Student privacy notice

Student privacy notice

Updated November 2023


The General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (and, where applicable, EU GDPR) govern the way that organisations use personal data.  Personal data is information relating to an identifiable living individual.

Transparency is a key element of the Data Protection legislation and this Privacy Notice is designed to inform you:

  • how and why the University uses your personal data,
  • what your rights are under the Data Protection legislation, and,
  • how to contact us so that you can exercise those rights.

We keep our privacy notice under regular review.  Any changes we make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email or post.

Please check back frequently to see any updates or changes to our privacy policy.

This Privacy Notice is for current students from the point of provisional enrolment.  Please see additional notices for student enquirers & applicants and for alumni.

Data Subject Rights

One of the aims of the Data Protection legislation is to empower individuals and give them control over their personal data. The legislation gives you the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erase  
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling
  • The right to complain to the Information Commissioner

For more information about these rights please see here and the Contact Us section at the end of this Privacy Notice.

Why are we processing your personal data?

It is necessary for the University to process your personal data in order to fulfil all aspects of our contract with you:

  • To manage all the elements of our contract with you and the student lifecycle from enrolment through to graduation and becoming an alumni, including course delivery, teaching and learning, placements, field trips, exams and assessment
  • To process payments to and from you or made on your behalf
  • To identify you and manage access to our facilities and services
  • To provide support services including, library, IT, financial, careers, disability and wellbeing support and to enable offers of additional support to you
  • To monitor progress, engagement and attendance in order to
    • Improve learning outcomes
    • Target appropriate support
    • Support the development of a personalised academic experience
    • Ensure course requirements are met
  • To enable us to investigate, consider, respond to and monitor
    • reasonable adjustments
    • extenuating circumstances (in relation to RRAAs and RESDs)
    • fitness to study cases
    • academic appeals
    • complaints
    • disciplinary cases
    • academic conduct
    • fitness to practice cases
    and to provide information to professional and regulatory bodies which deal with such matters

It is necessary for the University to process your personal data in order to meet our public tasks or for a task carried out in the public interest (learning and teaching, research, knowledge exchange)

  • To monitor, review and evaluate the quality, standards and effectiveness of our teaching, research, and other services and facilities
  • To produce reports and returns for funding agencies, government departments, and public bodies and to facilitate student and graduate participation in national surveys where the University is required to do so
  • To award and verify degrees and other qualifications/awards

It is necessary for the University to process your personal data in order to comply with legal obligations

  • To ensure the health, safety and security of students and others
  • To monitor and promote equality and diversity within the University
  • To comply with immigration compliance checks
  • For safeguarding purposes and to carry out background and suitability checks where required for your course

It is necessary for the University to process your personal data in order to protect your vital interests or those of another individual

  • To protect the vital interests of students and others, i.e. in emergencies/life or death situations/where we believe that a student or another individual is at significant risk of harm

It is in the Legitimate Interests of the University to process your data

  • To plan, deliver and review our services and facilities
  • To provide you with information and updates about our services, facilities, opportunities to get involved with University activities
  • To protect our premises, facilities and other assets and resources
  • To monitor and manage Internet use e.g. essay mill sites and extremist content
  • Learner Analytics
  • Audio and visual recordings for course evaluation
  • To select prize-winners and manage prize-giving activities

With your consent we will process your personal data to:

  • Enable you to enter prize draws-Information on the personal data required to enter and how long we retain this data will be made available in the terms and conditions for each prize.

We may also ask for your consent to use your personal data for other purposes. You will be given additional information for each purpose and have the right to withdraw your consent at any time.

Where we process sensitive personal data, we will rely on the conditions in Article 9 of the Data Protection legislation: explicit consent, vital interests, legal claims, substantial public interest, occupational medicine, archiving/research.

Which Personal Data do we Collect and Use?

