Guidelines for staff dealing with personal data

Anyone who deals with Personal Information is required to handle that information confidentially and sensitively. All personal information, whether held on computer or in hard copy, CCTV, audio or video recordings or email, is subject to the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

What is meant by personal data?

Personal data is defined as any information relating to a living, identifiable individual. The University holds the data of a great many categories of people: past and present students and members of staff; potential students and job applicants; visitors; people who are studied as part of a research project; the list could go on. We need to ensure that information relating to all these people is treated correctly and with the appropriate degree of confidentiality. Please note that the definition of personal data includes information such as email addresses and full post-codes: if you are unsure whether particular information falls within the definition of personal data, please consult the University’s Data Protection Officer.

Some personal data needs to be handled with special care: details of ethnicity; religion; disability or health issues; political beliefs, are all examples of what GDPR describes as Special Data. Special Data is subject to special legal constraints, which will be described later.

The University and the GDPR

The GDPR includes measures to ensure that information is processed fairly and seeks to protect individuals' rights to confidentiality. Confidentiality of personal data will be maintained by not releasing information, except under particular circumstances, to third parties without the express consent of the data subject. These guidelines describe University policy and good practice and should help all staff stay within the law when dealing with personal information of any sort.

Collecting information

Individuals should be provided with sufficient information so that they understand why their data is being processed. Some processing will not be possible to perform without the consent of the individual data subject. Processing may only be carried out for the purpose for which it was originally collected: this means that 'fishing expeditions' for information, or collecting extraneous information 'just in case' is no longer permitted. For example, an admissions tutor may not ask a potential student if they have brothers or sisters of school age, and then send invitations to visit the University to the family address. This would break the law by using information (the family address) for a purpose other than that for which it was originally collected (to contact the original applicant to the University).

Consent

If no other legal condition applies to a particular purpose, then it is necessary to obtain the data subjects consent before processing can begin. This is most likely to apply in circumstances like marketing or fundraising (this is not likely to be an issue for administrative functions relating to staff or student information). In order for consent to be legitimate the GDPR sets stringent conditions: consent must be freely given, unambiguous and not incentivised. It must be a positive action; ie it cannot be inferred from failure to respond or from a failure to ‘opt-out’. Withdrawal of consent (at any stage of the processing) must be easy and simple to provide.

Telephone conversations and meetings

If personal information is collected by telephone, callers should be advised what that information will be used for and what their rights are according to the GDPR.

Personal/confidential information should preferably not be discussed in an open Reception area. Wherever possible, callers should be escorted to a private interview room or office and not be permitted to wander about an office on their own. If possible, visitors should subsequently be escorted out of the office when the meeting is over. All staff should be aware of the difficulties of ensuring confidentiality in an open plan area and respect the confidential nature of any information inadvertently overheard. Any notes taken during or after an interview should be relevant and appropriate. It is recommended that such notes are subsequently filed in a legible and coherent manner and that informal notes are retained for a short period, in a secure place before being placed in confidential waste. Please note that any personal data, including informal notes are potentially accessible to the Data Subject.

Personal files

It is part of our legal responsibility to retain material only for as long as it has a legitimate function. It is no longer permissible to hold on to information in case it is needed for unforeseen purposes in future, or to retain multiple copies of the same information.

Local records should be retained for no longer than six years following the end of the relationship between the University and the student. For further information regarding record retention and disposal please contact records@sheffield.ac.uk.

Special personal data

Sensitive information is defined by the GDPR as that relating to: ethnicity; political opinions; religious or philosophical beliefs; trade union membership or non-membership; physical or mental health; sex life; genetic data or biometric data. The data subject must give express consent to the processing of such data, except in genuine emergencies. Information required to monitor equal opportunities or socio-economic trends is already collected, under stringent conditions, by the relevant departments in the central administration. It is unlikely that other departments need to undertake similar exercises (if departments think they need to collect any of these details, they should first contact the University Data Protection Officer.

Special arrangements on health/disability grounds

If special arrangements are required to assist an individual with a disability or health issue then it is important that relevant information is shared with appropriate colleagues so that proper adjustments can be made. Information relating to health or condition should not be released to anyone unless they need it for University business.

Medical notes

Departments obviously need to be informed when staff or students are unable to attend the University on health grounds, or otherwise affected by ill-health. Great care needs to be taken when dealing with medical notes. This type of information should only be dealt with on a 'need to know' basis, and this may, for example, result in such matters being dealt with by a sub-section of an examination board or other group rather than the full membership. Any correspondence or documentation relating to health issues should only be posted under confidential cover, and details of illness should not as a rule be discussed over the telephone or via email. Medical notes should not be left lying around on desks, or placed in pigeon holes except under confidential cover. Care must be taken when transmitting this, or any other sensitive material by email. Please take every precaution to ensure that the recipient’s address is correct. Consider whether email is the correct medium for extremely sensitive information.

The use of fax machines to transmit personal information is not recommended.

Examination/assessment results

The provision of assessment results by academic departments is dealt with in detail in the documentation issued annually by the Taught Programmes Office. Departments should take every care that strict confidentiality and secure office practices are followed while papers are being marked and while results are being compiled. Please bear in mind that examination scripts and marks are personal data as defined in the GDPR and therefore students have the right of access to them. GDPR prevents the University from withholding marks or results pending the payment of outstanding fees, or the return of library books. Permissible sanctions in cases of student debts include withholding awards or permission to re-register.

