Hedd.ac.uk - Enquirer Terms and Conditions

Background

You (the "Enquirer") wish to use the Hedd.ac.uk verification service to verify the award of one or more individuals' (the "Data Subject[s]") qualifications and/or related information.

Jisc Services Limited ("JSL") ("we" or "us" or "our" or similar pronoun), developers and operators of the Hedd.ac.uk services, will provide such access under the following conditions.

These Terms and Conditions (the "Terms") represent the entire agreement between us and you and shall become effective immediately upon acceptance by you, enduring in perpetuity. No other conditions will be binding unless agreed in writing by JSL and you.

Legal Notices

  1. These Terms and any dispute or claim arising from them shall be construed under and governed by the laws of England and the exclusive jurisdiction of the English courts.
  2. If any provision of these Terms, or any document made in connection with these provisions, is determined by any court, tribunal or administrative body of a competent jurisdiction to be wholly or partly unenforceable for any reason, that unenforceability shall not affect the rest of the Terms, the unenforceable part being deemed severed and deleted and the remainder continuing in full force and effect.
  3. You may not resell, assign or transfer any rights under these Terms.
  4. You may, however, utilise the Hedd.ac.uk verification services on behalf of a third party (act as an "agency") where appropriate binding agreements between you and them exist and include obligations aligned with those of these Terms.
  5. These Terms shall not create any agency, partnership or joint venture between you and JSL.
  6. If performance of our obligations are delayed or hindered by circumstances outside of our control:
    1. we will, as soon as reasonably practicable, provide you with notice of the reasons for the delay but will not incur any liability for failure to provide such notice; and
    2. our duty to perform shall be suspended for as long as such circumstances continue; and
    3. the time for the performance of our obligations shall be extended by a period equal to the duration of those circumstances.
  7. Any notice or other document to be served under these Terms must be in writing, either by email or first class post and will be deemed to have been served within one Working Hour and the third day after postage, respectively.
  8. We will ensure appropriate agreements are in place and maintained with each of our advertised Awarding Authorities in separate agreements.
  9. Definitions

  10. For the purpose of these Terms, the following words have the meanings ascribed to them:
    1. Account Data shall mean the Personal Data contained in Authorised User accounts on the Hedd.ac.uk verification service;
    2. Authorised User[s] shall mean a user who has specifically been granted authorisation by their parent organisation, and verified by JSL, to access the Hedd.ac.uk verification service for performance of their duties within the parent organisation;
    3. Applicable Law means all applicable laws, statutes, regulations, decree directives, legislative enactments, orders, binding decisions of a competent Court or Tribunal, rule, regulatory policies, guidelines, codes, other binding restriction, regulatory permits and licences applicable under law which are in force from time to time during the term of these Terms to which a party and/or any Processing of Personal Data is subject from time to time;
    4. Awarding Authority[ies] shall mean the organisation or body responsible for the award or granting of a prescribed qualification;
    5. Data Protection Legislation shall mean (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated, or re-enacted from time to time) which relates to the protection of individuals with regards to the Processing of Personal Data to which a party is subject for the purposes of these Terms, including the Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data) ("EU GDPR") as each is amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586) and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, as amended to be referred to as DPA 2018 and the UK GDPR respectively; and (b) any code of practice or guidance published by the UK Information Commissioner's Office (or equivalent regulatory body) from time to time;
    6. Data Subject Request means an actual or purported request or notice or complaint from or on behalf of a Data Subject exercising his or her rights under the Data Protection Legislation in relation to Personal Data including without limitation: the right of access by the Data Subject, the right to rectification, the right to erasure, the right to restriction of Processing, the right to data portability and the right to object;
    7. Enquiry Data shall mean the data provided by you, concerning a Data Subject, for the purposes of submitting a Verification Request;
    8. HeddHelp shall mean the personnel employed by JSL who hold responsibility for the maintenance of the Hedd.ac.uk verification service, contactable via electronic mail at the address heddhelp@prospects.ac.uk during Working Hours;
    9. Permitted Country means any country, territory or jurisdiction that is outside of the UK which is the subject of an adequacy determination by the UK Secretary of State or which is contained in Schedule 21, Part 3, Paragraph 5 of the Data Protection Act 2018;
    10. Permitted Purpose means the purpose of the Processing as specified in Appendix 1 (Data Processing Particulars);
    11. Regulator means the Information Commissioner's Office (ICO) and any other independent public authority which has jurisdiction over a party, including any regulator or supervisory authority which is responsible for the monitoring and application of the Data Protection Legislation;
    12. Regulator Correspondence means any correspondence from a Regulator in relation to the Processing of Personal Data under or in connection with this Agreement;
    13. Response Data shall mean the data provided by JSL or an Awarding Authority in response to a submitted Verification Request;
    14. Third Party Request means a written request from any third party for disclosure of Personal Data where compliance with such a request is required or purported to be required by law or regulation;
    15. Verification Credit[s] shall mean credit purchased on a Hedd.ac.uk account for the purpose of submitting Verification Requests;
    16. Verification Request[s] shall mean the Enquiry Data, evidence of consent, Response Data and any additional information submitted for the purpose of verifying the award of, or progress toward, any qualification, pertaining to a Data Subject;
    17. Working Day[s] and Working Hour[s] shall mean those periods Monday to Friday between 09:00 and 17:00 hours, excluding UK public holidays and the period 21 December to 03 January inclusive;
  11. The terms Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process (and Processing) and Supervisory Authority shall assume the meanings ascribed to them in the UK GDPR.
  12. Access to Hedd.ac.uk Verification Services

