Privacy Notice for Events
Introduction
The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (and, where applicable, EU GDPR) govern the way that organisations use personal data. Personal data is information relating to an identifiable living individual.
Transparency is a key element of data protection legislation, and this Privacy Notice is designed to inform you:
- how and why the University uses your personal data,
- what your rights are in relation to the use of your personal data, and,
- how to contact us so that you can exercise those rights.
We keep our privacy policy under regular review. Any changes we make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email or post.
Please check back frequently to see any updates or changes to our privacy policy.
Data Subject Rights
One of the aims of the General Data Protection Regulation (GDPR) is to empower individuals and give them control over their personal data.
The GDPR gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
For more information about these rights please see https://www.shu.ac.uk/about-this-website/privacy-policy/data-subject-rights and the Contact Us section at the end of this Privacy Notice.
Why are we processing your personal data?
- Respond to enquiries from potential clients (Legal Basis-Consent) such as responding to requests for information about our services. It is in the University's legitimate interests to provide you with further information which we believe is relevant to your enquiry or our services. You will have the opportunity to manage your preferences which includes the right to object to this processing and unsubscribe from further communications at any time. In these cases, the University will respond promptly to any such request.
- It is necessary for the University to process your personal data in order to enter into a contract with you and fulfil that contract. (Legal Basis-Contract) To manage and assess enquiries, issue proposals, and prepare for your event, to process payments from you or made on your behalf and to identify you and manage access to our facilities and services.
- Registration for events (Legal Basis-Contract)- Data collected by the University directly from individuals or collected by the client and shared with us to enable us to register you for our events. Where you provide special categories of personal data/sensitive personal data, e.g., access requirements/disability/reasonable adjustments, we process this data based on your explicit consent. You will need to provide this information each time you register for an event. It is in the University's legitimate interests to provide you with further information which we believe is relevant to your registration.
- Subscription Services (Legal Basis-Consent) Any information you supply, is used only to deliver messages based on our services you choose to the email address or phone number you specify. You may unsubscribe at any time. In these cases, the University will respond promptly to any such request.
- Sheffield Hallam University, Conference, Meetings and Events/The Events Team Marketing (Legal Basis-Legitimate Business Interests). We will also use your data to contact you about our products and offers. If you have contacted us in relation to an event you will be able to opt out from receiving future communications from us. Individuals contacting us from a personal, non-business, email address e.g., Gmail, will be required to opt in to these communications.
- Managing the event (Legal Basis-Contract). Data supplied to us will be used at the event for registration including name badges, managing workshop selections and special requirements supplied to us. Special category personal data (e.g., in relation to access or dietary requirements) will be processed with your explicit consent. On occasion we may be asked to provide attendee lists to other delegates or sponsors, this may include your contact information, this would only be done with your explicit consent through the registration process.
- To maintain the appropriate physical, electronic and organisational security measures of the University (Legal Basis-Legitimate Interest) The University collects data through our CCTV which has signage in place to indicate areas that have CCTV in place. This is done to ensure the safety of our staff, students, visitors, and the wider community. We may also collect your data when you are asked to sign in at certain locations on campus.
- Photography and filming (Legitimate Interest) – Photographs or film may be taken at events for marketing purposes, in printed or digital programmes or publicity material. If taking group photographs or film at an event, we will ensure prominent signage is displayed at registration points and in buildings where it is taking place. Where possible (when photography/film is confirmed in advance) attendees will be notified via the event registration forms. Photographers/videographers will alert people in the foreground of any shots who are within earshot and give them the opportunity to move should they wish. The photographer/videographer will seek verbal permission from anyone in close up shots. Attendees that do not want to be included in photographs or film will be asked to notify the event organisers.
- Recorded sessions (Consent) - Speakers may be recorded delivering their talk, this will only be done with their explicit consent.
Which Personal Data do we Collect and Use?
In order to provide our services, we need to collect and use your personal data. Below is a list of what this may include:
* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the UK GDPR and as such is subject to a greater level of control and protection.
^ Denotes information which you provide on a voluntary basis or where you are given the option of “prefer not to say” or "information refused".