Departmental noticeboards/web pages

It is the practice in many departments, and in halls of residence, for noticeboards to include photographs of all the members of that department, or the staff and residents of a hall of residence. Many departments also include photographs of staff members on their departmental web pages, along with biographical information. It is strongly recommended that individuals are informed when this is planned: it is within the rights of any individual to refuse to have his or her photograph or personal information included on noticeboards or websites, even when access is limited to within the University. In order that the University is able to carry out its legitimate business, it is permissible to publish lists of staff with their responsibilities and contact details within the University; however it is not advisable to publish specific location information such as room numbers.

References

References are the personal data of both the referee and the subject of the reference. Therefore they could be released to either party as a result of a Subject Access Request. References should be factually accurate and fair.

Release of information

Non-sensitive personal information can be passed between departments and between individual members of staff in order for them to carry out the business of the University.

Utmost care must be taken with more sensitive information, such as details of disciplinary cases, promotion cases etc., where information should only be provided on a 'need to know' basis. Information can only be passed to third parties outside the University with the express permission of the data subject (for specific exemptions, see the sections on Statutory Bodies and Data Processors below). For example, addresses (including email addresses) or telephone numbers must not be released to any third parties, even if they claim to be close friends or family members. In emergencies, staff can contact the student or member of staff themselves, and pass on messages. If the request comes from the police, immigration service, inland revenue or similar official body, the enquirer should be referred to Student Services or Human Resources, as appropriate.

Please note: Information on students, or groups of students must not be released to other students, as it may be a breach of confidentiality and of the General Data Protection Regulation (GDPR).

Professional accreditation

It has been the practice in many departments to provide lists of final degree results to professional bodies to assist them in awarding professional accreditation to eligible candidates. We have been advised by the Office of the Information Commissioner that this practice is now illegal unless each individual listed has given express consent that their details may be passed on. Express consent is defined as a positive response to an enquiry and cannot be inferred by failure to object by a deadline. It is recognised that this will mean a significant change of practice for many departments.

Statutory bodies

The University is obliged to release information on all its students and staff to the Higher Education Statistics Agency. These returns are made by the departments of Corporate Information and Computing Services and Human Resources on behalf of the University. Information is provided on each individual member of staff or student, and is collected and processed by HESA so that educational statistics can be compiled and national trends monitored. The information collected and held by HESA, is of course, subject to the confidentiality conditions of the GDPR.

Information is also provided to such bodies as Research Councils, the Student Loans Company and Local Education Authorities. These reports are dealt with by the appropriate central administrative offices, and academic departments are asked to refer any requests for information from any statutory bodies (eg the police) to Student Services or Human Resources as appropriate.

Data processors

Third parties who carry out any personal data processing on behalf of, or under the instructions of the University are known as Data Processors. It is a legal requirement that an appropriate contract is in place: this contract needs to contain clauses which describe what the Data Processor is allowed to do with the personal data. Advice and guidance on Data Processor contracts is available from the Data Protection Officer.

Alumni records

As we are now obliged to discard material if it no longer meets a legitimate need, information held on past students needs to be edited so that only relevant details are retained. The University is often approached by former students wishing to contact their former colleagues. In these circumstances the usual confidentiality rules apply: personal details may not be passed on to any third party, but the University may agree to pass messages on to the students concerned. The Alumni Office is the central point of contact for all such requests, and all enquirers wishing to contact former students should be referred to it.

Disposal/retention policies

Departments are expected to develop and apply retention and disposal schedules for records they create and hold. The University will be developing guidance on retention and disposal of certain types of records.

For further information please refer to the records management web pages or contact records@sheffield.ac.uk.

Disposal of confidential material

Sensitive material should be placed in confidential waste bins/black bin bags and disposed of as confidential waste by the Estates and Facilities Management department. This would include anything relating to student records, exam matters or staffing matters. Spare copies of exam results listings or any other confidential material should be removed from meeting rooms after Exam Boards, Student Review Committees, Promotion Panels or similar meetings. Particular care should be taken to delete information from computer hard drives if a machine is to be disposed of or passed on to another member of staff.

Staff responsibilities

All staff should be aware of and follow the above guidelines, and seek further guidance where necessary.

Data protection queries

The University's Data Protection Officer acts as the University's liaison with the Information Commissioner’s Office and is the point of contact to whom any queries regarding data protection matters should be addressed. Requests from data subjects to access their own records under the terms of the GDPR should be addressed to:

Ms A Cutler
Data Protection Officer

The University Secretary's Office
Telephone: 0114 222 1117
Email: a.cutler@sheffield.ac.uk

Subject Access Requests should provide sufficient information to identify the relevant personal data, and should be accompanied by a hard copy signature. Further information may be requested to confirm the identity of the requestor.

Student information on the internet

Departments who wish to include personal information about students, including research students, on their departmental web pages need to remember that the internet is a public, international forum. Students may not expect that their information might be made public in this way, whereas the expectations of academic and senior staff might be different. Before their details are published on the internet, students should be informed that this is going to happen, and must be given the opportunity to have their details excluded.

Inclusion of students' personal information on departmental web pages must only be done with the students' express (ie preferably written) consent; please remember that consent can be withdrawn at any time. Personal information is basically anything that can be linked back to a living individual, including names, location, email addresses, etc. The details of any student who does object should be removed from the internet immediately.

Guidance on displaying pass lists

Departments planning to display pass lists, even if they are anonymised by replacing student names with registration or other id numbers, should inform students in advance, and must give students the opportunity to object. If any students do object to their inclusion on publicly displayed pass lists, their details must not be included.

GDPR guidance for marketing and communications staff

Q&A – for staff only (you'll need to be logged into your Muse/staff Google account).

This is a live document and will be updated on an ongoing basis. For any queries please email marketing@sheffield.ac.uk