Data protection and GDPR

Mobile devices

The University of Sheffield needs to collect, retain and process information about employees, students and other people to allow it to perform academic and administrative functions and to meet legal and regulatory obligations to sector bodies and government.

Where it is necessary for the University to hold and process personally identifiable information it will do so in compliance with its statutory obligations to the data subjects.

All University of Sheffield staff have a responsibility to protect personal information; you must abide by all relevant policies and procedures. Any actual or suspected breaches must be reported immediately.

You can view the roles, responsibilities and structure for information management governance at the University:

Roles and responsibilities (PDF, 327KB)

From 25 May 2018 the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). We are updating our policies and guidance to adopt this new legislation, if you have any queries then please contact our Data Protection team.


Student at computer

How we handle your personal information

We take our responsibility to protect your data protection rights seriously. Find out how your personal information is processed and how we protect your rights.

Privacy notices | Cookie policy

Subject Access Request form (PDF, 56KB)

Person in library

How to manage personal information

Anyone who deals with personal information is required to handle that information appropriately. This applies to all individuals and organisations processing personal information on behalf of the University.

Policies and procedures

Mandatory training for staff | Guidelines for staff

Information Commons

Support and enquiries

If you have questions or concerns about personal information at the University please contact our Data Protection Officer:

Data protection queries

Information Champions – for staff (via your Muse/staff Google account)

Laptop and notes

Report a breach

To report a breach, or a suspected breach please follow the Information Security Incident Policy.

Information Security Incident Policy

PhD student

For researchers

Please follow the guidance from the University Research Ethics Committee (UREC).

The Health Research Authority (HRA) has also issued guidance on meeting GDPR requirements for research studies with HRA approval.

UREC guidance on data protection

HRA guidance on data protection