Privacy Notice

WHO ARE WE?

We are The Sheffield College (“we”, “our”, “us”). We are the data controller of personal information about you.

The Sheffield College includes three additional subsidiary companies to which this Privacy Notice also applies. These companies are Sparks Managed Services, Sparks Teaching Services and Sparks Solutions Ltd.

Our Data Protection Officer is Seb Smith. If you have any questions about this policy or the ways in which we use your personal information, please contact:

DPO@sheffcol.ac.uk

Data Protection Officer, The Sheffield College, Granville Road, Sheffield S2 2RL

We are registered with the Information Commissioner’s Office under number: Z667180X.

THE DATA WE PROCESS

We process data for a number of categories of data subjects. Please view the appropriate section below to read more.

 

STAFF

WHO ARE YOU?

By staff we mean individuals who are employed by, have applied to work for or who have previously been employed by us.

 

HOW WE COLLECT PERSONAL DATA

WE COLLECT DATA DIRECTLY FROM YOU IN A NUMBER OF WAYS INCLUDING:

• when you apply to work for us
• when you become an employee
• when you make a holiday/sickness submission
• when you apply for a change of hours or role
• when you submit expense claims, travel or hotel bookings
• when you complete mandatory workplace training
• when you participate in social events
• when you use college systems (in limited circumstances)
• when you contact the helpdesk

 

WE COLLECT DATA INDIRECTLY FROM A VARIETY OF SOURCES INCLUDING FROM:

• companies that provide us with references
• companies that provide us with results on background checks
• companies that provide hotel and travel booking services
• CCTV when you visit college sites
• information concerning your system and application usage which is collected when accessing and using college IT systems. This includes internet usage, system access logs, communications history (including emails, instant messaging and calls)
• system logs that contain online identifiers such as IP addresses and cookie-related information
• photos and videos when we engage marketing agencies or otherwise collect images at events

 

WE CREATE INFORMATION THAT CAN IDENTIFY YOU IN A NUMBER OF WAYS INCLUDING:

• your unique staff number that can identify you in conjunction with other personal information
• capability and disciplinary details
• working time information, including sign in/out times

We aim to always ensure that you know we are processing your personal information except where it is disproportionately difficult to do so or when doing so would defeat our legitimate purpose (i.e. in the detection of fraud).

SPECIAL CATEGORY DATA PROCESSING

Additional rules apply to the processing of special category data and, where we process this data, we need to tell you the additional lawful basis for processing.

From time to time, we will request that you complete a Display Screen Equipment (DSE) assessment to ensure that the equipment you are using and your working environment are suitable for your specific needs. This may include special category data.

In the event that you have an accident or injury at work, the details of this will be recorded by our Health and Safety Team. Depending on the nature of the report, it may contain special category data.

If you need to take time off sick (including health issues related to the COVID-19 pandemic), the College will process your information as part of our legal obligations under employment law. This includes keeping a record of employees who are self-isolating or taking time off to care for a dependant. In these situations, the relevant line manager will also record the date you returned to work.

• Our lawful basis for processing in these cases is the 'employment, social security and social protection' basis within the Data Protection Act 2018.

If the College determines it is necessary to refer you to an occupational health provider, we will share your personal data with carefully selected third parties that perform occupational health assessments on our behalf.

• Our lawful basis for processing in these cases is the 'health or social care purpose’ basis within the Data Protection Act 2018.

We process special category data such as disability, health and ethnicity in order to support diversity and equality in our workforce, and in order to support our colleagues with disabilities whilst working for the College.

• Our lawful basis for processing in these cases is the 'equality of opportunity or treatment' basis within the Data Protection Act 2018.

For more information regarding our processing of special category data, please see our Appropriate Policy Document which can be found at privacy.sheffcol.ac.uk.

OUR PURPOSE AND LAWFUL BASIS FOR PROCESSING

We use your personal information to:

• perform our employment contract
• meet our legal obligations
• perform tasks as a public authority

This includes but is not limited to:

• checking your qualifications
• conducting investigations for capability or disciplinary processes, only when required
• carrying out our role as your employer or potential employer
• keeping an audit trail of our relationship with you in case of employment claims
• checking your identity and right to work in UK
• setting up payroll and pension and to reimburse expenses
• dealing with HMRC on your behalf
• safeguarding students
• completing our recruitment process and carry out pre-employment checks
• monitoring sickness and absences, for wellbeing and health and safety

With your permission (consent), we use your personal information to:

• Communicate with you, including for marketing purposes

 

WHO WE SHARE IT WITH

We share your personal information with:

• anyone who works for us when they need it to do their job
• any organisation when we need to perform our employment contract, there is a public interest or we have a legal obligation to do so
• organisations who provide services to us/you based on your consent or you opting in to these services
• anyone who you give us explicit permission to share it with

 

STUDENTS

WHO ARE YOU?

