Privacy notice: people who are neither staff nor students

The University needs to hold and process personal data relating to many people in order to keep proper records, provide advice and guidance to the public and to provide goods and services.

On

We hold financial information so that we can process payments; information on health and disability so that we can provide support and assistance to visitors and guests; and many other categories of information – which are listed below – in order to both run the business and activities of the University, and in order to fulfil our legal obligations.

The University takes the security and integrity of all the personal data it holds very seriously. We have an Information Security Policy and all staff our trained in Data Protection. We believe our systems are secure. We do not release information about anyone to any third parties outside the University unless we have a legal obligation to do so, or in very specific and limited circumstances; which are listed below.

If you are a person whose personal data is used by the University in order to carry out research, we take the processing of your data particularly seriously. All research at the University involving human participants is subject to extremely rigorous scrutiny and must be sanctioned by the University Research Ethics procedures.

Find out about our research ethics processes:

Research ethics processes

The handling of personal data is controlled by the General Data Protection Regulation (GDPR) and associated legislation. The University is obliged to provide you with the following information which explains in detail how and why we are processing your personal data and explains your legal rights. General information on Data Protection law is available from the Information Commissioner’s Office.


Data Controller: The University of Sheffield, Western Bank, Sheffield S10 2TN

Data Protection Officer: Luke Thompson

Supervisory Authority:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 or 01625 545745


How and why we are processing your personal data and your legal rights


Categories of information 

  • Personal data: eg names, addresses, dates of birth, emergency contacts
  • Educational records: eg entry qualifications, progression and achievements, extra-curricular activities
  • Financial information: bank details, credit card information
  • Health and Disability information
  • CCTV images
  • IP Addresses

Special data

'Special categories of personal data' are defined as information relating to the following:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trades union membership
  • Genetic or biometric data
  • Health Sex life or sexual orientation

The University may use this data, but only in specific and restricted circumstances, and always in accordance with Article 9 of the GDPR.


Sources of information 

  • Provided by data subjects
  • Agents and recruitment consultants
  • Partner institutions
  • Insurance brokers and suppliers
  • Publicly available sources (eg the media)
  • External tracing agents

Purposes of processing 

  • Advertising and promotion of the University, its goods and services
  • Issuing of publications
  • Undertaking research
  • Fundraising
  • Awarding honorary degrees
  • Managing accounts and records
  • Commercial activities
  • Security, prevention and detection of crime
  • Health and Safety
  • Prevent Strategy functions
  • Debt recovery

Legal basis for processing 

The legal basis for processing (including specific General Data Protection Regulation articles):

Managing accounts and records:

  • Article 6(1)b: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract
  • Article 6(1)d: processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Article 6(1)e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Commercial activities:

  • Article 6(1)f: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Advertising and promotion of the University, its goods and services, fundraising:

  • Article 6(1)a: the data subject has given consent to the processing of his or her personal data for one or more specific purpose

Alumni relations, issuing of publications, security, prevention and detection of crime; awarding of honorary degrees:

  • Article 6(1)c: processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6(1)d: processing is necessary to protect the vital interests of the data subject or other natural persons
  • Article 6(1)e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Health and safety:

  • Article 6(1)c: processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6(1)d: processing is necessary to protect the vital interests of the data subject or other natural persons
  • Article 6(1)e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 6(1)f: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Prevent Strategy functions:

Article 6(1)c: processing is necessary for compliance with a legal obligation to which the controller is subject
Article 6(1)e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Research

Research involving living humans:

  • Article 6 (1) e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9 (j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Recipients of data

Research subjects: research sponsors, partner institutions; insurance brokers, agents and suppliers; debt collection agencies; auditors.


Transfers outside the EU

Debt collection agents (Switzerland).


Retention periods

If you are attending an event at the University, or have purchased goods or services from the University, your personal data will be retained only for as long as is required to fulfil those purposes.

Research data will be anonymised at the earliest opportunity, and in all cases in accordance with the information provided to research subjects when their data was collected.


Access rights

You are entitled to a copy of all the information the University holds about you, although you may not be able to receive information which identifies or relates to anybody else. If you would like a copy of your records, please contact the University Data Protection Officer. In order to help us provide you with the information as quickly as possible, it would be very helpful if you could provide us with as much information as possible, particularly if you can specify which sort of information you are interested in. You will be required to provide proof of identity, such as a photograph and a signature.


Portability

You have the right to move your personal data to another data controller: however this right is limited to the following circumstance:

Data which you have provided directly to the University yourself; data which is used in order to fulfil a contract or is in preparation for a contract; the data is automated (ie this right does not apply to paper records).

In order to exercise this right, please contact the University Data Protection Officer.


Erasure (right to be forgotten)

Personal data held solely for the purpose of marketing can be erased. In order to exercise this right, please contact the University Data Protection Officer.


Restriction/Objection

The law gives you the right to object to processing of your personal data carried out by the University and/or to ask the University to restrict processing of your personal data. These are not absolute rights (except for the right to prevent use of your personal data for marketing and fundraising purposes) and apply only in limited circumstances. You can object to your data being used for research or statistical purposes, but not where the research is being carried out in the public interest.

You can also ask the University to restrict any processing of your data if you think the data we hold about you is inaccurate.

The rights of objection and restriction are complicated and each instance will be assessed individually. If you wish to exercise either of these rights, please contact the University Data Protection Officer.


Withdrawal of consent

You have the right to stop any processing which is based solely on your consent: Advertising and promotion of the University, its goods and services, Fundraising. Please contact the University Data Protection Officer, or the appropriate University department (Accommodation and Campus Services, Sport Sheffield etc).


Complaints to ICO

If you feel that the University has not dealt correctly with your personal data you can complain to the Information Commissioner’s Office.


Consequences of not providing data

The University relies on having up to date and correct information. The University will only ask you to provide information for which it has a genuine need.

If you fail to provide any requested information, there is a chance that your University records could be incorrect, or incomplete and this could lead to problems which take time and trouble to sort out, and could result in the University not being able to provide you with the best service.

A global reputation

Sheffield is a research university with a global reputation for excellence. We're a member of the Russell Group: one of the 24 leading UK universities for research and teaching.