Collecting your personal information

Sheffield City Region Mayoral Combined Authority take the privacy of your information very seriously. Our Privacy Policy below explains how we will collect and use the information you give us via our websites and otherwise when you are using our services, for instance when you complete any forms or otherwise, or provide data to us by telephone.

We are committed to good information handling principles and protecting the privacy and confidentiality of any personal information we deal with.

When we interact with you, we might give you supplementary privacy notices which are more specific to the personal data we’re collecting or using at that point. You should read those notices alongside this Privacy Policy.

In this Privacy Policy, the word “we” and “MCA” refers to Sheffield City Region Mayoral Combined Authority. Unless otherwise stated, we are the data controller of any personal data collected. Our contact details are included in the contact us section below.

What is personal information?

“Personal information” is data which relates to an identified or identifiable natural person who can be identified from that data. This means any individual who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, online identifiers (for example, IP addresses – if they can be used to identify you) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

We collect your personal information in order to provide services to you. This includes the details about yourself that you provide over the telephone, on forms, by email, in letter, in person and online.

We’ll only collect information that is necessary or is required by law and we’ll explain the reasons for this.

We recognise that the information you provide may be sensitive and we will respect your privacy.

You may choose not to provide us with personal information, although some of our services may not be available as a result.

The categories of personal data we hold

Personal information collected from you in connection with our services includes the following:

  • your full name, postal address, phone number, e-mail address, employer/business and professional information, job title, any other personal data which is voluntarily provided from time to time
  • bank and card details where you make payments to us or we pay you.

If you communicate with us by email over the internet you should be aware that the nature of the internet as a means of communication means that this may not be secure. Please do not email us with confidential or sensitive information. We comply with data privacy laws in relation to security, but cannot accept responsibility for unauthorised access to your information that is outside our control. Further information regarding our approach to the security of personal information is included in the section below on Security of personal information.

Third party personal information

If you give us personal information about another person, in doing so you confirm that they have given you their prior permission to provide it to us and for us to be able to process their personal data (including any sensitive personal data).

You must also ensure this and other relevant privacy policies are brought to their attention so they can review how their personal information may be used.

The purposes for which we use personal information

The MCA complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We will only use your personal information for the purposes that you would reasonably anticipate or that we state when we collect it and, where necessary,  when you have given us your consent.  The situations in which this is relevant are set out in the table below.

The legal basis for our use and other processing of your personal information under data privacy laws

We are required to indicate our processing activities with your personal information and the legal basis for those activities (see the table below). The legal basis includes handling your personal information:

  • in order that we may perform our services and obligations under any contract with Government agencies and other relevant funding bodies
  • for the legitimate interests of the MCA and its partners or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
  • for processing which is necessary for compliance with a legal obligation
  • where it is necessary to protect your vital interests or those of another person
  • where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
  • with your consent. This means your freely given, specific, informed and unambiguous consent which must be collected from you at the time at which it is requested, including in relation to any direct marketing communications. See Keeping you informed

SCR Privacy Table

You should be aware that you are entitled under data privacy law to withdraw your consent, where it has been given, at any time.  You can withdraw your consent by contacting us. See more details in the Contact us section below.

You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing on your personal information, this may affect our ability to provide our services.

Security of personal information

We endeavour to use appropriate technical and physical security measures to protect personal information which is transmitted, stored or otherwise processed from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access, whenever this is collected in connection with our services.

In particular, we endeavour to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymisation (such as where data is separated from direct identifiers so that linkage to an identity is not possible without additional information that is held separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process your personal information, (c) ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.

If there is a breach of security involving your personal information which we are concerned will involve risks to you, we shall, without undue delay, work to mitigate those risks and contact you and/or the data privacy supervisory authority in accordance with applicable laws.

Sharing your personal data

Your personal data will be treated as strictly confidential, and will be shared only under the following circumstances:

  • Where it is necessary to share with our third party/sub-contracted specialist advisors to deliver business growth support in partnership with us;
  • if we have your consent;
  • in exceptional circumstances – this might be to comply with legal requirement and regulatory requirements, for the administration of justice, to protect vital interests, to protect the security or integrity of our databases or this Site, to take precautions against legal liability;
  • with third parties we are required to partner with to deliver the services you are seeking
  • with regulatory authorities, courts and governmental agencies to comply with legal orders, legal or regulatory requirements and government

Your contact details will be shared with Sheffield Hallam University in relation to the Sheffield Innovation Programme Continuation. You are advised to read SHU’s Privacy Notice  to see how with your consent they use and share your personal data.

Transfer of data abroad

Unless explicitly specified, your data will not be transferred outside the European Economic Area (“EEA). In the event that a data transfer is made, appropriate technological safeguards will be put in place.

How long will we keep your data?

Sheffield City Region will only collect information that is necessary for the purposes for which it was collected as described above or in another privacy notice provided to you, or that is required by law. Sheffield City Region will retain this for no longer than reasonably necessary. When determining the appropriate criteria and timeframe for retention of users’ data, we will refer to our Retention Policy and Schedule.


Cookies are messages that web servers pass to your web browser when you visit internet sites. Your browser stores each message in a small file, called cookie.txt. We use ‘cookies’ to collect anonymous statistics about how people use the site, and to help us keep it relevant for the user. For detailed information on the cookies we use and the purposes for which we use them see Cookie Information on our website.

People who contact us via Social Media

Any interactions with us via Social Media are subject to the Privacy Notice of the site use. If you send us a direct or private message via social media it will be processed in accordance with section 1 of the table above and retained in line with the MCA retention schedule.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which the MCA holds about you;
  • The right to request that the MCA amend or rectify any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for the MCA to retain such data;
  • The right to withdraw your consent to the processing at any time (Only where consent is relied upon as a processing condition);
  • The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) (This right only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means).
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable) (This only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics)
  • The right not to be subject to a decision based solely on automated processing. (The MCA does not make automated decisions)

Exercising your rights

Please see the contact details in the Contact us section below if you wish to exercise any rights. We endeavour to acknowledge requests within two working days and issue the appropriate response and information promptly and within the relevant statutory timescale (usually one month).

How do I request access to my personal information?

The MCA tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to the Sheffield City Region Mayoral Combined Authority for any personal information we may hold you need to put the request in writing to the address provided below.

Your right to lodge complaints with the data privacy supervisory authority

If you want to complain about any issues relating to your personal information, you can email us using the address provided below.

You can also complain to the Information Commissioner’s Office, who can be contacted by telephone at 0303 123 1113, by email using the form at the following web link, or in writing to:

Wycliffe House
Water Lane

Changes to this privacy notice

We keep our privacy notice under regular review. Our data practices may change from time to time. If and when our data practices change, we will notify you of the changes via this page where the current version of the Privacy Policy will be published. Where appropriate, we will notify you of changes usually by email, but occasionally in another more appropriate format such as letter. We also encourage you to check this page frequently.

This privacy notice was last updated in May 2018.

How to contact us

If you want to request information about our privacy policy or request a copy of any information we hold about you, you can email us using or write to:

The Data Protection Officer
Sheffield City Region Mayoral Combined Authority
11 Broad Street West
S2 1BQ