The Privacy Notice for Staff should be read in conjunction with the overall Privacy Notice available here.
The University requires to process and retain certain personal data relating to you, by virtue of your employment by the University. All of your personal data will be treated strictly in accordance with the terms of the GDPR. This means that confidentiality will be respected and that appropriate security measures will be taken to prevent unauthorised disclosure.
The personal data the University holds about you is obtained from a number of sources including the following:
A full description of the categories of personal data that we process about you can be found in the Record of Processing Activities – Staff Data and includes both special categories of personal information and information on protected characteristics required to fulfil the University’s equality duties. Examples of personal information held are name, gender, date of birth, contact details, education and training, qualifications, employment history, PAYE and NI code, bank details and salary information, pension information, criminal convictions, ethnicity and religious beliefs, trade union membership and health information.
The University requires to process the personal data it collects about you for the purposes of providing you with employment and to allow us to execute all the administrative and ancillary tasks related to that. A full list of the purposes for which we process your personal data can be found in Record of Processing Activities – Staff Data. Examples include:
The law provides a number of basis on which data controllers such as the University can legitimise its processing activities. Given the breadth and depth of matters for which the University requires to process your personal data in order to provide you with employment, the University legitimises its processing activities on a variety of lawful basis. We have set out in our Legal Basis for Processing Staff Personal Data Record how we legitimise each processing activity. However the majority of our processing activities in relation to your personal data will be on the following grounds:-
To fulfil the Employment Contract
We process your personal data where this is necessary for the performance of the employment contract between you and the University. Examples include managing HR processes, paying your salary and providing advice and support. If you do not provide us with the information necessary for us to have to employ you as envisaged by this document, we may not be able to employ you.
Where it is necessary for the purposes of carrying out obligations and exercising specific rights as your employer
In some instances we will require to process special categories of data e.g. health information, trade union membership, racial or ethnic origin, religious belief etc. Depending on the purpose concerned, this is likely to be lawful on the basis that it is necessary for us to do this in our role as your employer.
Compliance with a Legal Obligation or in the Substantial Public Interest
Sometimes we need to process your personal data to comply with a legal obligation on us. An example of this is in relation to monitoring compliance with equality legislation under the Equality Act 2010.
We will occasionally process your personal data for purposes that are not a core part of the University’s activities but are nonetheless in the legitimate interests of the University and also in the interests of staff. An example of this would be staff surveys which are carried out as part of the University’s commitment to improve experiences for staff and students.
There may be circumstance where we may not be able to legitimise processing of your personal data unless we have your consent. Consent will be sought as and when required. You have the right to withdraw consent at any time without prejudice to your status within the University. You can do this by contacting email@example.com. Please note that if you do withdraw consent, this will not affect the lawfulness of processing based on your consent before your withdrawal.
As part of the initial employment process the University requests consent to use your personal data for:
The main bodies to which the University discloses staff personal data are detailed under the ‘Categories of Recipients’ section of the ‘Record of Processing Activities – Staff Data’. By way of summary, the main categories of bodies that we may disclose your personal data to are:-
As part of routine business correspondence email addresses and business contact details will be shared with third parties.
When we share your personal data with a third party as set out above or as referred to within our Record of Processing Activities – Staff Data in some cases, in particular to our use of Cloud based facilities, including Box, these may involve a transfer of personal data to a recipient outside of the European Economic Area and located within a country that may not be viewed as having adequate data protection laws by the European Commission. All international transfers will be in accordance with applicable data protection laws.
As a minimum, the University will retain your personal data for as long as you are an employee of the University provided it is necessary for its purposes as described. Following termination of your employment at the University, we shall securely remove from our systems any personal data that we no longer require for the purposes set out above. Please note however that even after termination of your employment, the University may still need to retain your personal data to satisfy its obligations to keep certain records for particular periods under applicable law as per the University's retention schedule.
If you would like to update your personal details this can be done via the University’s staff portal.
If you want further information about how your personal information is used or would like to request to correct, restrict or erase personal details should be reported to: