Privacy Notice


Collecting your personal information

Sheffield City Region Combined Authority and Sheffield City Region Local Enterprise Partnership take the privacy of your information very seriously.

When we collect personal data, we are required to make sure you are clear what data we need and why, what we intend to do with it, what your individual rights are, and who you can contact for enquiries or concerns about the use of your personal data. This is called a privacy notice and we can do this verbally or in writing.

Our Privacy Policy below explains how we will collect and use the information you give us via our data processors, websites and otherwise when you are using our services, for instance when you complete any paper or forms or otherwise, or provide data to us by telephone.

We are committed to good information handling principles and protecting the privacy and confidentiality of any personal information we deal with.

When we interact with you, we might give you supplementary privacy notices which are more specific to the personal data we’re collecting or using at that point. You should read those notices alongside this Privacy Policy.

In this Privacy Policy, the word “we” and “SCR” refers to Sheffield City Region Combined Authority and Sheffield City Region Local Enterprise Partnership. Unless otherwise stated, we are the data controller of any personal data collected.  Our contact details are included in the contact us section below.

Our contracted data processors for the Enterprise Adviser Network for the period 1st September 2018-31st August 2019 are:

Barnsley Metropolitan Borough Council

Doncaster Chamber

Rotherham Metropolitan Borough Council

Sheffield City Council

Giraffe Learning Ltd

What is personal information?

“Personal information” is data which relates to an identified or identifiable natural person who can be identified from that data. This means any individual who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, online identifiers (for example, IP addresses – if they can be used to identify you) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

We collect your personal information in order to provide services to you and enable your participation in the Enterprise Adviser Network. This includes the details about yourself that you provide to our data processors over the telephone, on forms, by email, in letter, in person and online.

We’ll only collect information that is necessary or is required by law and we’ll explain the reasons for this.

We recognise that the information you provide may be sensitive and we will respect your privacy.

You may choose not to provide us with personal information, although some of our services and participation in the Enterprise Adviser Network may not be available as a result.

The categories of personal data we hold

Personal information collected from you in connection with our services includes the following:

  • your full name, home and work postal addresses, telephone numbers, e-mail address, employer/business and professional information, job title, medical conditions, outcome and validity of safeguarding/DBS checks, educational attainment, professional body membership, social media accounts and any other personal data which is voluntarily provided from time to time.

[Where we hold sensitive personal data, it will be held by Sheffield City Region Combined Authority and LEP only and will be kept confidential, it will not be shared, and it will only be used for purposes connected with your engagement as an Enterprise Adviser and your particular needs whilst working]

  • record and process information about meetings and events you attend as a volunteer of the Enterprise Adviser Network

If you communicate with us by email over the internet you should be aware that the nature of the internet as a means of communication means that this may not be secure. Please do not email us with confidential or sensitive information. We comply with data privacy laws in relation to security, but cannot accept responsibility for unauthorised access to your information that is outside our control. Further information regarding our approach to the security of personal information is included in the section below on Security of personal information.

Third party personal information

If you give us personal information about another person, in doing so you confirm that they have given you their prior permission to provide it to us and for us to be able to process their personal data (including any sensitive personal data).

You must also ensure this and other relevant privacy policies are brought to their attention so they can review how their personal information may be used.

The purposes for which we use personal information

Sheffield City Region and its data processors comply with their  obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We will only use your personal information for the purposes that you would reasonably anticipate or that we state when we collect it and, where necessary, when you have given us your consent.  The situations in which this is relevant are set out in the table below.

The legal basis for our use and other processing of your personal information under data privacy laws

We are required to indicate our processing activities with your personal information and the legal basis for those activities (see the table below). The legal basis includes handling your personal information:

  • in order that we may perform our services and obligations under any contract or memorandum of understanding with
  • for the legitimate interests of the SCR or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
  • for processing which is necessary for compliance with a legal obligation
  • where it is necessary to protect your vital interests or those of another person
  • where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
  • with your consent. This means your freely given, specific, informed and unambiguous consent which must be collected from you at the time at which it is requested, including in relation to any direct marketing communications. See Keeping you informed



Scope of processing

Information to enable the completion of the EAN Register

Information to provide grant claims and progress reports to the requirements of the Careers and Enterprise Company Information to enable the operation of the Enterprise Adviser Network according to the Enterprise Coordinator Roadmap

Duration of the processing

Rolling annual basis at this stage until 31st August 2020 (subject to confirmation and availability of budgets)

Nature and purposes of the processing

To enable the submission of Grant claims and progress reports to the requirements of the Careers and Enterprise Company

Types of personal data

  • Details on pay/payslips/payroll information

  • Curriculum Vitaes

Disposal of data

7 years from the date of programme completion

Categories of data subject

Personal information

You should be aware that you are entitled under data privacy law to withdraw your consent, where it has been given, at any time.  You can withdraw your consent by contacting us. See more details in the Contact us section below.

