GDPR and data protection
The University of Sheffield processes information about individuals, for our own administrative purposes and to comply with our legal obligations. This includes personal data concerning current, prospective and former employees, students, suppliers, research partners and others in order to carry out our function as a university.
We detail our processing within our data protection policy (PDF).
The University of Sheffield is committed to protecting the rights and privacy of individuals in accordance with appropriate UK and European legislation. This includes:
- EU General Data Protection Regulations (GDPR)
- Data Protection Act 2018 - The GDPR provides some opportunity for national governments within the EU Member States to make certain provisions for how they apply the GDPR. The Data Protection Act 2018 formally repealed the Data Protection Act 1998 and addresses these Member State options of the GDPR.
- 1. Privacy notices
- 2. Data Protection Principles
Data protection legislation embodies strict rules for protection and management of information within Principles. These Principles are the foundation of good information management.
The General Data Protection Regulation (GDPR) outlines the Principles within Article 5, which states that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
GDPR further requires within the Principles that the controller shall be responsible for, and be able to demonstrate compliance with, the above Principles ('accountability').
- 3. ICO Notification
The University of Sheffield has notified the Information Commissioner's Office (ICO) of the purposes for which it processes personal data. This notification is renewed annually and recorded in the Data Protection Public Register. The University's Registration Number is Z681065X
The University must ensure that its notification remains up-to-date. Any member of staff who wishes to carry out processing additional to the current notification must contact email@example.com prior to doing so.
Additional processing includes:
- Processing personal data for an additional purpose
- Collecting an additional class of data
- Collecting personal data from an additional class of data subject
- Disclosing personal data to a new recipient
- 4. Subject Access Requests
What is a subject access request?
Under data protection legislation, individuals (data subjects) have the right to request that a data controller provides them with the following:
- Confirmation that their personal data is being processed
- Access to their personal data
- Other supplementary information about the processing of their personal data.
A Subject Access Request (SAR) is simply a request made by, or on behalf of, an individual. Some requests are directly outside the scope of the subject access request regime and are handled by other processes:
Exam scripts and SARS
A specific exemption exists in data protection legislation for access to information recorded by students during academic, professional or other exams. A SAR would not result in the provision of the work that the student submitted, however a copy of the comments recorded by examiners when marking scripts may be made available.
How do I make a Subject Access Request
A subject access request can be submitted verbally or in writing, but must describe the personal data required. Using the University's Subject Access Form (PDF) will aid you in providing as much detail as possible relating to the request and will reduce the potential for delays pending clarification. If you are unable to make a request in writing, telephone the Data Protection Department on +44 114 222 1117 and we will make arrangements to help you submit a request.
Proof of identification must be provided, comprising a copy of an official document containing photographic identification, e.g. passport or driving licence.
You can submit the form and/or proof of identification by email to firstname.lastname@example.org, but note that the University will only begin to process a request once it is in receipt of all items.
We may need to provide the response in an accessible format and will work with you to establish what is appropriate.
What happens once I have submitted a request?
The University will send you an acknowledgement of the request. If we need any clarification, or if proof of ID, we will contact you as soon as possible. Once we are in receipt of a clear request and proof of ID we will begin to locate and collate the relevant personal data.
What information will I receive?
The subject access right allows individuals the right to access personal data of which they are the subject. It does not provide the right to access entire documents if the documents do not fully comprise the personal data of the individual. Therefore, in response to a subject access request, an individual may receive partial or redacted documents.
Can I access the personal data of other individuals?
An individual only has the right to access personal data of which they are the subject and there is no right of access to the personal data of friends or family. However, there are some instances in which a request made on behalf of another individual or for a specific purpose (such as the detection or prevention of crime) will be considered.
When will I receive a response to my request?
Under data protection legislation, the University must respond within one calendar month of receiving a request and proof of ID, unless the request is particularly complex, in which case the deadline may be extended by a further two months. Where the University needs to extend a deadline we will inform the requester of this.
How will I receive copies of personal data in response to my request?
Copies of personal data will normally be sent either electronically (by email attachment, using password protection and encryption) or in hard copy (by the Royal Mail's 'Signed For' service). If you prefer, you can request that we provide personal data to you orally, but we will only do so if we are able to verify your identity first.
What if I am dissatisfied with the University's response to my request?
If you are dissatisfied with the way in which your subject access request has been processed or dissatisfied with the response that you have been given, please write to the Data Protection Officer in the first instance (email@example.com) so that the University is provided with the opportunity to review the matter and respond to your concerns.