Clients booking an event with us
- Name
- Address
- Telephone number
- Email address
- Photograph(s) ^
- Membership or affiliation^
- Employer or organisation information
- Payment information*
Delegates attending an event at Sheffield Hallam University or organised by the University
- Name(s)
- Address(es)
- Telephone number(s)
- Email address(es)
- Nationality ^
- Ethnicity *^
- Disability or access requirements *^
- Dietary requirements*^
- Photograph(s)
- Membership or affiliation (relevant to the event)^
- Employer information^
- Payment information where required*
- Workshop or topic preferences
Sources
We receive personal information from clients when enquiring about holding an event with us, via email, web-form, telephone or in person. If Sheffield Hallam Events Team is managing an event, we will collect delegate data during the registration process specific to that event directly from the registrant e.g., Eventbrite, google forms or an online event registration site.
Who do we share your data with?
You should be aware that to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Sheffield Hallam University. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. The University NEVER sells personal data to third parties.
Your data may be shared with:
University staff who need the information for administrative purposes.
- Contractors and suppliers where the University uses external services or has outsourced work which involves the use of personal data on our behalf, e.g. IT services and support, external venues and hotels, and registration products e.g. Eventbrite. The University will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the GDPR and other applicable legislation. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as 'adequate' by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
- Clients Where we are organising an event on behalf of an external client, and we are collecting data on their behalf as their data processor Sheffield Hallam University will act on their instructions and will provide data to the client as part of our contract with them. The Client is the Data Controller, and it is their responsibility to ensure UK GDPR compliance. Data collected by Sheffield Hallam University will be subject to this privacy statement until it is transferred to the client.
- Delegates We may share delegate information with other delegates (e.g., attendee lists including contact information), this is subject to receiving permission as stated in the Why are we processing your data section.
- Speakers and Exhibitors Your data, biographies, photographs, submitted papers or abstracts (your intellectual property) and company/organisation information provided to us will be shared with delegates attending an event electronically and in hard copy format and may be published online. Recordings taken at the event may also be shared online with your consent.
Security
The University takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention tools on the University network and segregation of different types of devices; the use of tools on University computers to detect and remove malicious software and regular assessment of the technical security of University systems. University staff monitor systems and respond to suspicious activity.
Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining the University and existing staff have training and expert advice available if needed.
Retention
- Data collected from delegates attending an event will be kept for 2 years.
- Information related to financial transactions will be retained for 7 years for tax and audit purposes.
- Sensitive personal data collected will be deleted 6 months after the event, this allows us to deal with any issues that may arise during an event.
- If you enquire about booking an event with us, you will be kept informed about our services. You will remain on this list until you inform us otherwise. You can request to be removed from this list at any time. Occasionally we may check your information is still current.
- If you have signed up to receive emails or marketing information from us, you will remain on this list until you inform us otherwise. You can request to be removed from this list at any time. Occasionally we may check your information is still current.
- If you unsubscribe from receiving communications from The Events Team/Conferences, Meetings and Events, we will be required to keep limited information about you: Your name, contact details and the fact that you do not want to be contacted to enable us to ensure you don’t receive future communications from us.
Contact Us
You should contact the University’s Data Protection Officer
- If you would like to request copies of your personal data held by the University (a subject access request) or To exercise your other data subject rights (e.g., to have inaccurate data rectified, to restrict or object to processing) you have a query about how your data is used by the University
- you have a query about how your data is retained by the University
- you would like to report a data security breach (e.g., if you think your personal data has been lost or disclosed inappropriately)
- you would like to complain about how the University has used your personal data
Data Protection Officer
Governance, Legal and Sector Regulation
City Campus
Howard Street
Sheffield
S1 1WB
DPO@shu.ac.uk
Telephone: 0114 225 5555
You should contact the Events Team if:
- you have a query about how your data is used by The Events Team
The Events Team
Sheffield Hallam University
City Campus
Howard Street
Sheffield
S1 1WB
Eventservices@shu.ac.uk
Telephone: 0114 225 5340
Further Information and Support
Please see more information about how the University uses personal data here
The Information Commissioner is the regulator for GDPR. The Information Commissioner's Office (ICO) has a website with information and guidance for members of the public:
https://ico.org.uk/for-the-public/
The Information Commissioner's Office operates a telephone helpline, live chat facility and email enquiry service. You can also report concerns online. For more information please see the Contact Us page of their website:
https://ico.org.uk/global/contact-us/