Privacy Statement



Why do we collect information from you?

The Swansea University DSA Assessment Centre (known henceforth in this document as “the assessment centre”) is a third party information processor in the Disabled Students’ Allowance data processing chain.

This means that we gather and processes relevant identifiable information on for (and to the specifications of) various DSA process data controllers. The data controller will always be the funding body who administers your DSA. It usually operates on behalf of the government body that funds your DSA. 

Examples of DSA data controllers:

  • Student Finance Wales (SFW).
  • Student Finance England (SFE).
  • NHS Wales.
  • Student Awards Agency for Scotland (SAAS).

We are passed, collect and process sufficient information from and about you to write a detailed report for your DSA data controller. This informs them how DSA funds should be allocated for you.

The Student Loans Company (which runs SFE and SFW) has confirmed it recognises us as a DSA data processor, and is drafting a data sharing agreement for us to enter into at present.

We only collect information from students who have been approved access to Disabled Students’ Allowance by the DSA data controller.

What information do we collect?

Note: For some disabilities or medical conditions (or other reasons relating to personal safety and welfare), it may be necessary to enter into a bespoke information agreement with you. If you feel it is essential that certain information in our care is redacted or limited, please let us know. We will always advise you if the information you wish to limit will impact on your ability to progress through the DSA process, or access DSA funds.

  • The data controller will ask you to provide us with your DSA1 or equivalent DSA approval letter. This is our instruction to carry out the needs assessment, and request relevant information from you.
  • We are also required to review a copy of any medical / diagnostic evidence that the data controller has used to approve your DSA.
  • Collection of  contact, study and disability details in a pre-assessment form must be undertaken at first point of contact. This will be added to our database, whilst identifying information will be included in other administrative documents and logs, which are required for DSA processes workflow management. These are securely stored on the University’s server system.
  • In order to gauge what DSA funds should be allocated to you, we will collect information regarding the historical and current impact of your disability, as well as your educational experience to date. We will only ask about impacts that are relevant to attending and completing relevant academic study.
  • The information that you choose to disclose is at your discretion. We will explain any circumstances where we need to request more information, and why this would be of benefit to you.
  • We may also contact your higher education provider (HEP) to gather information. In some circumstances, this can be completed without recourse to personally identifiable information. In other cases, we may advise that it would be of benefit for you to be personally identified. We would ask permission for this from you and explain why we feel it is necessary.
  • The information we collect for you will be presented in a formal DSA report. The personal data fields in this report are defined by the DSA data controller.
  • If you wish to transact with us in the medium of Welsh, we will hold this information in a log. Welsh language legislation may require that we share this with other parties within Swansea University in order to ensure compliance (e.g. translation units). We will advise you if identifiable information is involved in this process and request consent to proceed.

How long do we keep your information?

The DSA data controller may ask us to complete follow on work at any point during your academic course, or follow on academic courses.

  • Consequently, we need to hold your data:
  • as per the requirements of the data controller to facilitate the role above
  • or
  • for five years from the end of the last academic course we have been notified that you attended.
    • After this time, any indefinable information relating to you will be deleted. 
    • Paper based information is scanned and shredded at the first possible opportunity.

Who might we share your data with?

We will provide a copy of your completed DSA report to the funding body who is your DSA data controller. Your permission will be sought for this

  • Additionally you have the option of requesting that we send a copy of your completed DSA report to a relevant party in your university.
  • We may identify that it is beneficial to seek advice from a knowledgeable third party in order to ensure that the best possible support is recommended for you. We will always share the minimum possible information, and discuss what we intend to do (and why), whilst seeking your explicit consent for this.
  • On occasions we may need to brief a third party to carry out a review of ergonomic support requirements in your private accommodation. We may need to pass on narrative of disability related factors and impacts within this brief, as well as agreed contact details. Again, we will always share the minimum possible information, discuss what we intend to do (and why) and seek your explicit consent for this. We are seeking advice on entering into a processor to processor agreement to facilitate this. Until this is in place, we will provide you with a brief to share with the third party.
  • If you wish to transact with us in the medium of Welsh, we may need to share your information with other units within the university (e.g. translation support).
  • Some DSA data controllers require that assessment centres are members of the accrediting body DSA-QAG. This is a registered charity in England, Scotland and Wales, as well as being a company limited by guarantee. Where the DSA data controller requires membership of DSA-QAG, the DSA-QAG quality assurance framework applies. This means that many of our information gathering administrative processes and administrative forms are defined by the external DSA-QAG standards. As of 25/5/2018 we are not aware of formal data sharing agreements between DSA-QAG and primary DSA data controllers. Data sharing arrangements for the sharing of sufficient information for QAG to undertake its core function are currently in progress. Consent for this sharing may be requested in advance of, during or after your assessment.
  • Any sensitive data shared will be encrypted using PGP encryption, or passed to the third party using password protected PDFs. At other times, data is securely stored on our university based server. All staff are provisioned to handle data and written communications from within a secure zone, protected by a logon. Personal data is not allowed outside this secure zone without explanation and explicit agreement being sought from relevant parties. 
  • On occasions, we may identify a risk factor relating to a student in our care. If this occurs, we will let the student know the concern we have identified, and discuss how the student wishes us to proceed. There may be some circumstances where duty of care responsibility requires that we pass details on to third parties within or external to the University.
  • In exceptionally rare cases, we may identify a risk factor to third parties. In order to discharge our duty of care responsibility, we may need to discuss the risk factor with responsible parties within or external to Swansea University.

What are your rights?

For further information on how your information is used, how Swansea University maintains the security of your information and your rights to access information the University holds on you, please visit the University Data Protection website:   . Also see the Inclusive Student Support Services privacy statement ( which provides information on our overseeing department’s information policy. 

You may invoke the right to erasure, or the right to be forgotten by contacting us at:

Note: Invoking the right to erasure or the right to be forgotten with the assessment centre will only result in action in relation to information we hold on you. It will not extend to the DSA data controller, other DSA third party data processors or your university by default. We will ask the scope of your request upon receipt, and will advise you if further action is necessary. Similarly, if you invoke the right to erasure or the right to be forgotten with the DSA data controller, assessment centre data may not be included in the request by default.


Note: When different information and data sharing policies overlap, we will always prioritise the policy that offers you the maximum data protection, then request permission from you to operate at the level of the lesser protection.

Find this confusing, or need more explanation? Contact us at


Mae’r ddogfen hon ar gael yn Gymraeg hefyd


Last updated 04/06/2018