You can also ask the Information Commissioner's Office (ICO) to carry out an assessment to see whether it is likely or unlikely that the University has responded properly. The ICO can be contacted at:
Information Commissioner's Office
Tel: 0303 1231113
Making a third party request for personal data
There are some circumstances under which the University will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. These are:
- The requestor is the parent of a child aged 12 years or under
- The requestor has the written permission to make a request on behalf of another individual
- The requestor has Power of Attorney or an order from the Court of Protection to act on behalf of another individual
- The University believes that it is in the best interests of an individual who does not have the capacity to make a request themselves
- The University deems that release can be justified under crime and taxation provisions.
In these circumstances the University may seek further information from the requestor in order to help determine whether we are willing to release any personal data.
A request for access to personal data made on behalf of a child
Children aged 13 and above are generally deemed mature enough to make decisions about the processing of their personal data and would normally be expected to submit a subject access request themselves. Where a parent of a child over the age of 13 submits a subject access request on the child's behalf, the University may contact the child to request their consent to the release of the personal data, or require the parent to provide written consent from the child.
A parent has the right to request access to their child's personal data, where the child is under 13 years old. The University will decide whether it is in the best interests of the child to make the disclosure. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and your child.
A request for access to personal data made on behalf of an adult
A request for access to personal data made on behalf of an adult will need to be accompanied by a signed letter from the data subject which contains consent to the release of all or specific personal data to the requestor. Such requests are typically made by solicitors acting on behalf of a client.
A request for access to personal data made on behalf of an adult who does not have the capacity to make a request for themselves will need to be accompanied by proof that the requestor has the authority to act on behalf of the data subject, such as through Power of Attorney or an order from the Court of Protection. Where authority is not provided, the University will consider on a case by case basis whether release of the personal data requested is in the best interests of the data subject. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the data subject and proof of your authority to act on behalf of the data subject.
A request for personal data for the purpose of law enforcement
The Data Protection Act 2018 contains some exemptions that permit the University to release personal data for the purpose of law enforcement:
- Safeguarding national security (section 110)
- The prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or of any imposition of a similar nature (schedule 2).
A request for the release of personal data under these provisions would be typically made by a police force, the Department for Work and Pensions, a local authority or the Border and Immigration Agency. The University is not obliged to release personal data unless is it satisfied that it is reasonable to do so. Under these exemptions, personal data may be released without the consent of the data subject and outside of the purpose for which the personal data was originally collected.
A request for release of personal data for the purpose of law enforcement should be submitted using the requesting organisation's own form for that purpose. Police forces, for example, use standard forms as per guidance issued by the Association of Chief Police Officers (ACPO). The form should give full details of the personal data requested, a full explanation of the reason for the request and should be counter-signed by a senior officer of the organisation. Completed forms should be emailed to firstname.lastname@example.org. Requests will be acknowledged and a full response sent as soon as possible.
- 5. Guidance for employees
- 6. Appropriate Policy Document
As part of The University of Sheffield’s (TUoS) public function as a higher education provider, we process Special Category and Criminal Offence data in accordance with Article 9 of the General Data Protection Regulation (GDPR) and Schedule 1 of the Data Protection Act (2018) (DPA).
Schedule 1 Part 4 of the DPA requires us to have in place this document, called an ‘Appropriate Policy’, when we rely on certain conditions for processing Special Category and Criminal Offence data. This policy will tell you what Special Category and Criminal Offence data we process, our lawful basis (schedule 1 condition in the DPA) for processing it, the purposes for which we process it, and how we ensure compliance with the principles of data protection law provided in Article 5 of the GDPR.
We will also tell you how long we will hold the Special Category and Criminal Offence data. Some of the information is already held in other documents on the TUoS website, and we have linked to the relevant documents when it is necessary to do so.
2. Description of the data processed
We process the following types of Special Category and Criminal Offence data:
- Health and disability
- Religious/philosophical belief
- Ethnic/racial background
- Sexual life/sexual orientation
- Political views
- Trade Union membership
- Criminal Offence data
Our retention schedule sets out the correct disposal action once records containing special category data are no longer required.
3. Schedule 1 condition for processing
Below we have listed the Schedule 1 conditions on which we are relying, and which need to be covered by this document. In this list, Special Category Data is abbreviated as SC; Criminal Offence Data is abbreviated as CO.
