Privacy and GDPR

Privacy and GDPR

Updated March 2024

Introduction

This Privacy Notice sets out how we use the personal data of website users, enquirers, and visitors collected by phone, email, webforms, live chat, social media, post, and voicemail in line with Data Protection legislation (UK GDPR and Data Protection Act 2018). We have separate Privacy Notices for applicantsstudentsalumnistaffgovernors, and research participants.

The current data protection legislation came into force on 25 May 2018.  This governs the way that organisations use personal data.  Personal data is information relating to an identifiable living individual.

Transparency is a key element of the data protection legislation, and this Privacy Notice is designed to inform you:

  • how and why the University uses your personal data,
  • what your rights are under UK GDPR, and,
  • how to contact us so that you can exercise those rights.

Download our Privacy Notice for External Stakeholders (PDF, 140.8KB)

  

What are the legal conditions/lawful bases for processing?

The legal conditions/lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever the University and other organisations process personal data:

  • (a) Consent: you, the data subject have given clear consent for the University to process your personal data for a specific purpose.
  • (b) Contract: the processing is necessary for a contract that the University has with you, or because you have asked the University to take specific steps before entering into a contract.
  • (c) Legal obligation: the processing is necessary for the University to comply with the law (not including contractual obligations).
  • (d) Vital interests: the processing is necessary to protect someone’s life.
  • (e) Public task: the processing is necessary for the University to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • (f) Legitimate interests: the processing is necessary for the University’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.

Why are we processing your personal data? 

We process your personal data to:

  • Respond to enquiries from potential student applicants (Legal Basis-Consent) such as responding to requests for information about our courses including prospectus requests.  To answer enquiries the University may use a customer relationship management system (CRM). It is in the University's legitimate interests to provide you with further information which we believe is relevant to your enquiry.  You will have the opportunity to manage your preferences which includes the right to object to this processing and unsubscribe from further communications at any time.  The University will respond promptly to any such request. In any case you will be removed from our mailing lists after two years
  • Respond to enquiries from students in the South Yorkshire region hosted by our Uni Connect partnership, HEPPSY who provide impartial advice and guidance as part of outreach activities (Legal Basis-Consent). The University and its HEPPSY Partners will also use this information to evaluate and improve HEPPSY provision and services. (Legal Basis-Legitimate Interests) and with your consent may send a follow-up survey to evaluate the quality of the support given.  More information about the HEPPSY partnership and programme is available here.
  • Registration for events (Legal Basis-Consent). We collect data that you provide to the University to enable us to register you for our events such as Open Days and other University sponsored events.  Where you provide special categories of personal data/sensitive personal data e.g. access requirements/disability/reasonable adjustments, we process this data on the basis of your explicit consent.  It is in the University's legitimate interests to provide you with further information which we believe is relevant to your enquiry.  You will have the opportunity to manage your preferences which includes the right to object to this processing and unsubscribe from further communications at any time. The University will respond promptly to any such request.
  • Subscription Services (Legal Basis-Consent) such as SMS text messages with regular updates.  Any information you supply for this is used only to deliver messages based on the subject you choose, to the email address or phone number you specify.  You may unsubscribe at any time.  The University will respond promptly to any such request. Your data will be retained until you unsubscribe from this service.
  • Registering you to use University online services (Legal Basis-Consent) such as video conference events and access to other online services. Information will only be used to enable you to access the online service you are registered for.  Data will be retained while your registration on the service remains current and will be removed should your registration be removed.  Data you post to an online service will remain after your registration is removed, for example meeting recordings, phots or text.
  • Enable you to enter prize draws. (Legal Basis - Consent) Information on the personal data required to enter and how long we will retain this data will be made available in the terms and conditions for each prize draw.
  • To process orders made through the University's online store (Legal Basis-Necessary for the Performance of a Contract) such as merchandise, events, and conferences.  The University store offers a variety of services which you will need to register for to order goods and services from the University.  You may be asked to supply different types of personal data depending on the goods or services you have requested such as:

You can find more information on the SHUStore Terms and Conditions. Information related to financial transactions will be retained for 7 years for tax and audit purposes.

