v2.2 - Updated 28/02/22
The General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (and, where applicable, EU GDPR) governs the way that organisations use personal data. Personal data is information relating to an identifiable living individual.
Transparency is a key element of the GDPR and this Privacy Notice is designed to inform you:
- how and why the University uses your personal data,
- what your rights are under GDPR, and,
- how to contact us so that you can exercise those rights.
Data Subject Rights
One of the aims of the Data Protection legislation is to empower individuals and give them control over their personal data.
The GDPR gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
For more information about these rights please see here and the Contact Us section at the end of this Privacy Notice.
Why are we processing your personal data?
It is necessary for the University to process your personal data in order to comply with legal obligations
- Recruitment and selection of new members by the Governance and Nominations Committee of the Board
- to contact you in connection with Board business
- for inclusion in minutes of Board and Committee meetings
- for inclusion in the University's annual report and financial statements
- to maintain a Register of Interests containing declarations from each member of the Board and its committees. This includes external co-opted members who are not trustees.
- to provide reports and returns required by funding agencies, government departments, and public bodies
- to monitor and promote equality and diversity within the University in accordance with the Equality Act 2010
- for inclusion in the University's Publication Scheme which is a requirement of the Freedom of Information Act 2000
- for funding bids and contracts which need to satisfy the requirements of the US Patriot Act.
- to ensure that governors have not been disqualified as a charity trustee in accordance with the Charities Act 2006
- to meet the requirements of the Office for Students. This includes upholding the Regulator's public interest governance principles and complying with its conditions of registration and any other requirements of the Regulator and its other regulators.
- to meet the requirements of companies legislation if you are also a director of one of the University's subsidiary undertakings.
It is necessary for the University to process your personal data in order to protect your vital interests or those of another individual
- to protect the vital interests of governors and others, i.e. in emergencies/life or death situations/where we believe that a governor member or another individual is at significant risk of harm
There are also a number of legitimate business purposes for which the University processes your data
- to identify you and manage access to our facilities and services (e.g. SHUCard)
- for the administration, support, monitoring and management of access to University IT Services, including SHU email
- funding bids to UK and international funding bodies
- to fulfill the requirements of the University's banking arrangements
- to create and update Pen Portraits for the University's website and publications
- for the administration of expenses claims
- to publish election results on the staff intranet including the numerical breakdown of the votes cast for each candidate.
We will seek your consent for the following purposes
- to issue parking permits for University car parks
- to share contact details with other members of the Board
- to confirm accommodation, dietary and access requirements for events
- to book training with external organisations
- to circulate a statement to the electorate and production of ballot papers (staff seeking election to the Board)
- to add you to relevant mailing lists for University publications.
- If you withhold or withdraw your consent, you will be unable to access these services and, in the case of staff seeking election to the Board, will be unable to stand for election
Where we process sensitive personal data/special categories of personal data, we will rely on the conditions in Article 9 of the GDPR: explicit consent, vital interests, substantial public interest, occupational medicine, archiving/research.
Which Personal Data do we Collect and Use?
In order to provide our services we need to collect and use your personal data. Below is a list of what this may include:
* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR and as such is subject to a greater level of control and protection.
V Denotes information which you provide on a voluntary basis or where you are given the option of “prefer not to say” or "information refused".
# Denotes information which will be published/available to the public
From your application (external governors and co-opted members of the Board's committees):
- Email address
- Telephone number
- Postal address
- Educational background
- Occupational/employment history
- Public/voluntary appointments
- Charity trustee declaration
- Additional statement in support of your application
From the staff governor election process
- Charity trustee and fit and proper person declarations
- Statement to the electorate
- Ballot details and results including numerical breakdown of the votes cast for each candidate
From your Equality Monitoring Form:
- Date of Birth
- Religion / belief*V
- Gender identity*V
- Sexual Orientation*V
- Highest Qualification
- Reasonable Adjustments/access requirements*V
Additional data collected during your term of office:
- Bank account details
- Car registration number
- Name of partner/spouse
- Dietary requirements
- Additional contact details
- Pen portrait#
- Attendance at meetings
- Reasonable adjustments/access requirements*
Who do we share your data with?