Schedule 1 Part 1 para 1 (employment and social protection), where TUoS needs to process SC/CO data for the purposes of performing its obligations or rights as an employer, or for guaranteeing the social protection of individuals
Schedule 1 Part 2 para 8 (equality of opportunity), where TUoS needs to process SC/CO data for the purposes of monitoring equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained
Schedule 1 Part 2 para 10 (prevention of crime), where TUoS needs to process CO data for the purpose of preventing or detecting unlawful acts
Schedule 1 Part 2 para 11 (protecting the public from dishonesty) where TUoS needs to process CO data to protect members of the public from malpractice, unfitness, incompetence or mismanagement in the administration of a body or organisation, and obtaining consent would prejudice the exercise of the protective function
Schedule 1 Part 2 para 12 (Regulatory requirements relating to unlawful acts and dishonesty) where TUoS needs to process CO data to comply with a requirement which involves taking steps to establish whether an individual has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct.
Schedule 1 Part 2 para 17 (counselling), where TUoS needs to process SC/CO data in order to provide confidential counselling, advice or support or of another similar service provided confidentially, only where, in the circumstances, consent cannot be given by the data subject, cannot be reasonably obtained from the data subject, or where the processing must be carried out without the consent of the data subject because obtaining consent would prejudice the provision of the service, and is necessary for reasons of substantial public interest
Schedule 1 Part 2 para 18 (safeguarding), where TUoS needs to process SC/CO data in order to protect the physical, mental or emotional well-being of an individual under the age of 18, or over the age of 18 and at risk, only where, in the circumstances, consent cannot be given by the data subject, cannot be reasonably obtained from the data subject, or where the processing must be carried out without the consent of the data subject because obtaining the data subject’s consent would prejudice the provision of the protection, and is necessary for reasons of substantial public interest
4. How we comply with the data protection principles in Article 5 of the GDPR
Article 5(2) of the GDPR requires Data Controllers to demonstrate how they comply with the data protection principles provided in Article 5(1). This section illustrates the measures we have taken to demonstrate accountability for the personal data we process, and contains details about how we ensure compliance with the principles of the GDPR.
We demonstrate our compliance with the data protection principles provided in Article 5 of the GDPR through the following measures and documents:
We have appointed a Data Protection Officer whose role and responsibilities align with the provisions of Articles 37-39 of the GDPR.
Our Privacy Notices explain to individuals how and why their data is processed by TUoS, what their rights are, and how they can get in touch with our DPO and the regulatory authority.
When we routinely and/or regularly share data with third parties, we enter into written agreements with Data Controllers and Data Processors which meet the provisions of Articles 26 and 28 of the General Data Protection Regulation respectively.
We carry out Data Protection Impact Assessments (DPIA) for uses of personal data that are likely to result in a risk to individuals’ data protection rights and freedoms.
We implement appropriate security measures which are proportionate to the risk associated with the processing.
4.2 Lawful, fair and transparent processing
We provide clear and transparent information to individuals about why we process their personal data, including our lawful basis in our Privacy Notices. This includes information about why we process Special Category and Criminal Offence data.
As a public authority we need to process Special Category Data for the substantial public interest conditions outlined in section 3 of this policy to meet the requirements of legislation such as the Higher Education and Research Act (2017), the Equality Act (2010), the Health and Safety Act (1974), the CTSA (2015), and legislation relating to safeguarding.
We process employment data to meet our legal obligations as an employer.
4.3 Purpose limitation
We process Special Category and Criminal Offence data where it is necessary to meet the following purposes.
- Equal opportunities monitoring, including statutory returns to the Higher Education Statistics Agency
- Certain work placements or casual work opportunities where a DBS check is required
- Supporting special arrangements, such as building access plans, study inclusion plans, and mitigating circumstances applications
- Providing individuals with appropriate support in a counselling session
- To allow us to fully investigate a complaint or grievance
- To understand dietary requirements based on health or belief
- Recording sickness absence
- Complying with health and safety obligations
- Where processing is necessary to respond to an emergency situation
- Responding to binding requests or search warrants from courts, the government, regulatory or enforcement bodies
- To fully process job applications
- For the prevention and detection of unlawful acts (e.g. incidents captured on CCTV)
- To verify the good character, competence and integrity of senior managers and trustees
We will only process Special Category and Criminal Offence data for the listed purposes, and in accordance with a condition in Articles 9-10 of the GDPR and Schedule 1 Parts 1-3 of the DPA. We process some Special Category and Criminal Convictions data for purposes not covered in this policy document. These conditions are:
- where we ask for your explicit consent to process Special Category and Criminal Offence data
- for the purposes of preventative or occupational medicine,
- where processing is necessary to protect your vital interests, and
- for research, statistics and archival purposes.
We may process data collected for any one of these purposes (whether by us or another Data Controller), for any of the other listed purposes, so long as the processing is necessary and proportionate to that purpose.
We will not process any personal data for purposes which would be incompatible with the purpose for which the data was originally collected.
