The Privacy Notice for Staff should be read in conjunction with the overall Privacy Notice.
The University requires to process and retain certain personal data relating to you, by virtue of your employment by the University. All of your personal data will be treated strictly in accordance with the terms of the UK GDPR. This means that confidentiality will be respected and that appropriate security measures will be taken to prevent unauthorised disclosure.
Source of Data
The personal data the University holds about you is obtained from a number of sources including the following:
- Information you or a third party (e.g. a recruitment agency) have provided during your application process including references where applicable.
- Information you provide us with during the course of your employment.
- Information built up about you during your employment, e.g. promotions, disciplinary, general correspondence.
- Partner organisations such as professional bodies, employers, and other educational establishments for the purposes of external research, exchange or secondments.
- Records obtained during your interaction with the University and its facilities e.g. car parking records, CCTV footage, Sport Centre membership.
- Publicly accessible sources such as social media.
What Personal Data we process about you
A full description of the categories of personal data that we process about you can be found in the Record of Processing Activities – Staff Data and includes both special categories of personal information and information on protected characteristics required to fulfil the University’s equality duties. Examples of personal information held are name, gender, date of birth, contact details, education and training, qualifications, employment history, PAYE and NI code, bank details and salary information, pension information, criminal convictions, ethnicity and religious beliefs, trade union membership, participation in industrial action and health information.
Purposes of Processing
The University is required to process the personal data it collects about you for the purposes of providing you with employment and to allow us to execute all the administrative and ancillary tasks related to that. A full list of the purposes for which we process your personal data can be found in Record of Processing Activities – Staff Data. Examples include:
- Managing and updating HR processes (e.g., salaries, pensions, promotion, absences, disciplinary cases, complaints, professional development reviews etc.)
- Provision of advice and support for staff including referrals to Occupational Health
- Including staff details on the University’s website where this is required as part of the individual’s role
- Promoting the University’s work including research, researchers and their publications.
Legal Basis for Processing Your Personal Data
The law provides a number of bases on which data controllers such as the University can legitimise their processing activities. Given the breadth and depth of matters for which the University is required to process your personal data in order to provide you with employment, the University legitimises its processing activities on a variety of lawful bases. We have set out in our Legal Basis for Processing Staff Personal Data Record how we legitimise each processing activity. However, the majority of our processing activities in relation to your personal data will be on the following grounds:-
To fulfil the Employment Contract
We process your personal data where this is necessary for the performance of the employment contract between you and the University. Examples include managing HR processes, paying your salary and providing advice and support. If you do not provide us with the information necessary for us to have to employ you as envisaged by this document, we may not be able to employ you.
Where it is necessary for the purposes of carrying out obligations and exercising specific rights as your employer
In some instances, we will be required to process special categories of data e.g., health information, trade union membership, racial or ethnic origin, religious belief etc. Depending on the purpose concerned, this is likely to be lawful on the basis that it is necessary for us to do this in our role as your employer. An example of this is where participation in industrial action is recorded in order to process deductions to pay.
Compliance with a Legal Obligation or in the Substantial Public Interest
Sometimes we need to process your personal data to comply with a legal obligation on us. An example of this is in relation to monitoring compliance with equality legislation under the Equality Act 2010.
We will occasionally process your personal data for purposes that are not a core part of the University’s activities but are nonetheless in the legitimate interests of the University and also in the interests of staff. An example of this would be staff surveys which are carried out as part of the University’s commitment to improve experiences for staff and students.
There may be circumstances where we may not be able to legitimise processing of your personal data unless we have your consent. Consent will be sought as and when required. You have the right to withdraw consent at any time without prejudice to your status within the University. You can do this by contacting firstname.lastname@example.org. If you do withdraw consent, this will not affect the lawfulness of processing based on your consent before your withdrawal.
As part of the initial employment process, the University requests consent to use your personal data for:
- Providing contact details (name, job title and department) to those Trade Unions recognised by the University
Sharing your Personal Data with other bodies
The main bodies to which the University discloses staff personal data are detailed under the ‘Categories of Recipients’ section of the ‘Record of Processing Activities – Staff Data’. By way of summary, the main categories of bodies which we may disclose your personal data to are:-
- Accreditation bodies
- Central and Local government and government bodies
- Your embassy
- Other educational institutions – if you are involved in a project with a third party educational institutions e.g. as part of a research project or secondment.
- Overseas recruitment agencies.
- Service providers – we use service providers to store or in some cases process personal data on our behalf.
- Where we receive requests from third parties such as, but not limited to, statutory, regulatory, law enforcement agencies or other academic institutions, e.g., the Home Office, the Police, the NMC, HMRC etc. we may disclose your personal data as appropriate in line with data protection legislation. Such circumstances might include where information is required for investigations, e.g., fraud, fitness to practise or visa compliance.
- We may also disclose your personal data where this is strictly necessary to enforce or apply the employment contract in place with you or to investigate potential breaches of it or where this is necessary, in our view, to protect the rights, property or safety of others including our staff and students. For example, if we consider the University’s Prevent duty may apply.
- Submit statistical returns to the government or its agencies, including Scottish Funding Council and other official bodies such as the Higher Education Statistics Agency (HESA). This may include sensitive data for equality monitoring purposes. For more information about HESA see the HESA Data collection notice.
As part of routine business correspondence email addresses and business contact details will be shared with third parties.
When we share your personal data with a third party as set out above or as referred to within our Record of Processing Activities – Staff Data in some cases, in particular to our use of Cloud based facilities, including Office 365, these may involve a transfer of personal data to a recipient outside of the European Economic Area and located within a country that may not be viewed as having adequate data protection laws by the European Commission. All international transfers will be in accordance with applicable data protection laws.
Retention of your personal data
We will hold your personal data for the duration of your employment and for a period following the end of your employment in line with best practice recommendations for records retention. We will, however, keep a record of your employment at the University for the longer term for tax and pension reasons.
Contact details relating to staff data
If you would like to update your personal details this can be done via the University’s staff portal.
If you want further information about how your personal information is used or would like to request to correct, restrict or erase personal details should be reported to: