Privacy notice: prospective, current and former student data

The University needs to hold and process personal data relating to its students in order to keep proper records, provide support and guidance to students and monitor academic progress. We hold financial, sponsorship and fees data so that we can invoice students correctly and record payments; information on health and disability so that we can properly support students; academic information so we can track progress and provide appropriate learning and teaching support and opportunities; and many other categories of information – which are listed below – in order to both run the business and activities of the University, to help and support students and in order to fulfil our legal obligations.

In addition, the University needs to hold and process personal data relating to those seeking to become students (prospective students and applicants), in order to support and guide prospective students, assess academic suitability for admission, and facilitate the admission process, including assessing fee status and, for International students, arranging the CAS number used in visa applications. We also hold data on prospective students' socio-economic and family background to support the University's mission to widen access to higher education and responsibilities relating to the Office for Students.

The University takes the security and integrity of all the personal data it holds very seriously. We have an Information Security Policy and all staff are trained in Data Protection. We believe our systems are secure. We do not release information about students to any third parties outside the University unless we have a legal obligation to do so, or in very specific and limited circumstances; which are listed below. We do not release information about students to family members or fee payers without the consent of the individual student, except in very serious emergency situations.

The handling of personal data is controlled by the General Data Protection Regulation (GDPR) and associated legislation. The University is obliged to provide you with the following information which explains in detail how and why we are processing your personal data and explains your legal rights. General information on Data Protection law is available from the Information Commissioner's Office.

Data Controller: The University of Sheffield, Western Bank, Sheffield S10

Data Protection Officer: Anne Cutler

Supervisory Authority:

The Information Commissioner
Wycliffe House
Water Lane
Telephone: 0303 123 1113 or 01625 545745

How and why we are processing your personal data and your legal rights

Categories of information

Please see:

Categories for students (Google Drive)

Special data

'Special categories of personal data' are defined as information relating to the following:

  • Racial or ethnic origin
  • Sex life or sexual orientation
  • Genetic or biometric data
  • Health (or health conditions/disability)
  • Political opinions
  • Voter registration
  • Religious or philosophical beliefs
  • Trades union membership

The University may use this data, but only in specific and restricted circumstances, and always in accordance with Article 9 of the GDPR.

Sources of information

  • Provided by students
  • UCAS
  • Agents and recruitment consultants
  • Partner institutions (including USIC)
  • University appointed insurers and brokers
  • Financial Sponsors
  • Research Councils

Purposes of processing

Please see:

Purposes of processing (Google Drive)

Legal basis for processing

For information about the legal basis for processing (including specific General Data Protection Regulation articles) please see:

Legal basis for processing (view on Google Drive)

Transfers outside the EU

The University does not as a rule transfer student data outside the European Union.

The exceptions to this is a) in relation to those students who are studying at other institutions, either for all or part of their studies. In order to properly administer these studies and provide appropriate support, the University will share personal data with partner institutions. The legal basis for these transfers is contained within clause 6(1)b and c(1)f of the General Data Protection Regulation; and b) sharing of information with overseas agents, sponsors and embassies (Article 61.(a)); and c)

Retention periods

The University needs to be able to confirm who has been a student: whether they have successfully completed their studies or not, and needs to be able to do this for all previous years. Therefore certain information about former students will be retained permanently. Detailed personal data relating to students will be retained for six years after the completion of studies.

Access rights

You are entitled to a copy of all the information the University holds about you, although you may not be able to receive information which identifies or relates to anybody else. If you would like a copy of your records, please contact the University Data Protection Officer.

In order to help us provide you with the information as quickly as possible, it would be very helpful if you could provide us with as much information as possible, particularly if you can specify which sort of information you are interested in. You will be required to provide proof of identity, such as a photograph and a signature.


You have the right to move your personal data to another data controller. However, this right is limited to the following circumstance:

  • data which you have provided directly to the University yourself
  • data which is used in order to fulfil a contract or is in preparation for a contract
  • the data is automated (ie this right does not apply to paper records).

In order to exercise this right, please contact the University Data Protection Officer.

Erasure (right to be forgotten)

The rights of erasure (the right to be forgotten) does not apply to student data held by the University for most purposes. However, any personal data held solely for the purpose of marketing can be erased.

In order to exercise this right, please contact the University Data Protection Officer.


The law gives you the right to object to processing of your personal data carried out by the University and/or to ask the University to restrict processing of your personal data. These are not absolute rights (except for the right to prevent use of your personal data for marketing and fundraising purposes) and apply only in limited circumstances. You can object to your data being used for research or statistical purposes, but not where the research is being carried out in the public interest.

You can also ask the University to restrict any processing of your data if you think the data we hold about you is inaccurate.

The rights of objection and restriction are complicated and each instance will be assessed individually.

If you wish to exercise either of these rights, please contact the University Data Protection Officer.

Withdrawal of consent

You have the right to stop any processing which is based solely on your consent:

  • advertising and promotion of the University, its goods and services
  • fundraising (this does not include information relating to applications which will include information about your prospective department, opportunities to visit and scholarships).

Please contact the University Data Protection Officer, or the appropriate University department (Accommodation and Campus Services, Sport Sheffield, etc)

Complaints to ICO

If you feel that the University has not dealt correctly with your personal data you can complain to the Information Commissioner's Office.

Consequences of not providing data

The University relies on having up to date and correct information about its students. Students have a responsibility to inform the University if we are holding incorrect information, and giving us a chance to put things right. The University will only ask you to provide information for which it has a genuine need. If you fail to provide any requested information, there is a chance that your University records could be incorrect, or incomplete and this could lead to problems which take time and trouble to sort out.