In order to provide our services we need to collect and use your personal data. Below is a list of what this may include:

* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the Data Protection legislation and as such is subject to a greater level of control, care, and protection.
^ Denotes information which you provide on a voluntary basis or where you are given the option of “prefer not to say” or "information refused".

a) Contact information and personal details

  • Name(s)
  • Email address(es)
  • Age / Date of Birth
  • Extra-curricular activities (clubs, course rep, mentors, initiatives etc)
  • Specific circumstances (e.g. care leaver / looked after child / estranged)
  • Names changes (including reason and evidence)
  • National Insurance number (where required)
  • Address(es)
  • Next of kin (incl relationship)
  • Gender^ / sex
  • Telephone number(s)
  • Nationality
  • Disability*^
  • Photograph(s)
  • Area / Country of residence
  • Criminal convictions* (where required)

b) Your academic and learner records

  • Schools / colleges attended
  • Qualifications and grades
  • Module results
  • Course and stage details
  • Attendance, progress & current status
  • Final results
  • Video and audio recordings of teaching and learning activities
  • Diagnostic assessments*
  • Academic references (including personal statement & predicted grades)
  • Placements and field trips
  • Use of and engagement with University services and events
  • Learning Contract*
  • Extra Curricular-Course Reps and details of volunteering
  • Data related to complaints/disciplinary investigations

The University also collects information about your engagement with your course and our services, including attendance at timetabled teaching and learning sessions and your use of IT and learning resources. We may match these with information about your personal circumstances in order to personalise your academic experience, improve your learning outcomes and target appropriate support.

Additional personal data may be collected by colleges for specific course requirements and by services that you choose to access. Additional information about how this data is used will be provided by the college or service in question.

c) Financial information

  • Income (yours / parental / household)
  • Bank / card / payment details
  • Sponsor
  • Funding, bursary and fee-related information
  • Debt information

d) Additional equality/statutory monitoring information

  • Religion/belief*
  • Parental occupation
  • Parental education
  • Gender identity*^
  • Sexual Orientation*
  • Ethnicity*
  • Socio-economic background
  • Pregnancy, maternity, paternity, adoption*

e) Information relating to your health, disability, wellbeing and safety

  • Evidence of disability*
  • Health records*
  • Reasonable adjustments
  • Details of extenuating circumstances*
  • Safeguarding information*
  • Pastoral notes, clinical case notes, counselling records
  • Occupational health referrals and reports*
  • Campus CCTV images
  • Absence information (including reasons and dates)*
  • Details of health and safety incidents*
  • Disabled Student Allowance Documents*
  • Website data linked to extremist ideologies

f) Information relating to your career and employment

  • Curriculum Vitae
  • Staff number for placement students
  • Career readiness
  • DBS checks*
  • Employer details
  • References and referees
  • Fitness to Practice*
  • Research passport
  • Teacher reference number^
  • Employment status & average number of hours worked

g) For international students the following data may be collected and used

  • Academic Technology Approval Scheme (ATAS)
  • Passport details
  • Visa / BRP details (including previous visas)


Relevant information collected prior to your enrolment (from your application, from pre-enrolment communications with you, and from previous outreach activities) will form part of your student record. Data is then collected from you at enrolment and updated throughout your course.

Most of the data that we hold is collected directly from you as the data subject but other sources of personal data include:

  • UCAS
  • recruitment agents that you have used
  • referees
  • collaborative teaching partners
  • schools/colleges
  • accommodation providers
  • assessment centres
  • funding bodies, employers and sponsors - i.e. where an organisation is paying your fee
  • immigration authorities
  • The University may receive enquiries and complaints of individuals and organisations.

Who do we share your data with?

You should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Sheffield Hallam University. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. The University NEVER sells personal data to third parties.

Your data may be shared with:

  • University staff who need the information for administrative, teaching, research, assessment, and student support purposes. In the case of international students, this includes staff in our overseas offices.
  • Sheffield Hallam Students’ Union to enable the Union to enrol members, to contact members, to plan and promote its services, to provide services to opted-out members, to facilitate elections for student course reps and officers, and for the administration of the student rep system, student societies, volunteering programmes and the Hallam Award. Students may opt out of membership of the Union by contacting the Union via Please see the Code of Practice relating to the Operation of the Students' Union and the statement on Membership of Sheffield Hallam Students' Union for more information.
  • Accommodation providers/landlords for the administration of student accommodation and to provide support during the tenancy
  • Parents, guardians and other family members only where you have given your consent or in the event of an emergency where the disclosure of personal data is considered in your vital interests or pertinent to your safety and well-being.
  • Contractors and suppliers, where the University uses external services or has outsourced work which involves the use of Students' personal data on our behalf. The University will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the Data Protection legislation and other applicable legislation. Examples of suppliers include IT services and support, confidential waste disposal, mailing services. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as 'adequate' by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
  • Organisations that sponsor prizes for the purpose of selecting prize winners and awarding prizes.