4.4 Data minimisation
We design our data collection forms and other data collection tools to ensure that we only collect the Special Category or Criminal Offence data necessary to achieve the purpose. Our purposes are set out in our Privacy Notices.
We are satisfied that we collect and retain Special Category and Criminal Offence data for long enough to fulfil our purposes. We collect enough but no more than we need in accordance with the data minimisation principle, and we only hold Special Category and Criminal Offence data for the period set out in our retention policies.
Our retention schedule sets out the correct disposal action once records containing special category data are no longer required.
When we identify data which is inaccurate or out of date, having due regard for the purpose for which the data was processed, we will take necessary steps to rectify, replace or erase it as soon as possible and within one month. If there is a specific reason we cannot rectify or erase the data, for instance because the lawful basis does not permit it, we will record the decision.
We provide interfaces for staff and students to keep their personal data up to date, as well as issuing regular reminders to update or provide equalities monitoring data.
4.6 Storage limitation
Special Category and Criminal Offence data processed by us for the purpose of employment or substantial public interest, will be retained for the periods set out in our retention schedule. The retention policy for record categories is determined by our legal and regulatory obligations, and our business requirements. The retention schedule is available to view here: https://www.sheffield.ac.uk/polopoly_fs/1.821413!/file/2019_UoS_retention_schedule_rewrite_v2.3.pdf
Electronic data is hosted on a secure network, and on the secure servers of third party cloud storage providers with whom we have contractual agreements.
5. Retention and erasure policies
Our retention period and disposal actions for records containing Special Category Data can be found on our corporate retention schedule here: https://www.sheffield.ac.uk/polopoly_fs/1.821413!/file/2019_UoS_retention_schedule_rewrite_v2.3.pdf
6. Appropriate Policy review date
This policy will be retained for the duration of the processing, and for a minimum of 6 months thereafter.
The policy will be reviewed annually, or revised more frequently if necessary.
7. Additional Special Category and Criminal Offence data
We also process special category data and criminal offence data where an Appropriate Policy Document is not required e.g. for archival, research and statistical purposes. In these circumstances we will respect the rights and interest of our data subjects by informing them about the processing in our Privacy Notices
- 7. Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a key component of a 'Privacy by design' approach to a project or other personal data processing activity (hereafter referred to as an 'initiative'). 'Privacy by design' is an essential tool in minimising privacy risks and building trust. The Information Commissioner's Office (ICO) encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any initiative, and then throughout its lifecycle.
This guidance is devised to help you determine whether a DPIA is required for your initiative and if so, explains how to complete the assessment.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a structured approach to identifying the privacy risks associated with the processing of personal data and for implementing appropriate controls to manage those risks. The process comprises eight steps, discussed below:
Why conduct a DPIA?
Key benefits of conducting a DPIA are:
- Fulfilling the University's legislative, statutory and contractual obligations, particularly those under data protection legislation in relation to data processing activities
- Contributing towards effective risk management and increased privacy and data protection awareness across the institution
- Giving individuals confidence that the University is taking steps to safeguard their privacy, and a better understanding of the ways in which their personal data are being used
- Taking actions which are less likely to be privacy intrusive and have a negative impact on individuals
- Increasing the likelihood that the initiative is more successful because privacy risks are identified early, allowing controls to be designed in at less cost and with less impact on delivery.
Is a DPIA required?
A DPIA should be completed for any initiative that involves the processing of personal data or any other activity that could impact the privacy of individuals. Examples are:
- Building a new IT system for storing or accessing staff personal data
- Implementing surveillance technology in a building, such as a CCTV system
- Using a cloud service for the storage of research data
- Developing policies or strategies that have privacy implications.
A DPIA should be completed for new initiatives, for changes to existing systems or processes or for contract renewals where there is a data processing element. It may also be a recommended outcome from a formal investigation into an information security incident or weakness at the University.
The first step in conducting a DPIA is a screening process to decide whether the detailed work in the subsequent steps will be required.
A DPIA must be completed for all research projects that may impact the privacy of individuals and/or involve the use of personal data.
When should a DPIA be undertaken?
Ideally, a DPIA should be undertaken in the early stages of an initiative. The earlier a DPIA is completed, the easier it is likely to be to address any privacy risks identified.
Who should conduct a DPIA?
The University Data Protection Officer has overall accountability for ensuring that DPIAs are completed for personal data processing initiatives.
Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible for the initiative, such as:
- The project sponsor
- The information asset owner
- The lead for a research project.
Who should hold the completed DPIA?
The individual responsible for the initiative should retain the master copy of the completed DPIA for audit purposes and to be able to demonstrate compliance with legislative requirements should a query be raised. The University's Data Protection Officer or Information Governance Unit may request copies of DPIAs for monitoring and reporting purposes.
