Privacy Notice for Library Associate Members
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. GDPR and governs the way that organisations use personal data. Personal data is information relating to an identifiable living individual. Transparency is a key element of the GDPR and this Privacy Notice is designed to inform you:
- how and why the University uses your personal data,
- what your rights are under GDPR, and,
- how to contact us so that you can exercise those rights.
With your consent we will process your personal data for the following purposes:
- To give you access to and exit from the Library buildings through our access control system;
- To provide you with borrowing rights to library resources, including the charging of fines in order to ensure the prompt return of stock and replacement fees to cover the cost of any lost items;
- To contact you by email on a monthly basis to provide you with a statement of loans and on an occasional basis to notify you of any relevant changes to library services.
In order to provide our services we need to collect and use your personal data. Below is a list of what this may include:
a) Contact information and personal details
- First name
- Home address - including property number, street name, town or city, and postcode.
- Phone number
- Email address
- Library number - this is the number also shown on the Associate Member SHUcard, which acts as the library card
- 'MiFare ID' - this is also held on the chip within the Associate Member SHUcard and is unique to that card
- Statistical category - an indication of the category of eligibility for membership, e.g. former SHU student, held for the purpose of monitoring uptake of Associate Membership
b) Transaction data
- 'MiFare ID'
- Barcodes relating to library resources that you borrow from and return to the library
- Dates and times of any borrowing and return transactions
c) Access control data
- First name
- Library number
- 'MiFare ID'
- Statistical category
- Dates and times of entry to and egress from library buildings
- Contact information and personal details are gathered from the Associate Membership application form completed by you will form the basis of your Associate Member record within the library management system.
- Transaction data is collected by the self-service borrowing and return machines in the libraries whenever an Associate Member borrows or returns library resources.
- Access control data is gathered by the access control system in the libraries whenever an Associate Member uses their SHUcard to gain access to or egress from the library buildings.
You should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Sheffield Hallam University. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. The University NEVER sells personal data to third parties.
Your data may be shared with:
- University staff who need the information for administrative, purposes. Access to information for associate members is limited to Library staff. Email addresses of associate members who are alumni of the University are also shared with the Alumni team.
- Contractors and suppliers, where the University uses external services or has outsourced work which involves the use of personal data on our behalf, e.g. IT services and support, mailing services, confidential waste services. The University will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the GDPR and other applicable legislation. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as 'adequate' by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place. The library management system is supplied by Ex Libris.
The University takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention tools on the University network and segregation of different types of device; the use of tools on University computers to detect and remove malicious software and regular assessment of the technical security of University systems. University staff monitors systems and respond to suspicious activity. The University has Cyber Essentials certification.
Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining the University and existing staff have training and expert advice available if needed.
Your Associate Member record, including your personal data, details of any library resources you have on loan and have borrowed previously, and details of any library fines both paid and unpaid, will be retained with the library management system, Alma, for a period not exceeding 10 years or for an unlimited amount of time in cases of outstanding loans or fines. Your details are kept for this period of time to facilitate renewal of membership beyond the initial one-year period.
One of the aims of the General Data Protection Regulation (GDPR) is to empower individuals and give them control over their personal data. The GDPR gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
You should contact Library Services if you have a query about how your data is used by the Library
Sheffield Hallam University
Phone: 0114 2253333 (option 3)
You should contact the University's Data Protection Officer if:
- you would like to request copies of your personal data held by the University (a subject access request);
- you would like to exercise your other rights (e.g. to have inaccurate data rectified, to restrict or object to processing)
- you have a query about how your data is used by the University
- you would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately)
- you would like to complain about how the University has used your personal data
Data Protection Officer
Telephone: 0114 225 5555
Please see more information about how the University uses personal data https://www.shu.ac.uk/about-this-website/privacy-policy
The Information Commissioner is the regulator for GDPR. The Information Commissioner's Office (ICO) has a website with information and guidance for members of the public:
The Information Commissioner's Office operates a telephone helpline, live chat facility and email enquiry service. You can also report concerns online. For more information please see the Contact Us page of their website: