Privacy Notice

 

The University of Sheffield (collectively referred to as University of Sheffield, "we", "us" or in this privacy notice) is a registered data controller with the Information Commissioner’s Office. 

The registered address is: 

Sheffield University
Western Bank
Sheffield
S10 2TN

 

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Data Protection Officer. The University of Sheffield’s Data Protection Officer can be contacted at dataprotection@sheffield.ac.uk 

 

For queries relating to website content, our website contact information is:
Smart Move Sheffield
Level 3
Students' Union Building
Western Bank
Sheffield
S10 2TG

 

This Privacy Notice provides details of the personal data we (University of Sheffield) collect from you, why and how we collect it, how you can access it and how it is shared.

 

This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

 

What data do we collect?

 

We may collect, use, store and transfer the following personal information:

  • Identity Data, including your first name, last name and user name;
  • Contact Data, including your email address and telephone number;
  • Technical Data, including your internet protocols (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website;
  • Profile Data, including your username and password, your preferences, and reviews;
  • Usage Data, including information about how you use our website.

 

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

 

We may collect some special category personal data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, student union membership, information about your health and genetic and biometric data. We will only collect this data if you provide it to us, and will use it in order to provide you with information, products or support relating to the services provided by University of Sheffield.

 

We do not collect any information about criminal convictions and offences.

 

How do we collect your data?

 

We use different methods to collect data from and about you, including through:

  • Direct interactions. You may give us Identity and Contact Data when creating an account or by corresponding with us by post, phone, email or otherwise.
  • Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy for further details.
  • Third parties. We may receive Technical Data from analytics providers such as Google, based outside the EU.

 

Why do we collect your data?

 

The information that you provide will be held in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). Your personal data will be collected and processed for the following purposes:

  • To provide you with information or products relating to the services provided by University of Sheffield where you have consented to be contacted for such purposes.
  • To allow you to participate in interactive features of our service, when you choose to do so. You can alter your preferences at any time in the “My Account” section of your account page.
  • To provide appropriate details to agents/landlords.
  • To notify you about any changes to our service.
  • Because we have a legitimate business interest.

 

Under the General Data Protection Regulation, the University must establish a legal basis for processing your personal data and communicate this to you. The lawful bases for processing your personal data for the purposes outlined above are as follows:

  • Article 6(1)(a) GDPR – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Article 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

 

In addition, we process special category data, such as information in relation to your health and sexual orientation, under Article 9 GDPR using the following lawful basis:

  • Article 9(2)(a) – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

 

Data acquired through site visitor tracking

 

Like most websites, this site uses Google Analytics (GA) to track user interaction. We use the data from GA to determine how many people are using our site, how people find and use our web pages, and to visualise user journeys through the website.

 

Although GA records Technical Data, none of this information makes you personally identifiable to us. Your computer’s IP address is also recorded by GA and presents a potential way for you to be personally identified; however, Google do not grant us access to this information. We consider Google to be a third-party data processor (see below).

 

GA makes use of cookies, details of which can be found on Google’s developer guides. Our website uses the analytics.js implementation of GA.

 

Disabling cookies on your internet browser will stop GA from tracking any part of your visit to pages within this website; however, this may have an impact on the website display quality.

 

You can find out more about our cookies on our dedicated cookies page.

 

Data acquired when creating property reviews

 

If you add a review to any of the properties published on this site, your name and any additional details you enter, along with your comment, will be saved to this website’s database, along with the time and date that you submitted the review. This information is only used to identify you as a reviewer of the respective property and is not passed on to any of the third-party data processors detailed below. Only the information you directly enter will be shown on the public-facing website (please do not enter any sensitive or personal information that you do not wish to be made public).

 

Your review and its associated data will remain on this site until we see fit to either;

  1. remove the review, or
  2. remove the property.

 

Should you wish to have the review and its associated personal data deleted, please contact us. Please remember to provide us with your name and the property you have reviewed.

 

If you are under 16 years of age you MUST obtain parental consent before posting a review on any properties. NOTE: You should avoid entering personally identifiable information to the review section of any property.

 

Data acquired when using contact forms and email links

 

If you choose to contact us using the contact form (on our Contact us page), or via email, none of the data that you provide will be stored by this website. This data will not be passed to or be processed by any of the third-party data processors listed below. Instead, the data will be collated into an email and sent to us over the Simple Mail Transfer Protocol (SMTP).

 

NOTE: Our SMTP servers are not encrypted by TLS or SSL, and we strongly recommend that you do not send any sensitive information over email.

