Privacy notice: prospective, current and former student data

The University needs to hold and process personal data relating to its students in order to keep proper records, provide support and guidance to students and monitor academic progress.


Part 1: Generic Privacy Notice Information  

The University of Sheffield has a responsibility under data protection legislation to provide individuals with information about how we process their personal data.

We do this in a number of ways, one of which is the publication of privacy notices. Organisations variously call them a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform

  • Why we collect your data
  • How it will be used
  • Who it will be shared with

We will also explain what rights you have to control how we use your information and how to inform us about your wishes. the University of Sheffield will make the Privacy Notice available via the website and at the point we request personal data.

Our privacy notices comprise of two parts – a generic part (ie common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.

Data Controller 

The Data Controller is the University of Sheffield. If you would like more information about how the University uses your personal data, please see the University’s Data Protection page or contact Data Protection Department:

The Data Protection Department also coordinates responses to individuals asserting their rights under the legislation. Please contact the Department in the first instance.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:

Your rights in relation to your data

Privacy notices and/or consent

You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent.

Where you do not have a choice (for example, where we have a legal obligation to process the personal data), in both instances we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.

Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time.

Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.

Accessing your personal data

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s subject access page found here.

Right to rectification

If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data. Once we have determined what we are going to do, we will contact you to let you know.

Right to erasure

You can ask us to erase your personal data in any of the following circumstances: 

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • The personal data have to be erased for compliance with a legal obligation
  • The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites)

Once we have determined whether we will erase the personal data, we will contact you to
let you know.

Right to restriction of processing

You can ask us to restrict the processing of your personal data in the following

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.


The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University’s retention schedule found here.

Making a complaint

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO).

The ICO can be contacted at:

Part 2: Tailored Privacy Notice for students

Students: Type(s) of personal data collected and held by the University and method of collection

Personal data are normally initially provided to the University by a prospective student on a UCAS or Postgraduate application form.

For successful applicants, the University will add further data at registration and then during the course of the student’s education in line with the business purposes specified in its data protection notification.

After graduation/termination of studies, some data are passed to the Alumni function for approved purposes and then the records are retained and disposed of in line with the University’s Records Retention Schedule.

The personal data of unsuccessful applicants are also retained and disposed of in line with the University’s Records Retention Schedule.

The University holds special category data (eg, ethnicity, physical or mental health or disability) for the provision of student support services to individuals and for equal opportunities monitoring and statutory reporting.

Information on a student's health or disability may be required prior to admission to certain programmes of study, for purposes linked with academic progress and examinations, and in relation to the provision of accommodation.

Information on a student’s health may also be required by the University when a student undertakes fieldwork, such as for health and safety or insurance purposes.

Students: Lawful basis

The University processes your data prior to, during and for a period after a programme of study under a number of lawful bases, found in Article 6 of the General Data Protection Regulations, these bases are stated below:

  • You have given consent to the processing of your personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which you are the party or in order to take steps at your request prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which the University is subject
  • Processing is necessary in order to protect your vital interests or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University
  • Processing is necessary for the purposes of the legitimate interests pursued by the University or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms

Students: How personal data is processed

  • Administering study, such as recording of achievements, determination of award and monitoring of attendance
  • Providing student support services, such as counselling or careers advice or services for students with disabilities
  • Providing facilities, such as the IT service and Library service
  • Contacting students electronically, to forward high priority or emergency information
  • Administering finance, such as payment of fees
  • Administering tenancies of University-owned properties
  • Monitoring equal opportunities
  • Preventing and detecting crime, such as using CCTV or attaching photos to ID cards
  • Maintaining contact with alumni and past employees
  • Fundraising and marketing
  • Processing student academic appeals and student discipline cases including the voice recording of meetings in relation to these where consent is given
  • Direct mailing of or about:
    • student benefits and opportunities offered by or through the University
    • University activities and events organised for students
  • Personal data released to professional and industrial bodies wishing to communicate with students about career opportunities and membership of their body

The University routinely logs information about use of IT facilities for statistical purposes, to ensure effective systems operations and to ensure legal compliance relating to software usage.

The University may also monitor electronic communications to ensure that they are being used in accordance with the University’s Policies.

This information may also be used to allow the University to protect its staff and students from risk or any likelihood of risk.

An example would be, the University of Sheffield using location data, when you have logged on to the University’s WiFi, to inform you if you have been in contact with an individual who has been tested positive or confirmed they have Covid19.

Students: Who the University shares data with

The University may need to disclose students’ personal data to organisations contracted to work on its behalf, which could include its insurers or legal consultants.

The University may also disclose data to auditors undertaking investigations, selected individuals acting on behalf of the University such as alumni organising alumni events, external organisations undertaking market research or academic researchers provided no personal data is published. Where we share data for academic research purposes, we will only do this where ethical approval has been granted and we will act in compliance with data protection law.

During the course of student support, data may be shared with external agencies, for example for medical or counselling support. Students will be asked for consent to share any data with an external agency if the purpose is to secure non-urgent but specialist student support.

If there is an urgent need for specialist medical help, the University will seek consent to share any data, but where consent cannot or will not be given it might act without consent.

The University may, in order to protect the vital interests of the student or another person, contact third parties, such as medical professionals or emergency contact, concerning the health of a student when it believes it is reasonable and/or in the best interests of the student to do so.

The University will attempt to gain the prior consent from the student to do so but where consent cannot or will not be given it might act without consent.

The University will share your information where legally obliged to, for example with law enforcement agencies, and may not be able to inform you of the sharing, for example where this may compromise any investigation.

The University is legally obliged to provide student personal data to Council Tax Registration Officers and, where applicable, to the UK Visas and Immigration (UKVI).

The University has a statutory requirement to disclose student personal data to the following and/or their nominees/successors:

  • Office for Students (OfS)
  • The Higher Education Statistics Agency (HESA)
  • The Learning and Skills Council; the Quality Assurance Agency
  • The Department for Innovation, Universities and Skills
  • The European Audit Commission
  • Local authorities
  • The Student Loans Company
  • Electoral Registration Officers

Further information about disclosures to HESA

The University will send some of the information it holds about its students to the Higher Education Statistics Agency (HESA).

Statutory functions

The HESA record is used by the organisations listed below, or agents acting on their behalf,
to carry out their public functions connected with education in the UK:

  • Department for Business, Energy and Industrial Strategy
  • Welsh Assembly Government
  • Scottish Government
  • Department for the Economy, HE Division
  • Office for Students
  • Higher Education Funding Council for Wales
  • Scottish Further and Higher Education Funding Council
    • National College for Teaching and Leadership
    • Health and Care Professions Council
  • United Kingdom Research and Innovation and associated Research Councils

The HESA record may also be used by the Office for National Statistics and the National Audit Office to fulfil their statutory functions of measuring population levels and monitoring public expenditure.

Equivalent and lower qualifications – the University and the Higher Education Funding Council for England may compare student data to educational records from previous years to help determine the levels of current qualifications.

This may, in turn, affect the fees required to pay by students.

A student’s HESA record will not otherwise be used in any way that affects them personally.

Student contact details may be passed to survey contractors to carry out the National Student Survey and surveys of student finances on behalf of the education organisations listed above. These organisations and their contractors will use student contact details only for that purpose and will then delete them.

Towards the end of a student’s course of study, the University will pass the student’s contact details to the organisation contracted to carry out the National Student Survey.

HESA publications

HESA use the HESA record to produce anonymised data in annual statistical publications.

These include some National Statistics publications and online management information services.

Research, equal opportunity, journalism, other legitimate interest/public function

HESA will also supply anonymised data to third parties for the following purposes:

  • Equal opportunities monitoring – the HESA record may contain details of ethnic group and any disabilities. This data is only used where it is needed to promote or maintain equality of opportunity or treatment between persons of different racial or ethnic origins, religious beliefs or different states of physical or mental conditions
  • Research – this may be academic research, commercial research or other statistical research into education where this is of benefit to the public interest
  • Journalism – where the relevant publications would be in the public interest eg league tables

Anonymised data for the above purposes is supplied by HESA to the following types of user:

  • Local, regional and national government bodies who have an interest in higher education
  • Higher education sector bodies
  • Higher education institutions
  • Academic researchers and students
  • Commercial organisations (eg, recruitment firms, housing providers, graduate employers)
  • Unions
  • Non-governmental organisations and charities
  • Journalists

The HESA Student Collection Notice is reviewed annually and any amendments to the current version will be available on the HESA website, along with links to earlier versions.

HESA will take precautions to ensure that individuals are not identified from the anonymised data which they process.

Under the GDPR, students have the right to a copy of the information HESA holds about them. Please make requests directly to HESA by emailing

A student who has concerns about their information being used for the purposes outlined above or in the Collections Notice should contact HESA directly.

Students on Initial Teacher Training (ITT) Courses at Institutions in England

HESA will pass the records of students on an ITT course at an institution in England to the National College for Teaching and Leadership (NCTL).

The NCTL is a data controller under GDPR. The NCTL will process personal data in order to fulfil its remit and its statutory obligations, including the administration of provisional registration.

Except where there is a legal obligation, the NCTL will not share data with any third party, except those fulfilling a service on their behalf and under their expressed instructions.

Student and Leaver Surveys

After you graduate you may be contacted and asked to complete one or more surveys into the outcomes of higher education and your activities after graduation. These surveys are used to create statistics to meet the public interest in the outcomes of higher education.

Information from third parties (such a parent, or the University if you’re in further study) might be used to complete sections of the surveys if you can’t be contacted. The surveys may be undertaken by the University or by an organisation contracted for that purpose.

