The Privacy Notice for Staff should be read in conjunction with the overall Privacy Notice available here.
The University requires to process and retain certain personal data relating to you, by virtue of your employment by the University. All of your personal data will be treated strictly in accordance with the terms of the GDPR. This means that confidentiality will be respected and that appropriate security measures will be taken to prevent unauthorised disclosure.
Source of Data
The personal data the University holds about you is obtained from a number of sources including the following:
- Information you or a third party (e.g. a recruitment agency) have provided during your application process including references where applicable.
- Information you provide us with during the course of your employment.
- Information built up about you during your employment, e.g. promotions, disciplinary, general correspondence.
- Partner organisations such as professional bodies, employers, and other educational establishments for the purposes of external research, exchange or secondments.
- Records obtained during your interaction with the University and its facilities e.g. car parking records, CCTV footage, Sport Centre membership.
- Publicly accessible sources such as social media.
What Personal Data we process about you
A full description of the categories of personal data that we process about you can be found in the Record of Processing Activities – Staff Data and includes both special categories of personal information and information on protected characteristics required to fulfil the University’s equality duties. Examples of personal information held are name, gender, date of birth, contact details, education and training, qualifications, employment history, PAYE and NI code, bank details and salary information, pension information, criminal convictions, ethnicity and religious beliefs, trade union membership and health information.
Purposes of Processing
The University requires to process the personal data it collects about you for the purposes of providing you with employment and to allow us to execute all the administrative and ancillary tasks related to that. A full list of the purposes for which we process your personal data can be found in the Record of Processing Activities – Staff Data. Examples include:
- Managing and updating HR processes (e.g. salaries, pensions, promotion, absences, disciplinary cases, complaints, professional development reviews etc.)
- Provision of advice and support for staff including referrals to Occupational Health
- Including staff details on the University’s website where this is required as part of the individual’s role
- Promoting the University’s work including research, researchers and their publications.
Legal Basis for Processing Your Personal Data
The law provides a number of bases on which data controllers such as the University can legitimise their processing activities. Given the breadth and depth of matters for which the University requires to process your personal data in order to provide you with employment, the University legitimises its processing activities on a variety of lawful bases. We have set out in our Legal Basis for Processing Staff Personal Data Record how we legitimise each processing activity. However, the majority of our processing activities in relation to your personal data will be on the following grounds:
To fulfil the Employment Contract
We process your personal data where this is necessary for the performance of the employment contract between you and the University. Examples include managing HR processes, paying your salary and providing advice and support. If you do not provide us with the information necessary for us to employ you as envisaged by this document, we may not be able to employ you.
Where it is necessary for the purposes of carrying out obligations and exercising specific rights as your employer
In some instances we will require to process special categories of data e.g. health information, trade union membership, racial or ethnic origin, religious belief etc. Depending on the purpose concerned, this is likely to be lawful on the basis that it is necessary for us to do this in our role as your employer.
Compliance with a Legal Obligation or in the Substantial Public Interest
Sometimes we need to process your personal data to comply with a legal obligation on us. An example of this is in relation to monitoring compliance with equality legislation under the Equality Act 2010.
We will occasionally process your personal data for purposes that are not a core part of the University’s activities but are nonetheless in the legitimate interests of the University and also in the interests of staff. An example of this would be staff surveys which are carried out as part of the University’s commitment to improve experiences for staff and students.
There may be circumstances where we may not be able to legitimise processing of your personal data unless we have your consent. Consent will be sought as and when required. You have the right to withdraw consent at any time without prejudice to your status within the University. You can do this by contacting email@example.com. Please note that if you do withdraw consent, this will not affect the lawfulness of processing based on your consent before your withdrawal.
As part of the initial employment process the University requests consent to use your personal data for:
- Providing contact details (name, job title and department) to those Trade Unions recognised by the University
Sharing your Personal Data with other bodies
The main bodies to which the University discloses staff personal data are detailed under the ‘Categories of Recipients’ section of the ‘Record of Processing Activities – Staff Data’. By way of summary, the main categories of bodies that we may disclose your personal data to are:
- Accreditation bodies
- Central and Local government and government bodies
- Your embassy
- Other educational institutions – if you are involved in a project with a third-party educational institution, e.g. as part of a research project or secondment.
- Overseas recruitment agencies.
- Service providers – we use service providers to store or in some cases process personal data on our behalf.
- If we are under a duty to disclose your personal data to a third party in order to comply with any legal or regulatory request e.g. the Police or HMRC.
- We may also disclose your personal data where this is strictly necessary to enforce or apply the employment contract in place with you or to investigate potential breaches of it or where this is necessary, in our view, to protect the rights, property or safety of others including our staff and students.
- Submit statistical returns to the government or its agencies, including Scottish Funding Council and other official bodies such as the Higher Education Statistics Agency (HESA). This may include sensitive data for equality monitoring purposes. For more information about HESA see the HESA Data collection notice.
As part of routine business correspondence email addresses and business contact details will be shared with third parties.
When we share your personal data with a third party as set out above or as referred to within our Record of Processing Activities – Staff Data, in some cases, in particular in relation to our use of cloud-based facilities, including Box, this may involve a transfer of personal data to a recipient outside of the European Economic Area and located within a country that may not be viewed as having adequate data protection laws by the European Commission. All international transfers will be in accordance with applicable data protection laws.
Retention of your personal data
As a minimum, the University will retain your personal data for as long as you are an employee of the University provided it is necessary for its purposes as described. Following termination of your employment at the University, we shall securely remove from our systems any personal data that we no longer require for the purposes set out above. Please note however that even after termination of your employment, the University may still need to retain your personal data to satisfy its obligations to keep certain records for particular periods under applicable law as per the University's retention schedule.
Contact details relating to staff data
If you would like to update your personal details this can be done via the University’s staff portal.
If you want further information about how your personal information is used, or would like to request that personal details be corrected, restricted or erased, this should be reported to: