UCAS contextual offers

Privacy Policy

The Independent Schools Council (‘ISC’) is a membership association made up of independent schools within membership of one of the five Heads’ associations. We are a not-for-profit company limited by guarantee, registered with Companies House (registered number 1103760), whose registered office is at First Floor, 27 Queen Anne’s Gate, London SW1H 9BU.

This privacy notice is intended to cover data we quality check as part of a contextual data service to support UCAS applications for the 2022/2023 universities admissions cycle. It is intended for students (and their parents) who have applied for contextual data to support their UCAS application.

What we collect and what we use it for

ISC receives the following information:
- Full name of child (applicant)
- Postcode of applicant’s residence and (if different) of applicants parents
- Name of the applicant’s school, and
- A flag to confirm whether the applicants eligibility has been validated.

No special category data is received or processed by the ISC.

The above data is collected by Bursary Assessment Associates (‘BAA’) when an applicant makes an application for a contextual offer. BAA will pass the data to the ISC as a reputable, trusted and long-established body in the independent schools sector to externally verify it. The ISC will use the above data for quality assurance purposes prior to subsequently transferring it to UCAS. UCAS will then make the data available to the universities of the applicants choice.

In addition, the ISC may, exceptionally and under circumstances of confidentiality, from time to time further inspect or audit the work of BAA in providing the Service for quality assurance purposes. This may require the ISC to have some secure purpose-limited access to underlying documents and evidence that may include additional categories of data of applicant families.

How we collect your data

The ISC receives this data from BAA via SharePoint. Please see BAA’s privacy notice and website here for further information on how they collect and handle this data. Information on SharePoint encryption is available here.

Access to the designated folders within SharePoint is only possible for named ISC staff who have received a sharing link via their ISC email address. A Data Sharing Protocol exists for those organisations involved in this sharing of data. Further information on the Protocol is set out under ‘Sharing your data’ below.

Where is the data stored and for how long?

The data is stored on the secure ISC servers in a password protected area. Access is limited to the ISC Research team. The servers are subject to an annual Cyber Essentials accreditation test which includes testing that server and networks are secure.

We will keep your contact data for up to one year following the application cycle you are submitting for, at which point it will be hard deleted meaning that it cannot be retrieved.

Sharing your data

A Data Sharing Protocol is in place between UCAS, ISC and BAA which sets out the data protection obligations of these organisations when sharing your data. The Protocol makes clear that our intention is that your data is kept confidential and not used in any form which might identify an individual except for the limited purposes of this data sharing.

Once we have verified your data, we will share it with UCAS only so they can process your university application with the supporting contextual data as appropriate. UCAS’s privacy policy can be found here. We will share your data via UCAS’s own secure file transfer service called MOVEit, used for the purposes of secure data transfer. This webpage has the service’s privacy policy and End User License Agreement.

No data will be shared with UCAS if we, in conjunction with BAA, are unable to validate your data.

Lawful basis under the UK GDPR and retention

ISC is relying on ‘legitimate interests’ to hold your data as you have provided your data to support a UCAS application. This is in your legitimate interests and in the interests of the university applications process more generally on important public interest grounds, e.g. to ensure more contextualised and fair admissions decisions.

ISC will not use your data for other purposes including for marketing purposes.

Your rights in relation to this data

Under the UK General Data Protection Regulation (EU 2016/679) and the UK Data Protection Act 2018, you have certain rights associated with the use of your data:

  • to obtain access to, and copies of, the personal data that we hold about you;
  • to require us to correct the personal data we hold about you if it is incorrect;
  • to require us (in certain circumstances) to erase your personal data;
  • to request that we restrict our data processing activities;
  • to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
  • to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.

Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply. ISC will endeavour to respond to any such requests as soon as is reasonably practicable and in any event within statutory time-limits (which is generally one month, but actually fulfilling more complex or multiple requests, e.g. those involving third party information, may take 1-2 months longer).


ISC will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to ISC systems. All staff will be made aware of this notice and their duties under Data Protection Law and receive relevant training.

The ISC stores and transfers all data securely and we are committed to ensuring that we only use data processors who are UK GDPR compliant.

For more information on security and ISC’s third party processors, please contact research@isc.co.uk

How to contact us

If you believe that the ISC has not complied with this privacy notice or has acted otherwise than in accordance with Data Protection Law, please send your concerns to legal@isc.co.uk or The Independent Schools Council, First Floor 27 Queen Anne’s Gate, London SW1H 9BU. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with ISC before involving the regulator.

If you would like your details to be removed, please email research@isc.co.uk or write to The Independent Schools Council, First Floor 27 Queen Anne’s Gate, London SW1H 9BU.

ISC will update this privacy notice from time to time. Please check this policy periodically for details of any changes.