  13. You must be an Authorised User to submit Verification Requests.
  14. Upon registering for an account, the HeddHelp team will review your details and confirm that you have a genuine requirement to use the Hedd.ac.uk verification service. That is to say that you are employed in an official capacity by an organisation, agency, university, embassy or council and need to verify whether a candidate is a current or past student of a university or college, the award and grade they received, and the dates of attendance in the performance of your role.
  15. Once we are satisfied that you meet the requirements of Clause 12 above, we will enable your user account and notify you so that you may access your account.
  16. If we are unable to confirm the requirements of Clause 12 above, we will notify you and provide you with appropriate guidance.
  17. Verification Credits

  18. In order to submit a Verification Request for processing, you must purchase sufficient Verification Credits.
  19. Verification Credits may be purchased in advance or at the time of submitting the Verification Request.
  20. All purchases under these Terms are made in pounds sterling (GBP) and are exclusive of any applicable taxes. You shall be responsible for and shall indemnify us against any value added or sales taxes.
  21. Advanced purchase of Verification Credits may be made by Credit or Debit Card or, for purchases of 120GBP or greater, by invoice, subject to approval by our finance team.
  22. Where purchasing Verification Credits by invoice:
    1. Full payment must be received by us within thirty (30) days of the invoice date;
    2. Where you fail to pay us by the due date then, without limit to our other rights and remedies in these Terms, we shall, at our sole discretion have the right to suspend access to your account, suspend the processing of any outstanding Verification Requests and/or charge you interest on the amount paid late at the rate of four percent (4%) above the base rate of National Westminster Bank PLC accruing from day to day (after as well as before judgement) until payment in full has been received.
  23. Your Verification Credit balance is displayed in the top-right corner of your account dashboard once logged-in.
  24. Once Verification Credits have been purchased, they are non-refundable and non-transferable.
  25. You are not permitted to sell accounts or Verification Credits to third parties.
  26. Submission of Enquiry Data

