Subsequently, personal data is stored and used by the relevant entity of the BPP’s Parent Group Companies for reasons including, without limitation, your request for information to be processed, for you to be registered on a training course or to receive a Product to which you are entitled or for you to receive course materials.

Your personal data may be held on the IT system of BPP, BPP’s Parent Group Companies (e.g. for the purpose of providing training or educational services to you) and/or on the IT system of another third party company (within or outside of BPP) within or outside the UK which is providing IT hosting or other data processing services, in accordance with BPP's arrangement in place with that company.

All information that you provide to us is stored on secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Within the Virtual Learning Environment (‘VLE’) the following data sharing is in operation:

  • Your name, last log-in date, campus location and study programme may be shared with other users of the VLE;
  • Your details will be searchable to other VLE users, and you can be messaged through the VLE by other users based on your VLE user name;
  • You may also elect to share your photo, a short biography and personal email address with other VLE users;
  • Your participation in online sessions, including your text, audio or video content may be recorded and shared with other VLE users;
  • Third Parties chosen by BPP may review your interaction with the VLE to help BPP continuously improve the service. BPP will ensure that adequate protection is in place over any personal data shared with any third parties for this purpose.
  • Performance results in the VLE may also be combined to derive benchmarks of performance to allow students to assess their performance in their chosen programme. These will only be presented in aggregate and individual results will not be disclosed.
  • Any assignment uploaded through VLE will be protected in line with BPP policies and only disclosed to appropriate VLE users for the purposes of assessment. Assignments may be sent to third parties for the purpose of ensuring the work is original, attributes sources correctly and does not infringe on any existing copyright. BPP will ensure that any assessments passed to third parties for this purpose will be protected in line with BPP policies.
  • VLE data relevant to assessing your progress within the programme may be shared with your sponsoring organisation.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Who do you share my information with?

BPP may transfer your personal data to:

  • Any company within BPP; and
  • BPP’s Parent Group Companies.

BPP or BPP’s Parent Group Companies may make your personal data available to other businesses and third parties which we engage to help us run our business, for example, to provide services to us. Such third parties may include (but are not limited to) market research companies, providers of direct marketing services, advertisers and advertising networks, customer services, credit checking or debt collection agencies, customer relationship management, training providers, suppliers of services relating to whistleblowing (please see the “Compliance with US SOX Law” section below), IT hosting, service, helpdesk, service, development and maintenance providers and third party regulators, bodies and authorities. We may also exchange your personal data with other companies and organisations for the purposes of fraud protection and credit risk protection.

In addition (if you are a student or delegate on one of our courses or programmes), we may make your personal data available to external awarding bodies and auditors which verify your test and examination results, in order to obtain accreditations for you. We may also make your personal data available to central government departments or other external bodies which oversee the quality of the services we provide and the process of awarding qualifications and accreditations.

We may also have a contractual or other obligation to provide certain parts of your personal data (including, but not limited to, attendance records or examination results) to your employer if your employer is sponsoring you on one of BPP’s courses or programmes, i.e. a third party undertakes to pay for your purchase of a Product, course or programme. By receiving that sponsorship and undertaking the sponsored course or programme with BPP, you consent to BPP providing information about you in relation to that course or programme to your sponsoring employer or such other third party that your sponsoring third party nominates.

Where required in accordance with the requirement of the Act, we impose restrictions and standards in our written contracts with third party recipients of your personal data in order to ensure they keep your personal data secure and that they use it only for the purpose for which we provide it to them and in accordance with the instructions of BPP, including BPP’s Parent Group Companies based in the US. If these businesses are outside of the UK, the section “Will my personal data be transferred outside the UK and/or Europe?” section below will be relevant.

We may be required by law or for tax or other purposes to disclose your personal data to local or central government authorities or official agencies (either inside or outside of the EEA). This may include participating in surveys or similar exercises undertaken by governmental or other bodies or third parties engaged by those bodies or for the purposes of audit, investigation or any regulatory requirements.

If you are studying a higher education programme with us, we may provide some of your personal data, including your sensitive personal data, to organisations carrying out public functions connected with education in the United Kingdom, including (without limitation) the Department for Education, HEFCE or HESA (or any successor body to them), or contractors engaged by them, for the purposes set out in the Student Collection Notice and the Destination of Leavers from HE Collection Notice.

Student Collection Notice

We will send some of the information we hold abut you to the Higher Education Statistics Agency (HESA). This information forms your HESA record, which does not include your contact details.

