General terms and conditions

General terms and conditions for HESA Identity System Accounts (the "Terms")

You accepted these terms when you registered an identity.

HESA Identity System General Terms and Conditions

  1. Background
    1. The Higher Education Statistics Agency Limited’s (HESA) goal is to operate a safe and secure environment for our services.  The Identity System (IDS) ensures an appropriate level of security and therefore we require all users to abide by these Terms when using our services.
  1. Agreement
    1. By registering a HESA Identity, you agree to abide by these Terms. If you do not agree, do not register a HESA Identity.
    2. HESA may, from time to time, change or amend these Terms. If we do, we will notify you, either through the user interface, in an email notification, or through other reasonable means. Your continued use of your HESA Identity, after notification, will be your consent to the changed Terms. If you do not agree to the changes, you must stop using your HESA Identity.
  1. HESA Identity
    1. You need a HESA Identity to access some of the services HESA provides. A HESA Identity provides the credentials for you to authenticate your use of these services. You are responsible for keeping your account information and password confidential. You are responsible for all activity that occurs under your account. You must inform HESA immediately if you believe that there has been any compromise of your HESA Identity.
    2. As such, HESA Identity accounts should not be linked to shared email addresses.
    3. Credentials used to access your account must remain confidential and not be used by other individuals.
    4. If you've forgotten your password or otherwise can't access your HESA Identity, you should use the ‘Forgot your password?’ link on the login screen to initiate the password reset process.
    5. Multifactor Authentication (MFA) must be enabled for your HESA Identity. The extra steps required as part of MFA forms part of the login process.  
    6. Where appropriate, you may request for a HESA Identity to be marked as a ‘Service Account’.  A request must be made in writing to the Liaison ([email protected]) which will be assessed. You are responsible for providing accurate information that forms part of the assessment, as well as for informing HESA if the nature of the service account changes. Where an account has been approved as a service account MFA will be disabled. 
  1. HESA Identity Organisation Role
    1. As well as requiring a HESA Identity to authenticate, access to some of our services is further restricted to only those people who act in a relevant capacity on behalf of an organisation and have appropriate authorisation. Such services will require your HESA Identity to show you as holding the appropriate HESA Identity System Role for your organisation before access to these services is authorised. You may be invited to hold such a role or you may request such a role. You must be authorised to act in such a capacity for that organisation before accepting or requesting a role. You will be required to accept any additional terms and conditions that holding a role may entail.
    2. If you cease to work for an organisation in the same capacity, you must remove the non-applicable roles from your HESA Identity. If you cease to work for an organisation completely, you must remove all the roles you hold for that organisation from your HESA Identity and notify HESA where transfer of roles to another colleague is required.
  1. Privacy
    1. Uses of your personal data are described in the HESA privacy policy which can be found at
    2. We may pass your personal data to third parties who need your personal information in order for us to provide our services to you. For example:
      • If you request or accept a HESA Identity System Role in order to act on behalf of an organisation, we will provide information about you to members of that organisation so that they may contact you, manage their role delegation and review your activity.
      • If you hold a role that means you approve or reject role requests for an organisation, we will provide information about you to people requesting roles so that they may contact you in connection with their request.
      • We may use your personal data to inform you about changes and improvements to our systems, operational documentation, and website.
    3. Access to HESA’s systems from outside the UK is not permitted unless prior permission has been granted by HESA for such access.  Requests for access to HESA’s systems from outside of the UK must be made in writing to Liaison ([email protected]).
  1. Cancellation
    1. If you do not comply with these Terms, we may take action against you, including suspending your HESA Identity, suspending or removing roles, asking you to refrain from certain activities and referring your activity to your organisation or other appropriate authority e.g. The Information Commissioner's Office.
    2. Where your organisation is known to be suffering from a cyber event, HESA reserves the right to temporarily suspend your HESA Identity and all HESA Identities at your organisation. HESA may require Identity credentials to be changed following resolution of the event/satisfactory assurances from appropriate individual(s) at your organisation.
    3. At our sole discretion, we may permanently delete your HESA Identity and prevent you from further registration. You accept that any delay or inability to carry out your activities caused by any such action is your responsibility.
    4. If your HESA Identity is not used for 395 days, it will be deleted.