  27. In order for a Verification Request to be accepted and processed, a lawful basis for Processing the request must be established.
  28. We anticipate that the lawful basis for Processing the majority of Verification Requests will be with the consent of the Data Subject. Where this is the case:
    1. Consent must be obtained in accordance with all applicable legislation including, but not limited to the Data Protection Legislation. Namely, that is shall be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of Personal Data relating to him or her;
    2. You must provide evidence that the Data Subject has given their consent to the Verification Request prior to submission of the Enquiry Data. Such evidence must include appropriate references to us, you, the Awarding Authority and the nature of the Processing being conducted as part of the Verification Request. Suitable consent pro-forma can be provided by contacting HeddHelp; and
    3. JSL and the Awarding Authority each reserve the right to refuse to process a Verification Request where evidence of consent of the Data Subject has not been provided or where there is sufficient doubt as to its validity. Such refusal will be promptly notified to you in writing by HeddHelp with justification for the decision not to process the Verification Request.
  29. Where you consider the lawful basis for Processing a Verification Request to be anything other than with the consent of the Data Subject, you agree to contact HeddHelp for guidance prior to submitting any Enquiry Data.
  30. If the lawful basis for Processing the Verification Request changes prior to the completion of the Verification Request, such as if the Data Subject withdraws their consent, you agree to notify HeddHelp immediately. Once such notice has been received by us, we will notify the Awarding Authority as appropriate and any further Processing will cease. In such circumstances, you may also apply to HeddHelp for consideration of a credit being granted to your account, at our discretion.
  31. Processing of Verification Requests

  32. Upon receipt of the Enquiry Data and a valid consent statement, or other established lawful basis for Processing, your Verification Request will be progressed.
  33. Wherever possible, your Verification Request will be processed automatically by our systems.
  34. Where our systems are not able to immediately verify the Enquiry Data, your Verification Request will be automatically forwarded to the Awarding Authority for manual fulfilment.
  35. Delivery Timescales

  36. The amount of time each Awarding Authority requires to respond to Verification Requests varies for each authority. We will publish the anticipated completion date alongside the status of your Verification Request(s) but these should be treated as an approximation only. We are unable to guarantee a response within the published period for each Verification Request.
  37. Where Enquiry Data is able to be automatically verified, we should provide a response within a few minutes of submission.
  38. Typically, where manual intervention is required, you should expect your Verification Request(s) to be completed within five (5) Working Days however this is likely to increase during peak periods such as during graduation season and outside term-time.
  39. Our HeddHelp team monitor the progress of Verification Requests and intervene as appropriate. In the event that your Verification Request becomes overdue we will notify you via email and work with the Awarding Authority to complete the request at the earliest opportunity.
  40. If any individual Verification Request has exceeded its approximate completion date and you have not received any communication from us, please contact HeddHelp for further guidance.
  41. Verification Request Responses

  42. Responses to Verification Requests will include one of the following outcomes:
    1. The Enquiry Data has been "verified" - An exact match has been found. The Enquiry Data is accurate; or
    2. The Enquiry Data has been "manually verified" - The Enquiry Data sufficiently matches the details held by the Awarding Authority to be considered a "match" but discrepancies exist in one or more data field; or
    3. The Enquiry Data is "not verified" - No close match exists between the Enquiry Data and the data held by the Awarding Authority; or
    4. The Enquiry Data is "unable to be verified" - The Awarding Authority is unable to process the Verification Request due to some factor outside the verification process.
  43. Where Enquiry Data has been manually verified, the Awarding Authority may provide Response Data detailing any discrepancies.
  44. Where Enquiry Data is unable to be verified, the Awarding Authority may provide Response Data detailing the reason(s) for not processing the Verification Request. This may include a requirement for the Data Subject to contact them directly prior to submission of any further requests. You agree to provide the Data Subject with such information, as appropriate.
  45. Where Response Data has been provided to you, you agree to protect it in accordance with all applicable legislation.
  46. If you object to the outcome of your Verification Request(s), or have any queries regarding such outcomes, please contact HeddHelp for further guidance.
  47. Data Protection

