Privacy notice: staff data
The University needs to hold and process personal data relating to its staff in order to keep proper records, provide support and guidance to staff and monitor pensions and payroll, performance and contractual obligations.
We hold financial information so that we can pay staff salaries and expenses; information on health and disability so that we can properly support staff; and many other categories of information, which are listed below, in order to run the business and activities of the University, to help and support staff, and to fulfil our legal obligations.
The University takes the security and integrity of all the personal data it holds very seriously. We have an Information Security Policy and staff are trained in Data Protection.
We believe our systems are secure. We do not release information about our staff to any third parties outside the University unless we have a legal obligation to do so, or in very specific and limited circumstances, which are listed below. An exception to this is those colleagues who have a public-facing role: where appropriate and necessary, information relating to certain members of staff is made public in order for them to fulfil the requirements of their role.
The handling of personal data is controlled by the General Data Protection Regulation (GDPR) and associated legislation.
The University is obliged to provide you with the following information which explains in detail how and why we are processing your personal data and explains your legal rights.
General information on Data Protection law is available from the Information Commissioner’s Office.
Data Controller: The University of Sheffield, Western Bank, Sheffield S10 2TN
Data Protection Officer: Luke Thompson
Supervisory Authority:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 or 01625 545745
Categories of sharing
Categories (Google Drive)
Special data
'Special categories of personal data' are defined as information relating to the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trades union membership
- Genetic or biometric data
- Health
- Sex life or sexual orientation
The University may process this data, but only in specific and restricted circumstances, and always in accordance with Article 9 of the GDPR.
Sources of information
- Provided by data subjects
- Previous and future employers
- Referees
- Government Agencies
- Agents and recruitment consultants
- Partner institutions
Purposes of processing
Purposes (Google Drive)
Legal basis for processing
Information about the legal basis for processing (including specific General Data Protection Regulation articles)
Legal basis for processing (Google Drive)
Recipients of data
The University shares staff personal data with the following. This is done according to one or more legal bases of the General Data Protection Regulation, which are explained below.
Staff personal data is routinely and regularly shared with the following:
Higher Education Statistics Agency (6(1)c, 6(1)e)
We may also, from time to time, when necessary and under a proper legal basis, share data with the following:
- family, associates and representatives of the person whose personal data we are processing
- current, past or prospective employers
- healthcare, social and welfare organisations
- educators and examining bodies
- suppliers and service providers
- financial organisations
- debt collection and tracing agencies
- auditors
- police forces, security organisations
- courts and tribunals
- prison and probation services
- legal representatives
- local and central government
- consultants and professional advisers
- trade union and staff associations
- survey and research organisations
- press and the media
- voluntary and charitable organisations
- research collaborators, agents and contractors
- pension schemes, including USS and the NHS Pension Scheme
Personal data will only be shared under the following legal bases, one or more of which may apply in any particular case:
- Article 6(1)a: the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Article 6(1)b: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract
- Article 6(1)c: processing is necessary for compliance with a legal obligation to which the controller is subject
- Article 6(1)d: processing is necessary to protect the vital interests of the data subject or other natural persons
- Article 6(1)e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Transfer outside the EU
The University does not, as a rule, transfer staff data outside the European Union. The exception to this is in relation to those staff who are studying or working at other institutions. In order to properly administer these arrangements and provide appropriate support, the University will share personal data with partner institutions.
The legal basis for these transfers is contained within clause 6(1)b and 6(1)f of the General Data Protection Regulation.
Retention periods
The University needs to be able to confirm who has been a member of staff, and to keep details of their employment history. Therefore certain information about former members of staff will be retained permanently.
Access Rights
You are entitled to a copy of all the information the University holds about you, although you may not be able to receive information which identifies or relates to anybody else. If you would like a copy of your records, please contact the University Data Protection Officer. In order to help us provide you with the information as quickly as possible, it would be very helpful if you could provide us with as much information as possible, particularly if you can specify which sort of information you are interested in. You will be required to provide proof of identity, such as a photograph and a signature.
Rectification
If you believe any of your University personal data is incorrect you should amend it via MyJob. If you cannot make the required change via MyJob, please contact the Human Resources department.
Portability
You have the right to move your personal data to another data controller; however, this right is limited to the following circumstances:
- data which you have provided directly to the University yourself
- data which is used in order to fulfil a contract or is in preparation for a contract
- the data is automated (i.e. this right does not apply to paper records)
In order to exercise this right, please contact the University Data Protection Officer.
Erasure (right to be forgotten)
The right of erasure (the right to be forgotten) does not apply to staff data held by the University for most purposes.
However, any personal data held solely for the purpose of marketing can be erased. In order to exercise this right, please contact the University Data Protection Officer.
Restriction/Objection
The law gives you the right to object to processing of your personal data carried out by the University and/or to ask the University to restrict processing of your personal data.
These are not absolute rights (except for the right to prevent use of your personal data for marketing and fundraising purposes) and apply only in limited circumstances. You can object to your data being used for research or statistical purposes, but not where the research is being carried out in the public interest.
You can also ask the University to restrict any processing of your data if you think the data we hold about you is inaccurate.
The rights of objection and restriction are complicated and each instance will be assessed individually. If you wish to exercise either of these rights, please contact the University Data Protection Officer.
Withdrawal of consent
You have the right to stop any processing which is based solely on your consent: Advertising and promotion of the University, its goods and services, and Fundraising.
Please contact the University Data Protection Officer, or the appropriate University department (Accommodation and Campus Services, Sport Sheffield, etc.).
Complaints to ICO
If you feel that the University has not dealt correctly with your personal data, you can complain to the Information Commissioner’s Office.
Consequences of not providing data
The University relies on having up-to-date and correct information about its staff. Staff members have a responsibility to inform the University if we are holding incorrect information, and to give us a chance to put things right.
The University will only ask you to provide information for which it has a genuine need. If you fail to provide any requested information, there is a chance that your University records could be incorrect or incomplete, and this could lead to problems which take time and trouble to sort out.