The University's DPIA template
Please use the University's standard Data Protection Impact Assessment Template found here.
Please note that in the case of research projects, the DPIA template is not mandatory; the assessment can be recorded in the project’s Data Management Plan instead.
Conducting a DPIA
Step One - Identify the need for a DPA
1. Will the project involve the processing of new (or additional) types of information about individuals
2. Will the project result in the processing of personal data that would have previously required a DPIA?
3. Is the data transferred internationally?
4. Does the project involve datasets that have been matched or combined?
5. Does the project involve evaluating or scoring individuals (including profiling and predicting)?
6. Does the project involve automated decision-making that may have a significant effect on an individual?
7. Does the project involve the use or application of innovative technological or organisational solutions?
8. Does the project involve systematic monitoring?
9. Does the project involve processing personal data on a large scale?
10. Does the project involve the personal data of vulnerable people?
11. Does the project involve processing sensitive (“Special Category”) personal data?
12. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used.
13. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information including third party processors
14. Will the project compel individuals to provide information about themselves, before they can make use of the service provided
Step Two - Describe the processing
Record the following in the DPIA template:
- How personal data will be obtained
- How personal data will be processed (including potential future uses)
- How personal data will be stored
- To whom personal data will be disclosed (individuals or organisations, if any).
Step Three - Consultation process
Consultation serves many purposes throughout the DPIA process, such as:
- Explaining the initiative to stakeholders
- Explaining to stakeholders how the DPIA process will be used within the initiative to manage privacy risks
- Establishing current working practices that the initiative aims to update or replace
- Establishing how the new system or process is likely to be used in practice and in the case of general purpose facilities, their likely purpose
- Establishing the privacy concerns of stakeholders
- Soliciting suggestions for controls
- Explaining identified controls to stakeholders.
Key stakeholders are likely to include:
- Individuals who understand the initiative from a technical point of view and in terms of personal data processing
- Individuals who will be using the new system or process
- Individuals whose personal data will be processed by the new system or process
- Collaborative partners
- The suppliers of a system
- The University's Information Governance Unit, Computing and Information Services (CIS) and Legal Services.
Step Four – Assess necessity and proportionality
Describe the proportionality and compliance measures that are being considered. In particular:
- What is your lawful basis for processing. These are contained within Article 5 GDPR for personal data and an Article 9 basis will need to be established in addition to Article 5 where Special Category Data is being processed?
- Ensure good data quality
- Provide individuals the support they need to act on their rights as data subjects
- Consider the risk of any international data transfer
Step Five - Identify and assess the privacy risks
Record the identified risks in the DPIA template. This forms the core of the DPIA process. The aim is to compile a comprehensive list of all of the privacy risks associated with the initiative, whether or not the risks require action.
For each privacy risk identified, the following should be recorded:
- A unique identifier
- A description of the risk
- An assessment of the impact of the risk (severe, major, moderate, minor, insignificant)
- An assessment of the likelihood of the risk (very likely, likely, neither likely nor unlikely, unlikely, very unlikely).
Step Six - Identify and approve the controls
Identify controls to mitigate the risks and record them in the DPIA template. The aim is to identify sufficient controls to eliminate each of the risks identified in Step Three, or to reduce them to a level which is acceptable to the University. For some identified risks, no controls may be required because the likelihood is so low and/or the impact so small that the risks are acceptable to the University.
Controls may take many forms, such as:
- Additional terms and conditions in a contract
- A privacy notice
- Documented operational procedures
- Disabling certain product features
- User training
- Technical controls, such as encryption.
Once a control is identified, the expected result of its implementation should be recorded i.e. whether it is likely to:
- Eliminate the risk
- Reduce the risk to an acceptable level
- Require acceptance as there is no reasonable control to eliminate or reduce it.
Proposed controls should then be approved by an appropriate individual. Normally this should be the information asset owner or their nominated delegate, but it could also be:
- The project sponsor
- The chair of a relevant committee.
Step Seven - Sign off and record outcomes
After the controls have been implemented, re-assess the risks and record the outcome in the DPIA template. The risks then need to be accepted by an appropriate individual. Normally this should be the information asset owner or their nominated delegate, but it could also be:
- The project sponsor
- The chair of a relevant committee.
The University’s Data Protection Officer will either approve or reject the processing based on the residual risk, adding relevant commentary to the document. Where the proposal is rejected, the DPIA rejected, the DPIA can then be escalated to the University’s Senior Information Risk Owner for consideration.
A world top-100 university
We're a world top-100 university renowned for the excellence, impact and distinctiveness of our research-led learning and teaching.