 

  • To Process payments and direct debits made or set up by you on behalf of students. (Lawful Basis- Necessary for the performance of a contract.) Your payment and contact details will be processed to the administration of the payment. 
  • To process applications for employment (Legal Basis-Necessary for the performance of a contract)- In order to apply for a vacancy within the University, applicants are required to register their details on the e-recruitment portal before they can apply for a job. To process your application you will be required to submit additional personal details. Where we process special categories of personal data/sensitive personal data in relation to your employment application, we do so on the basis of the employment and substantial public interest conditions in Article 9 of the UK GDPR. You will always have the option of responding to the equality monitoring questions with "Prefer not to say". You can find more information about the use and retention of your data on the E-Recruitment Terms and Conditions.
  • Respond to enquiries and concerns raised by you about a Sheffield Hallam University student (Legal Basis – Consent). We  will always obtain your consent before sharing with a student that you have raised a concern, your personal data may be shared within the University to facilitate the investigation of the concerns raised. Please see the University’s Notice to Parents.
  • Respond to other enquiries (e.g. research, consultancy, business services) (Legal basis - consent, necessary for a contract, legitimate interests depending on the nature of your enquiry) - The University will use the data that you provide to respond to your enquiry. To answer enquiries the University may use a customer relationship management system (CRM). It is in the University's legitimate interests to provide you with further information which we believe is relevant to your enquiry. You will have the opportunity to manage your preferences which includes the right to object to this processing and unsubscribe from further communications at any time. In these cases the University will respond promptly to any such request. Retention will depend on the nature of your enquiry.
  • Manage the nomination process for University Chancellor and Board of Governors (Legal basis – consent, public task) – the University will process the personal data of individuals submitting nominations solely for the purpose of managing the nomination process. If you are a nominee, additional personal data may be collected from publicly available sources. 
    The University has a separate Privacy Notice for Governors.
  • Respond to Freedom of Information requests (Legal basis - legal obligation) - in order to make a valid FOI request, you must provide your name and an address /email address for correspondence. These are used for the purpose of managing your request and complying with our legal obligations. Data that you supply and our response to you will be retained for 6 years to fulfil legal obligations.
  • Subscription Services (Legal Basis-Consent) such as SMS text messages with regular updates. Any information you supply for this is used only to deliver messages based on the subject you choose to the email address or phone number you specify. You may unsubscribe at any time. In these cases the University will respond promptly to any such request. Your data will be retained until you unsubscribe from this service.
  • Vital Interests To protect the vital interests of our stakeholders in emergencies/life or death situations/ where we believe that a stakeholder or another individual is at significant risk of harm.

Who do we share your data with?

You should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Sheffield Hallam University. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so.  The University NEVER sells personal data to third parties.

Your data may be shared with:

  • University staff who need the information to process your request, purchase, or application, to make improvements to our service and to maintain the security and systems of our premises.
  • Contractors and suppliers, where the University uses external services or has outsourced work which involves the use of your personal data on our behalf. The University will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the current data protection legislation and other applicable legislation.  Examples of suppliers include WPM who host our Online Store, Global Payments who process payments on behalf of the University, IT services and support, confidential waste disposal, mailing services.  If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as 'adequate' by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
  • Emergency Services, and/or other support organisations called upon in case of an emergency where the disclosure of personal data is considered in the data subject’s vital interests or pertinent to their safety and well-being.
  • Police, and/or other organisations responsible for safeguarding or investigating a crime where a data subject may be involved.
  • Government bodies and departments, in the UK and overseas, responsible for statistical analysis, monitoring and auditing.
  • University insurers, legal advisors and auditors
  • The Information Commissioner's Office to respond to complaints, challenges and audits
  • Students, where the information is required to contact you about a learning opportunity, project or placement, you are providing which forms part of the student’s module or course, or where you have provided consent for the University to share information about concerns you have raised

We may also ask for your consent to use your personal data for other purposes. You will be given additional information for each purpose and have the right to withdraw your consent at any time.

Security

The University takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention tools on the University network and segregation of different types of device; the use of tools on University computers to detect and remove malicious software and regular assessment of the technical security of University systems. University staff monitor systems and respond to suspicious activity. 

Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining the University and existing staff have training and expert advice available if needed.

Data Subject Rights

One of the aims of the Data Protection Legislation is to empower individuals and give them control over their personal data.
UKGDPR gives you the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erase 
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

For more information about these rights please see here and the Contact Us section at the end of this Privacy Notice.

Contact Us

  • If you would like to request copies of your personal data held by the University please see our info about SARs (subject access request).
  • If you would like to exercise your other rights (e.g. to have inaccurate data rectified, to restrict or object to processing) please contact our Data Protection Officer. 

You should also contact the Data Protection Officer if:

  • you have a query about how your data is used by the University
  • you would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately)
  • you would like to complain about how the University has used your personal data

Data Protection Officer
Governance, Legal & Sector Regulation
City Campus
Howard Street
Sheffield
S1 1WB

DPO@shu.ac.uk
Telephone: 0114 225 5555

Further Information and Support

Please see more information about how the University uses personal data here

The Information Commissioner is the regulator for UK GDPR.  The Information Commissioner's Office (ICO) has a website with information and guidance for members of the public:
https://ico.org.uk/for-the-public/

The Information Commissioner's Office operates a telephone helpline, live chat facility and email enquiry service.  You can also report concerns online.  For more information please see the Contact Us page of their website:
https://ico.org.uk/global/contact-us/

Sheffield Hallam University is not responsible for the content of external websites.