You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing on your personal information, this may affect our ability to provide our services.

Security of personal information

We endeavour to use appropriate technical and physical security measures to protect personal information which is transmitted, stored or otherwise processed from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access, whenever this is collected in connection with our services.

In particular, we endeavour to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymisation (such as where data is separated from direct identifiers so that linkage to an identity is not possible without additional information that is held separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process your personal information, (c) ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.

If there is a breach of security involving your personal information which we are concerned will involve risks to you, we shall, without undue delay, work to mitigate those risks and contact you and/or the data privacy supervisory authority in accordance with applicable laws.

Sharing your personal data

Your personal data will be treated as strictly confidential, and will be shared only under the following circumstances:

  • Where it is necessary to share with our third party/sub-contracted delivery partners to deliver the Enterprise Adviser Network in partnership with us;
  • if we have your consent;


- in exceptional circumstances – this might be to comply with legal requirement and regulatory requirements, for the administration of justice, to protect vital interests, to protect the security or integrity of our databases or this Site, to take precautions against legal liability;


- with third parties we are required to partner with to deliver the services you are seeking


- with regulatory authorities, courts and governmental agencies to comply with legal orders, legal or regulatory requirements and government

Sensitive personal data will not be shared.

Transfer of data abroad

Unless explicitly specified, your data will not be transferred outside the European Economic Area (“EEA). In the event that a data transfer is made, appropriate technological safeguards will be put in place.

How long will we keep your data?

Sheffield City Region will only collect information that is necessary for the purposes for which it was collected as described above or in another privacy notice provided to you, or that is required by law. Sheffield City Region will retain this for no longer than reasonably necessary. When determining the appropriate criteria and timeframe for retention of users’ data, we will refer to our Retention Policy and Schedule.


Cookies are messages that web servers pass to your web browser when you visit internet sites. Your browser stores each message in a small file, called cookie.txt. We use ‘cookies’ to collect anonymous statistics about how people use the site, and to help us keep it relevant for the user. For detailed information on the cookies we use and the purposes for which we use them see the SCR Cookie Information on our website.

People who contact us via Social Media

Any interactions with us via Social Media are subject to the Privacy Notice of the site use. If you send us a direct or private message via social media it will be processed in accordance with section 1 of the table above and retained in line with the SCR retention schedule.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which Sheffield City Region holds about you;
  • The right to request that Sheffield City Region amend or rectify any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for Sheffield City Region to retain such data;
  • The right to withdraw your consent to the processing at any time (Only where consent is relied upon as a processing condition);
  • The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) (This right only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means).
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable) (This only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics)
  • The right not to be subject to a decision based solely on automated processing. (Sheffield City Region does not make automated decisions)


Exercising your rights

Please see the contact details in the Contact us section below if you wish to exercise any rights. We endeavour to acknowledge requests within two working days and issue the appropriate response and information promptly and within the relevant statutory timescale (usually one month).

How do I request access to my personal information?

Sheffield City Region tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to the Sheffield City Region for any personal information we may hold you need to put the request in writing to the address provided below.

Your right to lodge complaints with the data privacy supervisory authority

If you want to complain about any issues relating to your personal information, you can email us using the address provided below.

You can also complain to the Information Commissioner’s Office, who can be contacted by telephone at 0303 123 1113, by email using the form at the following web link, or in writing to:

Wycliffe House
Water Lane

Changes to this privacy notice

We keep our privacy notice under regular review. Our data practices may change from time to time. If and when our data practices change, we will notify you of the changes via this page where the current version of the Privacy Policy will be published. Where appropriate, we will notify you of changes usually by email, but occasionally in another more appropriate format such as letter. We also encourage you to check this page frequently.

This privacy notice was last updated in May 2019.

How to contact us

If you want to request information about our privacy policy or request a copy of any information we hold about you, you can email us using This email address is being protected from spambots. You need JavaScript enabled to view it. or write to:

The Data Protection Officer
Sheffield City Region
11 Broad Street West
S2 1BQ

Careers Enterprise Co 150

Visit The Careers & Enterprise Company website for information about the national programme


ea la footer

S5 Box



You need to enable user registration from User Manager/Options in the backend of Joomla before this module will activate.