  • Government bodies and departments, in the UK and overseas, responsible for:
    • public funding
    • statistical analysis, monitoring and auditing
    • sponsorship
    • regulatory matters
    • overseas government bodies where this is required for student sponsorship and regulatory matters essential to a students contract
  • The University shares data with a number of organisations to facilitate academic, financial, and administrative functions essential to your contract with us:

    • student funding organisations in connection with grants, fees, loans and bursaries
    • employers, other education providers or others sponsoring students to provide references, and updates on attendance, progress, conduct and matters relating to fees and funding
    • validating and professional bodies in connection with registration and awards
    • collaborating organisations that provide teaching, assessment or student support for a University course or apprenticeship (only for relevant students)
    • placement providers to facilitate placements
    • exam invigilators and external examiners for examination, assessment, and moderation purposes
    • international recruitment consultants and agents in relation to the students that they recruit
    • occupational health provider to assess fitness to study
    • 3rd party organisations who collate data with regards to national student activity and attainment for the purposes of statistical analysis, monitoring and use by member organisations to inform recruitment and other activities.
    • the University's insurers, legal advisers and auditors
    • debt collection agencies where fees are outstanding and all other means have been exhausted
  • The University may share data with external services to provide additional support for individual students

    • the emergency services and/or other support organisations called upon in the case of an emergency where the disclosure of personal data is considered in the student's vital interests or pertinent to their safety and well-being
    • specialist external support services, e.g. mental health, rape crisis, external Disabled Student Allowance (DSA) services
    • student medical centre or GP
    • accommodation provider/landlord
  • The University may share data with organisations for the purposes of research with may include:

    • authorised university researchers but only after ethical approval, permission from the Director of Academic Services and with appropriate safeguards
    • research funders and/or collaborating partners to support a funding application, for the monitoring of an award, or in the case of research misconduct allegations
  • The University is also required to provide information to a number of government and public bodies to assist with their public tasks:

    • the Department for Work and Pensions as required by the Social Security Administration Act 1992
    • Electoral Registration Officers for the compilation of the electoral register as required by Regulation 23 of the Representation of the People (England and Wales) Regulations 2001.
    • the Office for National Statistics for the purposes of conducting the national census
    • local authorities for the purpose of assessing and collecting Council Tax
    • the Home Office and relevant UK immigration agencies
    • the police and/or other organisations responsible for safeguarding or investigating a crime where a student may be involved


The University takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention tools on the University network and segregation of different types of device; the use of tools on University computers to detect and remove malicious software and regular assessment of the technical security of University systems. University staff monitor systems and respond to suspicious activity.

Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining the University and existing staff have training and expert advice available if needed.


Most student data is held for the duration of your course plus one further academic year. Some data is held for audit purposes beyond this time and the retention period depends on the type of audit (up to 7 years). Some data is held for statistical reporting purposes and analysis for a further 6 years. Data from complaints, appeals, disciplinary, fitness to practice and fitness to study cases are kept for 6 years in case of further queries or actions. Your core student record, including details of your award is kept permanently so that your award can be verified in the long-term to future employers and educational providers. Relevant information from your core record will become your alumni record at the completion of your qualification.  You can find more information on our Alumni Privacy Notice

Contact Us

  • If you would like to request copies of your personal data held by the University please see our info about SARs (a subject access request)
  • If you would like to exercise your other rights (e.g. to have inaccurate data rectified, to restrict or object to processing) please contact our Data Protection Officer. 

You should also contact the Data Protection Officer if:

  • you have a query about how your data is used by the University
  • you would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately)
  • you would like to complain about how the University has used your personal data

Data Protection Officer
Governance Legal and Sector Regulation
City Campus
Howard Street
S1 1WB
Telephone: 0114 225 5555

Further Information and Support

Please see more information about how the University uses personal data here

The Information Commissioner is the regulator for UK Data Protection legislation.  The Information Commissioner's Office (ICO) has a website with information and guidance for members of the public:

The Information Commissioner's Office operates a telephone helpline, live chat facility and email enquiry service.  You can also report concerns online.  For more information please see the Contact Us page of their website:

The University is required to provide data to HESA for regulatory and analytical purposes. Please see the HESA privacy notices.

View UCAS Privacy Notices.