  48. Both you and we acknowledge and agree to comply with our obligations under the Data Protection Legislation.
  49. You warrant to us that you have the legal right to disclose all Personal Data that you do in fact disclose to us under or in connection with these Terms.
  50. In the Processing of Enquiry Data, you assume the role and responsibilities of Controller and JSL and the Awarding Authority each assume the role and responsibilities of Processor.
  51. To the extent that JSL processes Enquiry Data on your behalf, it shall:
    1. only Process the Enquiry Data for and on behalf of you for the purposes of performing its obligations under these Terms, and only in accordance with these Terms and your documented instructions;
    2. keep a record of any Processing of the Enquiry Data it carries out on your behalf;
    3. unless prohibited by law, notify you immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by Applicable Law to act other than in accordance with your instructions, including where it believes that any of your instructions under Clause 43a) infringe Data Protection Legislation;
    4. within thirty (30) calendar days of your request, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by you (and/ or your representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Clause 43, and provide reasonable information, assistance and co-operation to you, including access to relevant personnel and/ or, on the your request, provide you with written evidence of its compliance with the requirements of this Clause 43;
    5. (subject to Clause 44) not disclose Enquiry Data to a third party (including a sub-contractor) in any circumstances without your prior written consent, save in relation to Third Party Requests where JSL is prohibited by law or regulation from notifying you, in which case it shall use reasonable endeavours to advise you in advance of such disclosure and in any event as soon as practicable thereafter;
    6. promptly comply with any request from you to amend, transfer or delete any Enquiry Data;
    7. notify you promptly (and in any event within forty-eight (48) hours) following its receipt of any Data Subject Request or Regulator Correspondence and shall:
      1. not disclose any Enquiry Data in response to any Data Subject Request or Regulator Correspondence without first consulting with and obtaining your prior written consent; and
      2. provide you with all reasonable co-operation and assistance required by you in relation to any such Data Subject Request or Regulator Correspondence;
    8. notify you promptly (and in any event within twenty-four (24) hours) upon becoming aware of any actual or suspected, threatened or 'near miss' Personal Data Breach in relation to the Enquiry Data (and follow-up in writing) and shall:
      1. conduct or support you in conducting such investigations and analysis that you reasonably require in respect of such Personal Data Breach;
      2. implement any actions or remedial measures necessary to restore the security of compromised Enquiry Data; and
      3. assist you to make any notifications to the Regulator and affected Data Subjects;
    9. comply with the obligations imposed upon a Processor under the Data Protection Legislation;
    10. Upon the date on which Enquiry Data is no longer relevant to, or necessary for, the Permitted Purpose, JSL shall cease Processing all Enquiry Data and return and/ or permanently and securely destroy so that it is no longer retrievable (as directed in writing by you) all Enquiry Data and all copies in its possession or control and, where requested by you, certify that such destruction has taken place (promptly, and in any event within forty-eight (48) hours of the request) except to the extent required by Applicable Law to retain the Enquiry Data;
    11. not make (nor instruct or permit a third party to make) a transfer of any Enquiry Data outside a Permitted Country except with your prior written consent and in accordance with any terms that you may impose on such transfer as you deem necessary to satisfy the requirements to ensure that transfers of Enquiry Data outside of the UK or EEA are subject to appropriate safeguards and have adequate protections in place as set out in the Data Protection Legislation.
  52. JSL is hereby authorised by you to engage, as sub-processors with respect to Enquiry Data, the third parties identified in Appendix 1.
  53. In the Processing of Account Data, JSL assumes the role and responsibilities of Controller.
  54. In the Processing of Response Data, the Awarding Authority and you assume the role and responsibilities of Controller and JSL assumes the role and responsibilities of being the Awarding Authority's Processor.
  55. You shall implement appropriate technical and organisational measures to ensure an appropriate level of security for the Enquiry Data and the Response Data.
  56. JSL shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Account Data, the Enquiry Data and the Response Data.
  57. In addition to the obligations imposed upon you under the Data Protection Legislation, you warrant that:
    1. You are responsible for ensuring the accuracy and completeness of any information provided by you, including Enquiry Data;
    2. You will notify us as soon as practicable should any information require amendment; and
    3. Where acting as an agent for your own client, you will promptly notify us of any actions required as a result of transferred obligations (i.e. data protection obligations imposed on us but originated by your client, such as removal of information).
  58. You and we warrant to each other that:
    1. Should either of us become aware of any breach or potential breach of Enquiry Data or Response Data, we will promptly notify the other and the Supervisory Authority as required by the Data Protection Legislation, as soon as practicable; and
    2. Both you and we will, upon request, provide cooperation and assistance to the other with the fulfilment of their data protection obligations in relation to Enquiry Data and Response Data.
  59. JSL will ensure similar, appropriate agreements in respect of data protection are entered into with each Awarding Authority.
  60. You shall only supply to JSL, and JSL shall only Process, in each case under or in relation to these Terms:
    1. the Enquiry Data of Data Subjects falling within the categories specified in Appendix 1 (Data Processing Particulars) (or such other categories as may be agreed by the parties in writing); and
    2. Enquiry Data of the types specified in Appendix 1 (Data Processing Particulars) (or such other types as may be agreed by the parties in writing).
  61. JSL shall only Process the Enquiry Personal Data for the purposes specified in Appendix 1 (Data Processing Particulars).
  62. Disclosure

