Staff privacy notice

Staff privacy notice


From 25 May 2018 the General Data Protection Regulation (GDPR) will replace the Data Protection Act and govern the way that organisations use personal data. Personal data is information relating to an identifiable living individual.

Transparency is a key element of the GDPR and this Privacy Notice is designed to inform you:

  • how and why the University uses your personal data,
  • what your rights are under GDPR, and,
  • how to contact us so that you can exercise those rights.

Data Subject Rights

One of the aims of the General Data Protection Regulation (GDPR) is to empower individuals and give them control over their personal data. The GDPR gives you the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erase  
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

For more information about these rights please see and the Contact Us section at the end of this Privacy Notice.

Why are we processing your personal data?

It is necessary for the University to process your personal data in order to fulfil all aspects of our contract with you:

  • To manage all the elements of our employment contract with you from recruitment through to resignation, redundancy or retirement including the recruitment process, changes to your contract, payroll administration, pension schemes, holiday entitlement, employee benefits, Transfer of Undertakings (Protection of Employment) and statutory entitlements such as sick pay, maternity and paternity leave
  • To process payments to and from you or made on your behalf
  • To identify you and manage access to our facilities and services
  • To provide support services including induction, training and development, IT services, disability and wellbeing support and to enable offers of additional support to you such as flexible working
  • To monitor performance, attendance and absence
  • To make referrals to the Occupational Health service
  • For work planning and performance and development reviews
  • To enable us to investigate, consider, respond to and monitor
    • reasonable adjustments
    • disciplinary cases
    • research misconduct
    • fitness to work cases
    • academic conduct
    • employment problems
    • complaints/grievances
    • fitness to practice cases
    and to provide information to professional and regulatory bodies which deal with such matters.

It is necessary for the University to process your personal data in order to meet our public tasks (learning and teaching, research, knowledge exchange)

  • To monitor, review and evaluate the quality, standards and effectiveness of our teaching, research, and other services and facilities.
  • For research applications to funding bodies, publication of research and returns to the Research Excellence Framework (REF)
  • To facilitate the provision of knowledge exchange
  • To provide reports and returns required by funding agencies, government departments, and public bodies

It is necessary for the University to process your personal data in order to comply with legal obligations

  • Taxes management and tax returns
  • To ensure the health, safety and security of staff and others
  • To monitor and promote equality and diversity within the University
  • To comply with Transfer of Undertakings (Protection of Employment) regulations
  • To comply with immigration compliance checks
  • For safeguarding purposes and to carry out background and suitability checks where required for your job

Subject Access Requests


When the University receives a Subject Access Request you will usually be informed directly if you are required to search University systems (e.g., Outlook, Teams, OneDrive) for the personal data of a student or member of staff.  In some circumstances (e.g., if a request is received whilst you are on leave from the University for an extended period, or where personal data of the data subject is held in a system that is technically difficult for an individual to search effectively) the Information Governance team will request that a search of your account is undertaken by Digital Technology Services. Such searches will only be carried out by trained, specialist staff for the purposes of enabling the University to comply with data protection legislation.  The Information Governance team reviews all information returned by such searches and your personal data (except for your name) will not be disclosed to the person making the request.

The University can search your accounts for personal data of other individuals as it is the data controller for all personal data held.


It is necessary for the University to process your personal data in order to protect your vital interests or those of another individual

  • To protect the vital interests of staff and others, i.e. in emergencies/life or death situations/where we believe that a staff member or another individual is at significant risk of harm

There are also a number of legitimate business purposes for which the University processes your data

  • To carry out business and workforce planning
  • For major incident planning and response
  • Administration, support and management of staff services such as library, facilities, equipment, IT, travel and the telephone directory
  • To protect our premises, facilities and other assets and resources
  • To monitor and manage Internet use
  • To direct enquiries to the appropriate members of staff
  • For Trades Union membership/payments
  • To enable the marketing and recruitment of students
  • To enable student module evaluation and the provision of student feedback/survey responses
  • To make awards (e.g. Inspirational Teaching Awards)
  • To facilitate the provision of consultancy activities
  • To provide you with information and updates about our services, facilities, opportunities to get involved with University activities
  • Assessing effectiveness of non-pay controls

If you apply for a course at the University:

  • Data will be transferred from your HR record to Registry services and the academic department to facilitate your enrolment and student and course administration
  • Information regarding your registration, attendance and progress will be shared by the academic department and Registry services with HR and your manager if you are enrolled under the Headstart scheme or similar

We may also ask for your consent to use your personal data for other purposes. You will be given additional information for each purpose and have the right to withdraw your consent at any time.

Where we process sensitive personal data/special categories of personal data, we will rely on the conditions in Article 9 of the GDPR: explicit consent, employment obligations, vital interests, legal claims, substantial public interest, occupational medicine, archiving/research.

Which Personal Data do we Collect and Use?

In order to provide our services we need to collect and use your personal data. Below is a list of what this may include:

* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR and as such is subject to a greater level of control and protection.