Your contact details may be passed to survey contractors to carry out the National Student Survey (NSS) and surveys of student finances, on behalf of some of the organisations listed below under Purpose 1. These organisations and their contractors will use your details only for that purpose, and will then delete them.

After you graduate we may contact you to ask you to complete one or more surveys into the outcomes of higher education and your activities after graduation. These surveys may be undertaken by us or by another specialist organisation contracted for that purpose. If a specialist organisation is used that organisation will receive your contact details, but will only use your details for the purpose of asking you to complete the survey, and will then delete them. You may also be contacted as part of an audit to check that we or any contracted organisation have undertaken these surveys properly.

If you do not want to take part in any of these surveys, please let us know.


Every year we will send some of the information we hold about you to HESA (“your HESA information”). HESA is the official source of data about UK universities, higher education colleges, alternative HE providers, and recognised higher education courses taught at further education institutions in Wales www.hesa.ac.uk. HESA collects, and is responsible for, the database in which your HESA information is stored. HESA is a registered charity and operates on a not-for-profit basis. HESA uses your HESA information itself for its own purposes. HESA also shares information from your HESA information with third parties. It may charge other organisations to whom it provides services and data. HESA's use of your HESA information may include linking information from it to other information, as described further below. HESA information is retained indefinitely by HESA for statistical research purposes. All uses of HESA information must comply with the Data Protection Act 1998 www.legislation.gov.uk/ukpga/1998/29/contents.

Sensitive information

If you give us information about your disability status, ethnicity, sexual orientation, gender reassignment or religion these may be included in your HESA information and used to assist with monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act. Some other sensitive information is used to enable research into the provision of fair access to higher education, for example information as to whether you are a care leaver.

If you are enrolled at a higher education provider in England regulated by the Higher Education Funding Council for England your HESA information will include details of any financial support you may receive from us.

Your sensitive information will not be used to make decisions about you.

Purposes for collecting your HESA information

Your HESA information including linked data is used for four broad purposes.

Purpose 1 - Public functions

Education statistics and data

Your HESA information is used by some organisations to help carry out public functions connected with education in the UK. These organisations are data controllers in common of your HESA information under the terms of the Data Protection Act (this link explains what this means ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/ ). Such organisations may include:

  • Department for Business, Innovation and Skills
  • Welsh Government
  • Scottish Government
  • Department for the Economy, Northern Ireland
  • Higher Education Funding Council for England
  • Higher Education Funding Council for Wales
  • Scottish Further and Higher Education Funding Council
  • Department for Education
  • Research Councils
  • Education Funding Agency
  • Skills Funding Agency
  • National College for Teaching and Leadership
  • National Health Service bodies and organisations working with them e.g. Health Education England
  • General Medical Council
  • Office For Fair Access
  • Quality Assurance Agency for Higher Education

and any successor bodies. These bodies may retain HESA information indefinitely for statistical research purposes, or for fixed terms depending on the terms of their data sharing agreements with HESA.

Other uses

Your HESA information may also be used by some organisations who are also data controllers in common to help carry out public functions that are not connected with education. Such uses may include the following:

  • Measurement of population levels and migration by the Office for National Statistics, National Records of Scotland and the Northern Ireland Statistics and Research Agency
  • Monitoring of public expenditure by the National Audit Office
  • Monitoring of the accuracy of electoral registers by Electoral Registration Officials.

Purpose 2 - Administrative uses

Fraud detection and prevention - Your HESA information may be used to audit claims to public funding and student finance, and to detect and prevent fraud.

Previous study - If you are enrolled at a higher education provider in England: The Higher Education Funding Council for England (HEFCE) may share your previous education records with us, including HESA information submitted by other institutions, to determine the nature of any prior higher education study, including your current qualifications. This may be used to make decisions about the fees you are required to pay, the support available to you or the availability of a place for you to study with us.

Your HESA information will not be used to make decisions about you other than for those uses outlined under Purpose 2.

Purpose 3 - HESA publications

HESA uses your HESA information to produce and publish information and statistics. This includes some National Statistics publications (www.statisticsauthority.gov.uk/national-statistician/types-of-official-statistics) and online business intelligence and research services. HESA will take precautions to ensure that individuals are not identified from any information which is processed for Purpose 3.

Purpose 4 - Equal opportunity, research, journalism and other processing in which there is a legitimate interest

HESA and the other data controllers in common (see Purpose 1) may also supply information to third parties where there is a legitimate interest in doing so. Examples of use for this purpose include:

  • Equal opportunities monitoring
  • Research - This may be academic research, commercial research or other statistical research where this is in the public interest
  • Journalism - Where the relevant publication would be in the public interest e.g. league tables
  • Provision of information to students and prospective students

Users to whom information may be supplied for Purpose 4 include:

  • Higher education sector bodies
  • Higher education providers
  • Academic researchers and students
  • Commercial organisations (e.g. recruitment firms, housing providers, graduate employers)
  • Unions
  • Non-governmental organisations and charities
  • Local, regional and national government bodies
  • Journalists

Information supplied by HESA to third parties within Purpose 4 is supplied under contracts which require that individuals shall not be identified from the supplied information. A copy of HESA’s current agreement for the supply of information is available at www.hesa.ac.uk/bds-details#e.

HESA student information may be linked to school and/or further education college information and supplied to researchers. A copy of the Agreement for the supply of linked data about pupils from schools in England is available at www.gov.uk/government/collections/national-pupil-database

Linking of your HESA information to other information

As indicated above, where HESA and organisations covered by Purpose 1 use HESA information this may include linking HESA information to other information for example:

Where HESA provides information from your HESA information to third parties under Purpose 4, the permitted uses of the information by a third party may include linking HESA information to other information held by the third party. Permission for such use is considered on a case by case basis. It is only given where the linking is for the purposes outlined in Purpose 4 and subject to the requirement not to carry out linking to identify individuals.

Destinations information for schools and colleges – If you attended a school or college in England linked data may be disclosed to the last school or college you attended (or its successor body) and to Ofsted to enable them to assess the outcomes of secondary education.


The HESA Student Collection Notice is regularly reviewed. The most up to date version can be found at www.hesa.ac.uk/fpn. Minor updates to the Student Collection Notice (including organisation name changes and clarification of previously specified purposes) may be made at any time. Major updates (such as a new purpose or administrative use) will be made no more than once per year.

Your Rights

For further information about data protection and your HESA information please see www.hesa.ac.uk/dataprot. If you have questions about how your HESA information is used please contact data.protection@hesa.ac.uk. Under the Data Protection Act 1998 you have rights of access to the information HESA holds about you. You will have to pay a small fee for this. If you think there is a problem with the way HESA are handling your data you have the right to complain to the Information Commissioner's Office: https://ico.org.uk/.

We may be required by law or legal process (i.e. by a court or tribunal) to release it to other external organisations or for the purposes of obtaining legal advice. We may also release it to parties to which you authorise us to release it to. In addition, there may be circumstances in which it is necessary for us to disclose your personal data to external companies or organisations in order to protect our customers or our own interests, and this will be carried out in compliance with applicable privacy laws.

If you have purchased a product through an approved BPP reseller, we may seek your consent to provide the third party with your examination results for the purposes of allowing the reseller to analyse their performance.

We will not sell your personal data to any third party except where necessary as part of our legitimate business processes (e.g. in the event that our management or administration is to be taken over by an external organisation or for the purpose of debt recovery). If we do this we will ensure the transfer is carried out in accordance with the Act.

Where you publish any feedback, opinion or statement on BPP and/or any BPP Website, course, programme and/or other product or services on any social media (including without limitation any of our websites, LinkedIn, Facebook or Twitter), you irrevocably consent to BPP using such feedback, opinion or statement for internal purposes only.

Will my personal data be transferred outside of the UK and/or European Economic Area?

We may transfer your personal data to the US to BPP’s Parent Group Companies for the purposes described above (including but not limited to the purpose of statistical analysis). Apollo Group Companies located in the US adhere to the requirements of the EU-US Privacy Shield Privacy Principles published by the US Department of Commerce (“Privacy Shield”) with respect to certain personal data about BPP students. Apollo Group Companies located in the US provide students in the European Economic Area with information regarding the data transfers that are covered by Privacy Shield via a separate Privacy Shield Privacy Policy.

The Websites and/or any Products and/or services may be hosted on servers located outside of the UK and/or the EEA and maintenance and support services for the Websites and/or those Products and/or services may be provided from outside the UK and/or the US and/or EEA. This means that your personal data may be transferred to, stored and processed in other countries apart from the UK, including outside of the EEA. By submitting your data, you agree to this. As a result, your personal data may be transferred to, stored and processed in countries which do not have the same privacy and data protection laws and standards as are applicable in the UK. However, in order to prevent unauthorised access or disclosure, damage or loss of your personal data, we will take suitable physical, electronic, organisational and technical measures in accordance with our obligations under the Act. In addition, any transfer of your personal data to another country will be carried out in accordance with the Act.