By students we mean individuals who are attending the College, have applied to the College or who have previously attended the College.

HOW WE COLLECT PERSONAL DATA

WE COLLECT DATA DIRECTLY FROM YOU IN A NUMBER OF WAYS INCLUDING:

• when you apply to be a student
• when you become a student
• when you provide information for funding and student loans
• when you create and submit work
• when you participate in social events
• when you use college systems (in limited circumstances)
• when you contact the helpdesk

 

WE COLLECT DATA INDIRECTLY FROM A VARIETY OF SOURCES INCLUDING FROM:

• third party application platforms
• CCTV when you visit college sites
• results from exam awarding organisations
• information concerning your system and application usage which is collected when accessing and using college IT systems. This includes internet usage, system access logs, communications history (including emails, instant messaging and calls)
• system logs that contain online identifiers such as IP addresses and cookie-related information
• photos and videos when we engage marketing agencies or otherwise collect images at events

 

WE CREATE INFORMATION THAT CAN IDENTIFY YOU IN A NUMBER OF WAYS INCLUDING:

• your unique student number that can indirectly identify you in conjunction with other personal information
• details about your behaviour, progress, and targets
• attendance information, including sign-in/sign-out times

We aim to always ensure that you know we are processing your personal information except where it is disproportionately difficult to do so or when doing so would defeat our legitimate purpose (i.e. in the detection of fraud).

SPECIAL CATEGORY DATA PROCESSING

Additional rules apply to the processing of special category data and, where we process this data, we need to tell you the additional lawful basis for processing.

In the event that you have an accident or injury at the College, the details of this will be recorded. Depending on the nature of the report, it may contain special category data.

If you need to take time off sick (including health issues related to the COVID-19 pandemic), the College will process your information as part of our legal obligations.

If the College determines it is necessary, we will share personal data that you have disclosed to us to the police, local authorities or youth services.

• Our lawful basis for processing in these cases is the ‘Safeguarding of children and of individuals at risk’ basis within the Data Protection Act 2018.

We process special category data such as disability, health and ethnicity in order to support diversity and equality in our workforce and in order to support our colleagues with disabilities whilst working for the College.

• Our lawful basis for processing in these cases is the 'equality of opportunity or treatment' basis within the Data Protection Act 2018.

For more information regarding our processing of special category data, please see our Appropriate Policy Document which can be found at privacy.sheffcol.ac.uk

OUR PURPOSE AND LAWFUL BASIS FOR PROCESSING

We use your personal information to:

• process your application and enrolment
• manage and administer your education
• meet our legal obligations
• perform tasks as a public authority
• monitor attendance and access to the college

This includes but is not limited to:

• processing your admission
• putting together class lists and to allocate you to the correct classes for assessments
• putting together reports and registers
• making arrangements for exams or visits
• considering whether to offer you a place
• considering whether special provision or assistance is required for exams and visits
• telling other colleges your attendance dates if you leave

With your permission (consent), we use your personal information to:

• Communicate with you, including for marketing purposes

 

WHO WE SHARE IT WITH

We share your personal information with:

• anyone who works for us when they need it to do their job
• your next of kin
• emergency contacts, Local Authorities and youth services
• third party organisations that provide services to the college
• any organisation when we have a legal obligation/legitimate interest to do so
• organisations who provide services to us/you based on your consent or you opting in to these services
• anyone who you give us explicit permission to share it with

 

INDIVIDUALS WHO ARE NEITHER STAFF OR STUDENTS

WHO ARE YOU?

By individuals who are neither staff or students we mean individuals that visit or interact with the college, either in person or through the College website.