^ Denotes information which you provide on a voluntary basis or where you are given the option of “prefer not to say” or "information refused".

a) Contact information and personal details

  • Name (s)
  • Address(es)
  • Telephone number(s)
  • Email address(es)
  • Next of kin (incl relationship)^
  • Nationality
  • Age / Date of Birth
  • Gender / sex^
  • Disability*^
  • Photograph(s)
  • Area / Country of residence
  • Criminal convictions*
  • Baby Due Date
  • Car registration number
  • Trade Union Membership*^
  • Names changes (including reason and evidence)
  • National Insurance number (where required)

b) Information relating to your employment at the University

  • Employee Number
  • Working pattern
  • Start date / Years in Service
  • Terms and conditions of employment
  • Work / office location information
  • Equipment records
  • Staff profiles
  • Application information
  • HESA unique identifier
  • Induction, training and development records
  • Secondments
  • Use of and engagement with University services and events
  • Academic work planning records
  • Annual leave entitlement, taken and remaining
  • Survey responses
  • End of contract (including reason for leaving)
  • Award nominations and comments
  • Performance and development review information
  • Student module evaluation
  • Grievances and disciplinary information
  • Line management
  • Video and audio recordings of teaching and learning activities

c) Financial information

  • Salary, payments and rewards (including settlements and redundancy)
  • Benefit schemes
  • Pension information
  • Bank / card / payment details

d) Additional equality/statutory monitoring information

  • Religion / belief*^
  • Ethnicity*^
  • Gender identity*^
  • Sexual Orientation*^
  • Pregnancy, maternity, paternity, adoption*

e) Information relating to your health, disability, wellbeing and safety

  • Evidence of disability*
  • Health data*
  • Reasonable adjustments
  • Pre-employment health screening
  • Safeguarding information*
  • Pastoral notes*
  • Occupational health referrals and reports*
  • Campus CCTV images
  • Absence information (including reasons and dates)*
  • Details of health and safety incidents*

f) Information relating to your career and previous employment

  • Curriculum Vitae
  • Schools / colleges attended
  • Qualifications and grades
  • Employment status
  • Previous Employer details
  • References and referees
  • Research passport
  • Fitness to Practice*
  • REF management information
  • Academic activity, research publications, outputs, grants and awards, collaborations/partnerships, and supervision

g) Proof of right to work

  • DBS checks*
  • Visa / BRP details
  • Work permit
  • Proof of identity (e.g. Passport, driving licence)

The University also collects information about your activity and engagement with our services. This includes timetables, calendars and work patterns along with your use of IT and online resources. 

Additional personal data may be collected by the University or specific services that you choose to access. Additional information about how this data is used will be provided at that time by the area or service in question.


Relevant information collected prior to your employment (from your application, from pre-employment communications with you, and from previous recruitment activities) will form part of your staff record.  Data is then updated throughout your employment.

Most of the data that we hold is collected directly from you as the data subject but other sources of personal data include:

  • previous employers / referees
  • recruitment agents that you have used
  • collaborative teaching partners
  • schools, colleges or other learning institutions
  • research funding bodies and sponsors
  • immigration authorities

Who do we share your data with?

You should be aware that we may need to share your personal or sensitive personal data within the organisation or outside Sheffield Hallam University. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so.  The University NEVER sells personal data to third parties.

Your data may be shared with:

  • Other University staff including staff in our overseas offices.
  • Emergency contact/ next of kin only where you have given your consent or in the event of an emergency where the disclosure of personal data is considered in your vital interests or pertinent to your safety and well-being.
  • Contractors and suppliers, where the University uses external services or has outsourced work which involves the use of Staff personal data on our behalf. The University will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the GDPR and other applicable legislation.  Examples of suppliers include IT services and support, confidential waste disposal, mailing services, election ballot services. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as 'adequate' by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
  • Government bodies and departments, in the UK and overseas, responsible for:
    • public funding
    • sponsorship
    • statistical analysis, monitoring and auditing
    • regulatory matters
  • The University shares data with a number of organisations in connection with your employment:
    • validating and professional bodies in connection with registration and awards
    • collaborative partners
    • placement providers to facilitate placements
    • exam invigilators and external examiners for examination, assessment, and moderation purposes
    • occupational health provider
    • the University's insurers, legal advisers and auditors
    • external training providers
    • independent investigators
    • reference requests
  • The University may share data with external organisations for research and knowledge transfer purposes such as research funders and/or collaborating partners to support a funding application, for the monitoring of an award, or in the case of research misconduct allegations
  • The University may share data with the emergency services and/or other support organisations called upon in the case of an emergency where the disclosure of personal data is considered pertinent to the staff member's safety and well-being
  • The University is also required to provide information to a number of government and public bodies to assist with their public tasks:
    • Her Majesty's Revenue & Customs (HMRC)
    • the Department for Work and Pensions as required by the Social Security Administration Act 1992
    • the Office for National Statistics for the purposes of conducting the national census
    • the Home Office and relevant UK immigration agencies
    • the police and/or other organisations responsible for safeguarding or investigating a crime where a staff may be involved


The University takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention tools on the University network and segregation of different types of device; the use of tools on University computers to detect and remove malicious software and regular assessment of the technical security of University systems. University staff monitor systems and respond to suspicious activity.

Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining the University and existing staff have training and expert advice available if needed.


Information relating to your staff employment contract is retained for 6 years after the termination of your contract. This includes your personal file held by Human Resources and Organisation Development. Some medical information and health and safety records are kept for 40 years in line with legal requirements. For more information about the retention of your data please see the University's Records Retention Schedule.

Contact Us

  • If you would like to request copies of your personal data held by the University (a subject access request)
  • If you would like to exercise your other rights (e.g. to have inaccurate data rectified, to restrict or object to processing) please contact our Data Protection Officer. 

You should also contact the Data Protection Officer if:

  • you have a query about how your data is used by the University
  • you would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately)
  • you would like to complain about how the University has used your personal data

Data Protection Officer
Governance Services
City Campus
Howard Street
S1 1WB
Telephone: 0114 225 5555

Further Information and Support

The Information Commissioner is the regulator for GDPR.  The Information Commissioner's Office (ICO) has a website with information and guidance for members of the public:

The Information Commissioner's Office operates a telephone helpline, live chat facility and email enquiry service.  You can also report concerns online.  For more information please see the Contact Us page of their website:

The University is required to provide data to HESA for regulatory and analytical purposes. Please see the HESA privacy notices.