The University will hold your contact details after you graduate in order for you to be contacted to complete a graduate outcomes survey.

Your contact details may be passed to HESA and/or an organisation contracted to undertake a graduate outcomes survey. The survey contractor will only use your contact details for the survey and will delete them when the survey is closed.

HESA may hold your contact details for further graduate outcomes surveys where these are in the public interest.

Your responses to the survey of graduate outcomes will be made available to the University, and we may choose to add additional questions to the survey for our own use.

Further privacy and data protection information will be provided if you are contacted for any of these surveys.

You might also be contacted as part of an audit to check that the survey has been undertaken properly.

Legal basis for processing your information to conduct national surveys

Processing of your information to conduct the student and graduate surveys is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).

National Student Survey

Ipsos MORI - The University transfers contact details of final year students to the administrators of the National Student Survey, an independent market research agency named Ipsos MORI, who act on behalf of the Office for Students.

Prior to transfer the University contacts final year students about the survey and gives the opportunity to opt-out of participation.

Ipsos MORI do not disclose information to anyone else and destroy it as soon as it is no longer required for the purpose of administering the survey. Individual responses to the survey remain anonymous throughout.

For more information please see the Privacy Statement of Ipsos MORI.

Published Personal Data

A student’s name and email address will appear in the University's Global email system.

This is only available to users of the email system and is not publicly available.


Where a student’s funding organisation requests progress reports, the University will normally comply.

Any queries about the provision of such reports should be addressed to the funding organisation.

Fraud and Plagiarism, Disciplinary Procedures and Academic Appeals

The University may process a student’s personal data for the purpose of the prevention and detection of fraud, particularly plagiarism (this may involve disclosure to third parties, eg in the use of plagiarism detection software).

It may also process a student’s personal data in the course of disciplinary procedures or academic appeals (this may involve disclosure to third parties, eg to seek legal advice).

Study, Employment and Placements at another Organisation

Where a student’s course of study at the University requires study, employment or a placement at another organisation it will be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad.

Students should be aware that some countries outside of the EEA have lower standards for the protection of personal data that those within the EEA.

Accreditation and Professional Bodies

The University of Sheffield will provide information to the following for the purpose of accreditation and
membership of the professional bodies.

  • Chartered Institute of Logistics and Transport (CILT)
  • Chartered Institute of Personnel and Development (CIPD)
  • Chartered Institute of Management Accountants (CIMA)
  • Chartered Institute of Marketing (CIM)
  • Institute of Chartered Accountants in England and Wales (ICAEW)
  • Association of MBAs (AMBA)
  • Association to Advance Collegiate Schools of Business (AACSB)

Collaborative Programmes

Where the University of Sheffield manages admissions procedures it will provide partners with details of the students attending courses. Where required, the University of Sheffield will provide progress reports to partners or other relevant bodies.

Where a student chooses to make use of the University’s complaints and academic appeals processes, the University will process personal data necessary for the purpose of administering the case and then retain such records in line with its University Records Retention Schedule.

Visual Images

Each student is required to provide a digital image of themselves for reproduction on their University campus card, which will be used for the purpose of identification. The digital image may also be:

  • Attached to electronic student records that can be viewed by any member of University staff
  • Attached to hard copy student personal records that are stored securely and accessible only to those members of staff who require access

The University may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material. Students may appear on the resulting images, and the resulting images may be published.

Sheffield Students Union

Sheffield Students Union (SSU) is a separate legal entity from the University of Sheffield and therefore a separate data controller.

The University shares student personal data with SSU in order for the Union to administer membership of SSU and its clubs and societies, to communicate with members, to hold elections of officers, to ensure the safety and security of members (including identification of individual members), to provide welfare services, to market services provided directly by SSU and to analyse SSU service provision and membership needs.

Disclosure and Barring Service (DBS)

The University is required to obtain information about past criminal convictions prior to offering a place on some of its programmes and as a condition of employment for certain posts. The University also undertakes DBS checks on those students who work with young and/or vulnerable people.

Students: How long personal data is held by the University

Personal data is kept, deleted or archived in accordance with the University Records Retention Schedule, which can be found here.

Students: Use of cookies

A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie.

Cookies allow websites to remember user preferences, choices and selections. the University of Sheffield also make use of the Google Analytics service to understand how you navigate around our site.

the University of Sheffield do not use cookies to collect personal information about you.

For more information about the use of cookies on the University of Sheffield’s website, please see our Cookies Policy.

Students: Changes to this privacy notice

We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.

Students: Further Information

If you have any questions which you feel have not been covered by this Privacy Notice,
please contact us:

Students: Complaints

If you feel that the University has not dealt correctly with your personal data you can complain to the Information Commissioner's Office.

A global reputation

Sheffield is a research university with a global reputation for excellence. We're a member of the Russell Group: one of the 24 leading UK universities for research and teaching.