 

Data acquired when creating an account

 

We provide the ability for users to create an account to make their property search easier and faster, but this functionality is entirely optional. Should you choose to create an account with us, your data will be handled as outlined below:

  • Passwords are stored in a non-reversible encryption string. This means that nobody can see what your password is (e.g. the word "example" could look like this "61EA0803F8853523B777D414ACE3130CD4D3F92DE2CD7FF8695C337D79C2EEEE"). We also salt your password with additional information, to ensure the encrypted password does not resemble your original password.
  • The information held on you will, typically, be Contact and Identity Data. You are free to add, delete or update the information we hold about you, using the account area of the website. You are also free to use the ‘unsubscribe’ button on your account dashboard to completely remove your account and all the associated data.
  • The data you provide when creating your account will be included in our backups. Our database is backed up, encrypted and stored on 3 different servers for secure storage.  

 

Data acquired when using the message boards

 

When using the message board functionality on our site, the name and any details you enter alongside your message will be saved to the website’s database, along with the time and date that you submitted the post or reply. This information is used to identify you as a user of the message board and is not passed on to any of the third-party data processors detailed below. Only the information you enter onto the message board will be shown on the public-facing website. This will typically include your name, a subject message and the message content.

 

NOTE: please do not enter any sensitive or personal information that you do not wish to be made public.

 

Your post and its associated data will remain on this site until:

  1. the expiry date set in the post has passed; or
  2. an administrator removes the post/reply; or
  3. an administrator removes the message board thread.

 

Should you wish to have any post/reply and its associated personal data deleted, please contact us. Please remember to provide us with all the details regarding your request, including the reason for removal. If you have chosen to create an account, you will have the option to log into your account and delete any posts you have submitted on the message board.

 

If you are under 16 years of age you MUST obtain parental consent before posting on the message board.

 

Useful Points to consider while using the message boards:

  • If you put your contact details in the body of your message these will be publicly available.
  • Take steps to verify the identity of anyone with whom you make contact.
  • Beware of scams, including anyone requesting money in advance.

 

How your data is shared

 

Your personal data may be processed and stored by the following third-party processors:

  • Studentpad, who are acting as processors based in the United Kingdom, and who provide IT and system administration services.
  • This website also directly uses the services of: Google, ShareThisWe require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party processors to use your personal information for their own purpose and only permit them to process your personal data for specified purposes and in accordance with our instructions.

 

The University will not disclose your personal data to any external third party, other than as set out above and/or where you have given us permission to do so, unless we are required to do so by law. 

 

We may share your personal data with other internal departments including relevant academic departments.

 

How your data is kept secure

 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and these are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

This website is hosted by our third-party processor, Studentpad, which forms part of the Pad Group Limited group of companies, and is stored on servers provided by OVH. These servers are located in the UK and are solely used by Pad Group Limited.

 

Some of the data centre’s more notable security features are as follows:

  • CCTV covering all areas of the data centres and corporate offices.
  • Highly experienced security guards on duty 24/7, 365 days a year.
  • Role-based access control swipe-card system across multiple secure areas to ensure absolutely no access by unauthorised personnel.
  • Awarded ISO 27001 certification – an international standard given to data centres that reach the top-level of security, safety and compliance.
  • All traffic (transferral of files) between this website and your browser is encrypted and delivered over HTTPS.

 

How long your data is kept

 

The personal data that you provide the University of Sheffield will be held in compliance with our Retention Schedule. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements.

 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk and harm from unauthorised use or disclosure of your personal data, the purposes of which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

 

Your right of access to your personal data

 

You have a right to request a copy of the information that we hold about you. If you would like to request a copy of some or all of your personal data, please contact the University Secretary's Office. We want to make sure that your personal data is accurate and up to date. You may ask us to correct or remove information that you think is inaccurate. 

 

Your other rights as a data subject

 

The GDPR provides you, as a data subject, with a number of rights in relation to your personal data. You have the right to withdraw your consent where that is the legal basis of our processing, have inaccuracies in the personal data that we hold about you rectified, a right to erasure, to request that the processing of your personal data be restricted, to object to certain processing activities and to complain to the Information Commissioner's Office about the way we process your personal data. 

 

Who do I contact if I want to know more? 

 

For further information about your right to access information we hold about you, to make a complaint about the way in which we are handling your personal information, or to request to be removed from our systems, please contact the Data Protection Officer at dataprotection@sheffield.ac.uk 

 

If you are not satisfied with our response or wish to raise a complaint with our supervisory body, you may complain to the Information Commissioner’s Office.

 

Changes to our privacy policy

 

This privacy policy may change from time to time, in line with legislation or industry developments. We will not explicitly inform our clients or website users of these changes. Instead, we recommend that you check this page occasionally for any policy changes. Specific policy changes and updates are mentioned in the change log below.

 

Change log

 

Date

Changes

25/04/2018

New GDPR Privacy policy created.
Privacy policy change log introduced.

 24/06/2021

Policy reviewed and reformatted. Details of lawful basis added