Data protection policy statement
The University's policy is to comply with the requirements of the Data Protection Act 1998.
The University will operate procedures in accordance with the Data Protection Act 1998, ie personal data held by the University shall:
- be obtained and processed fairly and lawfully.
- be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.
- be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
- be accurate and, where necessary, kept up to date.
- be held no longer than is necessary for the purpose(s).
- be processed in accordance with the rights of the data subjects under the Act.
- be surrounded by proper security.
- not be transferred outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of the data subject.
The University and all staff and others who process or use any personal information must ensure that they follow these principles at all times.
The University will register as a Data Controller and will notify the Information Commissioner of:
- the personal data being or to be processed.
- the category or categories of data subject to which they relate.
- the purposes for which the data are being or are to be processed.
- the people with whom the University may wish to share the information.
- international transfers of personal data outside the European Economic Area.
Responsibilities for ensuring the University's full compliance with the Act are as follows:
a) the Secretary and Registrar has Executive responsibility for data protection within the University.
b) the Information Governance (IG) team in Governance and Planning Services (GPS) assists in implementing the requirements of the Act as follows:
- advises and supports Faculties/Directorates on all matters relating to compliance with the Act
- disseminates information relating to the Act
- responds to requests, queries and complaints from data subjects
- publishes statements concerning the use of personal data to students, staff, and other stakeholders
- develops, maintains, reviews and publishes policies, procedures and guidance for staff concerning the use of personal data
- provides appropriate training to staff on data protection
- takes part in University staff induction events
- ensures that the University completes the annual notification process for the Information Commissioner's Office
- manages and coordinates the University's response to data security breach incidents involving personal data
- liaises with the Information Commissioner's Office and other relevant external bodies
- coordinates, advises and supports a network of local IG contacts in faculties and directorates.
c) Individual Faculties/Directorates will nominate a representative/Local Contact to:
- act as the key communication link between the GPS IG team and the Faculty or Directorate in terms of disseminating information about Data Protection issues.
- give basic advice to colleagues on Data Protection as it relates to local work practices, and refer queries to the GPS IG team where necessary.
- help to promote awareness of Data Protection within the Faculty or Directorate.
- ensure all local marketing material, surveys, mail-outs etc. include an appropriate data protection statement, offering an opt-out or opt-in facility as required; and that there is a local process in place to record those people who opt out or choose not to opt in, so that the University complies with the DPA.
- notify the GPS IG team immediately of any data subject access request (SAR) or query submitted to their Faculty or Directorate.
- co-ordinate the searches for personal data in the Faculty or Directorate in the event of a SAR being submitted to the University.
- inform the GPS IG team in advance of any planned changes in data processing which may require alteration of the University's Notification lodged with the Information Commissioner; and review the register entry annually in respect of the Faculty or Directorate's activities.
- work with the Information Governance Officer where required to manage and investigate any security breach incidents and to implement recommended action plans.
d) All staff and students have a responsibility to comply fully with the requirements of the Data Protection Act.
Sheffield Hallam University's Data Protection Policy (PDF, 556KB) states the University's commitment to comply with the Data Protection Act 1998.