Data Protection
Description of Service
Compliance with the 1998 Data Protection Act (as amended).
Client Groups/Eligibility for Services
Data subjects and data users - all members of the University.
Data - all personal information held for carrying out the University's business relating to living, identifiable individuals.
Provider Responsibility
- To provide a named Data Protection Officer as the University's first point of contact for internal and external enquiries.
- To notify the Information Commissioner, on behalf of the University, of all types of personal data held by the University.
- To keep the University abreast of its responsibilities relating to Data Protection and to recommend good practice:
a) General policy for Council.
b) Guidance for departments and staff.
- To provide verification of compliance, as requested.
- To action requests for information from data subjects and from individuals and organisations as approved by the Information Commissioner.
- To notify the University of approved sources of information.
User Responsibility
- To observe the 8 data protection principles of good information handling.
- To verify that their actions relating to personal information are within the bounds of the Data Protection Act.
- To notify the Data Protection Officer of any relevant activities.
- Data subject - to make a request for access to personal data using the standard form and paying the fee.
- Data user - to inform data subjects of the purpose(s) for which their data will be processed and obtain their consent, as appropriate.
- Departments - to provide complete details of the information they hold on a named data subject (student or member of staff) following a formal request from the University’s Data Protection Officer.
Availability of Service
Staff are available within core service hours.
Complex enquiries will be dealt with within 10 working days.
A data subject will get a response to a formal data request in accordance with the Data Protection Act within 40 days of the request and the payment of the fee, apart from information relating to exams, where the response will be made within 5 months of the exam or 40 days of the results being released.
Service Statistics/Outputs
Records of registrations.
Records of notifications.
Records of all data protection activities.
Service Measures
A data subject will get a response to a formal data request in accordance with the Data Protection Act within 40 days of the request and the payment of the fee, apart from information relating to exams, where the response will be made within 5 months of the exam or 40 days of the results being released.
Dependencies
Guidance from the Office of the Information Commissioner.
Applicants making clear what information they want.
Staff responding promptly to requests for information.
Feedback and Monitoring
Nothing formal exists.
Benchmarking
None currently.
Exclusions
Implementation of other acts of Parliament - Freedom of Information, Human Rights, etc.
Location of Service
- Executive
Charges
£10 is charged for responding to a formal data request from a data subject.
Failure Response
Failures of the service will be investigated internally and, where necessary, escalated to the Director of CiCS, the Registrar and Secretary, or the Information Commissioner.