You should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Sheffield Hallam University. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. The University NEVER sells personal data to third parties.
- University staff who need the information for administrative purposes. In the case of candidates for staff governor posts, the statement to the electorate will be shared with all University staff.
- Contractors and suppliers, where the University uses external services or has outsourced work which involves the use of governors' personal data on our behalf. The University will ensure that appropriate contracts, terms and conditions and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the GDPR and other applicable legislation. Examples of suppliers include IT services and support, confidential waste disposal, mailing services, election ballot services. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as 'adequate' by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
- Advance HE bookings made on behalf of governors for training and events.
- Government bodies and departments, in the UK and overseas, responsible for:
- public funding
- statistical analysis, monitoring and auditing
- regulatory matters, e.g. HESA
- Hotels and external venues - for bookings, to confirm accommodation, dietary and access requirements
- Funding bodies and partner organisations - for contracts and funding bids
- University's banks - For completion of bank mandates
- the University's insurers, legal advisers and auditors
- Companies House - for governors who are directors of one of the University's subsidiary undertakings.
- Public domain:
- the Register of Interests which is available for consultation by members of the public
- the University's website
- annual report and financial statements
- other University publications.
- Agendas and the confirmed minutes of the Board of Governors, Finance and Employment Committee, Academic Assurance Committe, and the Audit and Risk Committee are contained in the Publication Scheme for a period of 3 years.
PLEASE NOTE that equality and diversity information is only published in the form of anonymised reports
- Equality and Diversity data is also shared with the Governance and Nominations Committee of the Board to inform its review of the balance of Board memberships and with the Board in relevant reports
The University takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention tools on the University network and segregation of different types of device; the use of tools on University computers to detect and remove malicious software and regular assessment of the technical security of University systems. University staff monitor systems and respond to suspicious activity.
Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining the University and existing staff have training and expert advice available if needed.
- Equality Monitoring data is reviewed annually with each governor. Anonymised statistics are retained permanently in our archives.
- Information relating to events bookings and parking permits will be retained for the period of office of each member.
- The following records are retained for 6 years after the end of a member's period of office.
- application forms
- declarations of interests
- Records of expenses claims and payments and banking details are retained by the Finance Directorate for 7 years for tax and audit purposes and are then held in the archive indefinitely.
- The following records are retained permanently in our archives:
- Minutes of Board and Committee meetings
- annual reports and financial statements
- pen portraits and photographs.
- Where a governor is also a director of a subsidiary undertaking, related records are retained for 10 years after the wind-up/disposal of the company.
- Statements to the electorate made by successful candidates for staff governor posts are kept for their period of office. In the case of unsuccessful candidates, the retention period is 6 months after the completion of the election.
- Election results (votes cast, turnout) have a retention period of completion of election plus 6 years.
- For the external members of the Board and its committees, SHUCard and IT/email accounts will terminate at the end of their period of office.
If you would like to request copies of your personal data held by the University (a subject access request) or would like to exercise your other rights (e.g. to have inaccurate data rectified, to restrict or object to processing) please contact our Data Protection Officer.
You should also contact the Data Protection Officer if:
- you have a query about how your data is used by the University
- you would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately)
- you would like to complain about how the University has used your personal data
Data Protection Officer
Governance Legal and Sector Regulation
Telephone: 0114 225 5555
Further Information and Support
Please see more information about how the University uses personal data here.
The Information Commissioner is the regulator for GDPR. The Information Commissioner's Office (ICO) has a website with information and guidance for members of the public:
The Information Commissioner's Office operates a telephone helpline, live chat facility and email enquiry service. You can also report concerns online. For more information please see the Contact Us page of their website:
The University is required to provide data to HESA for regulatory and analytical purposes. Please see the HESA privacy notices.