HOW WE COLLECT PERSONAL DATA

WE COLLECT DATA DIRECTLY FROM YOU IN A NUMBER OF WAYS INCLUDING:

• when you fill out the visitor book
• when you fill out a webform
• when you provide special access requirements

 

WE COLLECT DATA INDIRECTLY FROM A VARIETY OF SOURCES INCLUDING FROM:

• CCTV when you visit college sites
• when students provide your contact details as a next of kin
• online identifiers such as IP addresses and cookie-related information
• digital marketing agents who conduct marketing activity on our behalf

 

SPECIAL CATEGORY DATA PROCESSING

Additional rules apply to the processing of special category data and, where we process this data, we need to tell you the additional lawful basis for processing.

From time to time, we will collect disability details for access requirements.

• Our lawful basis for processing in these cases is the ‘support for individuals with a particular disability or medical condition’ basis within the Data Protection Act 2018.

If we need to share your details with Track and Trace in relation to the COVID-19 pandemic, the College will process your information as part of our legal obligations.

• Our lawful basis for processing in these cases is the 'employment, social security and social protection' basis within the Data Protection Act 2018.

For more information regarding our processing of special category data, please see our Appropriate Policy Document which can be found at privacy.sheffcol.ac.uk.

OUR PURPOSE AND LAWFUL BASIS FOR PROCESSING

We use your personal information:

• to meet our legal obligations
• to perform tasks as a public authority
• in a way that you would reasonably expect, based on our legitimate interest

This includes but is not limited to:

• to effectively manage and administer the College
• for analysis and monitoring the performance of the website
• to respond to queries about the College
• to contact you in relation to a student for who you are next of kin
• to ensure that the College is safe and secure for all persons
• to understand details of who is in the building and to be able to communicate with them

 

WHO WE SHARE IT WITH

We may share your personal information with:

• anyone who works for us when they need it to do their job
• emergency contacts, Local Authorities and youth services
• third party organisations that provide services to the college
• any organisation when we have a legal obligation/legitimate interest to do so
• organisations who provide services to us/you based on your consent or you opting in to these service
• anyone who you give us explicit permission to share it with

SHARING PERSONAL DATA

In order to effectively operate, we need to share personal data from time to time. We only share the minimum amount of information required and where a lawful basis for us to do so has been identified.

The College will only appoint data controllers and data processors who can provide sufficient guarantees that the requirements of the UK GDPR will be met and your rights will be protected.

For international learners sponsored by their country, we will confirm learners are enrolled and attending. Model clauses are in the agreements/contracts with these countries who send international students.

 

WHERE WE STORE YOUR DATA

We do not store personal data outside the UK however we may use organisations to process data on our behalf that do so. We only allow data to be stored in countries that the UK has deemed to have adequate data protection regulations.

Where this is not possible, a legal safeguard will be in place to facilitate the transfer of data.

HOW LONG WE KEEP YOUR DATA

The storage of your personal data will be kept to a minimum, and personal data will not be stored for longer than required for the purpose of which it was collected.

The amount of data stored, and the retention period for that data, is limited to the requirements of the business, contractual, legal or regulatory purposes as specified in our Personal Data Retention Policy.

 

YOUR RIGHTS

Your data belongs to you; and your rights as the owner of your data are enforced by data protection legislation. A brief summary of your rights is presented below:

Access your data: You can access the information we hold on you at any time, by making a Subject Access Request. There are some exemptions to this right, which means you may not always receive all the information we process.

Rectify your data: You can ask us to correct or complete any information we hold about you that is inaccurate. In some circumstances you can do this yourself via a self-service portal.

Request erasure: You have the right to ‘be forgotten’ in certain circumstances. This right is not absolute.

Request the restriction of processing: You may ask us to suspend the processing your data under certain circumstances. This right is not absolute.

Request the transfer of your data: In some cases, you can ask us to transfer the data you originally provided to us to you or to another company.

Object to the processing of your data: You can object to us processing your data. This right is not absolute.

Object to automated descion-making: You can object to us processing of your personal information where profiling is being used to make assumptions about your behaviours or preferences. The College does not undertake any automated decision-making.

HOW TO COMPLAIN

If you believe data is being handled in a way that breaches data protection legislation, or you disagree with how we are processing your data, please contact our Data Protection Officer. You also have the right to complain to the Information Commissioner’s Office (ICO). For more details you can visit their website at ico.org.uk

 

CHANGES TO THIS POLICY

This privacy notice will periodically be updated to ensure that it remains accurate and reflects changes in legislation, our practices and services. If they are significant changes, we will let you know.

 

PREVIOUS VERSIONS

• Version 1.0