Important Information about Confidentiality
The University of Sheffield has a responsibility under data protection legislation to provide individuals with information about how we process their personal data.
We do this in a number of ways, one of which is the publication of privacy notices. Organisations variously call them a privacy statement, a fair processing notice or a privacy policy.
To ensure that we process your personal data fairly and lawfully we are required to inform
you:
Why we collect your data
How it will be used
Who it will be shared with
We will also explain what rights you have to control how we use your information and how to inform us about your wishes. the University of Sheffield will make the Privacy Notice available via the website and at the point we request personal data.
Our privacy notices comprise of two parts – a generic part (i.e common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.
Here is link to the full UoS Privacy Statement
Department for Lifelong Learning Confidentiality Policy (Revised June 2023)
DLL Student Data and Confidentiality Policy
This policy sets out how students’ personal data should be managed and shared within and beyond DLL, in accordance with University of Sheffield policy, the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
Personal data
Any data relating to an individual person is covered by GDPR. Some forms of data are classed as ‘Special Category’ data and more stringent rules apply (see below).
Personal data that is not Special Category data
Within DLL this is likely to relate to things like students’ contact details, academic record etc - data which does not fall within the special categories, but is clearly confidential. This can be shared without explicit consent within the department and within the University as necessary in relation to the student’s studies but should not be used for any other purposes.
Responding to external enquiries
Students’ personal data must NOT be shared by DLL staff with anyone outside the University of Sheffield. This includes parents, spouses or other relatives, and the police or other authorities. If you receive an external enquiry about a student you must not give out any information about them and should not even confirm that they are a student. If the enquirer persists, or if they represent an official body, they should be referred to Student Services: 0114 2224321.
Providing references
References, including UCAS references, will often ask for personal data, including a student’s academic record. A reference request from UCAS will already have the student’s consent. If you receive any other reference request, you should ask the student to confirm that they have consented to you providing it before responding.
Sharing data with students
Students’ personal data, including University of Sheffield email addresses, should not normally be shared with other students. There may be exceptions to support a particular aspect of their studies - for example, limited sharing of email addresses to set up groups for a groupwork assessment. Please contact the DLL Information Champion (currently s.hale@sheffield.ac.uk) to discuss any potential exceptions before sharing any data.
Special Category Data
The rules for handling Special Category data are more stringent, and can be thought of in terms of specific people who it can be shared with, rather than who it can’t be.
Special Category data includes ALL the following:
race
ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data (where this is used for identification purposes)
health data
sex life
sexual orientation
criminal convictions (treated in the same way as Special Category data)
The type of Special Category data most likely to be relevant to DLL’s day to day business is that relating to health, including mental health. The University has (in October 2022) issued a Code of Practice on sharing mental health and wellbeing information - it is important to note however that this is aimed primarily at clinical and support services rather than departments. The following policy and guidance is consistent with the code of practice.
Special Category data may only be shared with specified individuals within DLL, and only as many of these as necessary. These will normally be:
Head of Department
Student Support Manager
Senior Student Support and Welfare Officers - usually the one allocated to the student
Programme Directors - usually the one allocated to the student
The student’s Personal Tutor
Information may be shared further with the student’s explicit written consent, but such consent should not be solicited from the student, and should be exercised with regard for the student’s wellbeing.
If the student has voluntarily shared information with a number of people, those people may discuss it but should not share it further except as set out above.
Personal Tutors
A Personal Tutor who receives any significant personal or health information from a student should share it with one of the people specified above - usually the student’s SSWO. Personal Tutors should not be the sole person holding such information and should make it clear to students that any information given to them will be shared with other DLL staff as appropriate. Students should be reminded of this at any point when they volunteer potentially relevant information. A request from a student to a Personal Tutor to not share information with appropriate people should be declined, and the student’s SSWO should be informed - although if a student names specific people they do not want the information shared with, this should be respected where possible.
This also applies to any other member of staff not specified above who receives such information from a student.
Email Communication
Special Category data should not be shared or forwarded by email, because of the risk of it accidentally going to the wrong recipient. The preferred means of sharing such information is by entering it in PATS and then selecting the appropriate linked member(s) of staff to send an email to. An alternative where PATS is not appropriate is to put the information in a Google Doc. This should then be shared with the recipient and a link sent by email in two separate processes.
Emergency Situations
If any member of DLL staff believes that there is a risk of imminent harm to a student or others (most likely in relation to a student’s mental health) information may be shared without consent with appropriate parties, including Student Support Services, Residence Life, Campus Security and the University Health Service. The Head of Department / Student Support Manager / Student’s SSWO as appropriate should be informed subsequently if such action is taken.
Appendix: Sources of information and links
The University's web pages on data protection, including useful information about GDPR and the Data Protection Act, may be found here https://www.sheffield.ac.uk/govern/data-protection
The University’s Privacy Notice (information to students) may be found here: https://www.sheffield.ac.uk/govern/data-protection/privacy/students
This sets out how the University collects, stores and shares students’ data, and their rights in relation to this. A link to this is provided in the Online Student Handbook.
This guidance mainly relates to sharing information between departments, and between health services and departments, and does not explicitly address the sharing of information within a department.
Information about DLL Confidentiality Policy is provided to students via the Online Student Handbook which also provides a link to this document. This information should be checked annually to ensure that it is accurate and up to date.
Office of the Information Commissioner
This version June 2023 – saved as PDF in DLL Governance and Policy