The Erasmus+ Programme (Data Processing) Regulations 2026 were made on 28 April 2026, laid before Parliament on 30 April 2026 and will come into force on 1 June 2026. Signed by Smith of Malvern at the Department for Education, the statutory instrument creates a defined legal basis for personal data processing connected to UK participation in Erasmus+. The regulations extend across England and Wales, Scotland and Northern Ireland. Their purpose is administrative rather than symbolic: they identify who may handle personal data, the purposes for which that data may be used, and the circumstances in which information may be shared inside the UK delivery structure and with named European bodies.
The legal basis is section 31 and Schedule 5 to the European Union (Future Relationship) Act 2020. The instrument states that Erasmus+ is the European Union programme in which the United Kingdom will participate and to which it will contribute under Article 1(1a) of Protocol I to the Trade and Cooperation Agreement. That places the regulations within a wider UK-EU governance arrangement rather than a purely domestic education scheme. The Explanatory Note traces the route from the Specialised Committee decision of 4 December 2023 adopting Protocol I to Decision No 1/26 of 15 April 2026, which amended Protocol I to add Erasmus+, making this instrument part of the domestic machinery needed for participation to operate.
The drafting establishes three programme bodies. The Secretary of State is the National Authority, notified to the European Commission as the person responsible for monitoring and supervising Erasmus+ management in the United Kingdom. One or more designated organisations may act as the National Agency, which manages implementation, while a separately designated Independent Audit Body issues an audit opinion on the National Agency’s yearly management declaration. The regulations also use the Data Protection Act 2018 definitions of personal data and processing. That keeps the instrument tied to existing UK data protection language rather than creating a separate set of scheme-specific meanings.
Regulation 3 allows an Erasmus+ Programme Body to process personal data where that is necessary to enable or facilitate its own functions, or another programme body’s functions, under Erasmus+. It also permits disclosure to persons undertaking functions in respect of the programme, including another programme body, the European Commission, the Court of Auditors of the European Union and the European Public Prosecutor’s Office. The regulation then gives each body a tailored disclosure route. The National Authority may share data where needed for monitoring and supervision in the United Kingdom; the National Agency may share data where needed to manage implementation or assist another person’s Erasmus+ functions; and the Independent Audit Body may share data where needed to produce and support its audit opinion. The inclusion of EU audit and prosecutorial bodies shows that programme accountability is designed on a cross-border basis.
Regulation 4 extends the framework beyond the core programme bodies. The Secretary of State, Scottish Ministers, Welsh Ministers, a Northern Ireland department, the National Agency and the Independent Audit Body are all treated as relevant persons for limited purposes. They may process personal data where necessary to support statistical analysis, research and performance monitoring, or to support the National Agency in carrying out specified functions. For the devolved administrations, the powers are territorial and functional. Scottish Ministers may analyse the impact of UK participation in or as regards Scotland and support National Agency functions in relation to a person in Scotland; the regulations make equivalent provision for Wales and Northern Ireland. The effect is to give each administration a formal role in evidence gathering and operational support without altering the Secretary of State’s position as National Authority.
The specified functions listed in the regulations cover the working parts of programme delivery: communication and promotion, support with funding applications, customer relationship management, handling enquiries, awarding grants and managing grants already awarded. For universities, colleges, schools, youth organisations and other beneficiaries, the immediate effect is to place these administrative activities on an express statutory footing when personal data is involved. The Department for Education’s Explanatory Note indicates that the measure is intended to enable processing as part of the Erasmus+ Programme, not to establish a free-standing new data regime. Regulation 5 reinforces that point by stating that nothing in the instrument affects any power to disclose personal data that exists apart from these regulations.
The regulations are time-limited. Regulation 6 states that they cease to have effect on 31 December 2027, but preserves their effect where necessary for activities that began before that date. That matters for grants, audits, monitoring work and research that may continue beyond the formal end date of the power. The Explanatory Note also records that no full impact assessment has been produced because no significant effect on the private, voluntary or public sector is foreseen. Even so, the instrument does important technical work: it supplies the data-handling framework that allows UK participation in Erasmus+ to be administered, supervised and audited across domestic and EU institutions.