  63. Where acting on behalf of a third party under Clause 4 of these Terms, you may release Response Data to that party solely on the condition that they will not release, transfer, distribute share or otherwise re-disclose any of the information obtained to any other party or individual, whether for sale or free of charge, except to the Data Subject themselves or where otherwise required to by law.
  64. You warrant that you will indemnify and hold harmless JSL and the Awarding Authority for any data breach resulting from your disclosure under Clause 54 above.
  65. You further warrant that you will not otherwise release, transfer, distribute, share or redisclose any Response Data to any other entity or individual, whether for sale or free of charge, except to the Data Subject or where otherwise required to by law.
  66. Retention and Destruction of Data

  67. JSL will retain a copy of each Verification Request, including Enquiry Data, evidence of consent, Response Data and any other notifications made between you and us for evidential (including identification, accountability, non-repudiation etc.) and audit purposes, for up to three years.
  68. Once the period ascribed in Clause 57 above has elapsed, JSL will securely destroy the Verification Request.
  69. Termination

  70. In the event that you commit a material breach of these Terms, we may disable and prevent access to your account immediately on notice and without liability to you.
  71. In the event of any termination:
    1. Any incomplete, in progress Verification Requests will be charged; and
    2. All data pertaining to complete, incomplete and in progress Verification Requests will be retained in accordance with Clause 50 and Clause 51 above.
  72. Postal Correspondence

  73. Notifications served to JSL via the postal service should be addressed to:
  74. Hedd Team
    Jisc 4 Portwall Lane
    Bristol BS1 6NB

    Disclaimer

  75. JSL does not warrant or guarantee the completeness, accuracy or reliability of information in its Hedd.ac.uk database and disclaims any express or implied warranties or fitness for a particular purpose. JSL specifically disclaims any responsibility or liability for errors or omissions in information provided by Awarding Authorities, including direct, indirect, incidental, special, or consequential damages resulting from the use of information provided by the Awarding Authority and verified or released through Hedd.ac.uk under these Terms.
  76. Further to the obligations described above, both you and we agree to comply with all applicable laws and regulations governing the activities and services provided under these Terms.
  77. Changes to Terms and Conditions of Service

  78. JSL reserves the right to change the terms and conditions of use of their services, including the Hedd.ac.uk verification service, at any time.
  79. Changes to these Terms will be notified to you in writing and will apply to any Verification Requests submitted after such notification is deemed to have been received.
  80. Where changes to these Terms concern the handling of data, such changes will apply to all Verification Requests, including those submitted prior to the change, regardless of their completion status, from the date at which notification is deemed to have been served.
  81. Company Registration

  82. Hedd.ac.uk is a Jisc enterprise. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number 05747339, VAT number GB 197 0632 86. Jisc's registered office is: 4 Portwall Lane, Bristol, BS1 6NB. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB.

Appendix 1 - Data Processing Particulars

Subject matter of the Processing Qualification award and educational attendance information provided by Authorised Users of the Hedd.ac.uk verification service and Awarding Authorities, defined as Enquiry Data and Response Data respectively.
Nature and purpose of the processing The management, administration and delivery of the Hedd.ac.uk verification service, enabling Authorised Users to authenticate the qualification information provided to them by the Data Subject.
Type of personal data Name(s), date of birth, course name, qualification, classification and years of attendance with the place of study. Contact details, account usage details.
Categories of Data Subject

Authorised Users

Employees and employment candidates of the Authorised User or their client.

Current and former students of Awarding Authorities of educational establishments.

Sub-processors Awarding Authorities