In order to comply with its contractual, statutory, and management obligations and responsibilities, the University is required to process personal data relating to its employees, including ‘sensitive’ personal data, as defined in the Data Protection Act 1998 (the “Act”) which includes information relating to health, racial or ethnic origin, and criminal convictions. All such data will be processed in accordance with the provisions of the Act and the University Policy on Data Protection as amended from time to time. (See the current University Policy on Data Protection.) For the purposes of the Act, the term ‘processing’ includes the initial collection of personal data, the holding and use of such data, as well as access and disclosure, through to final destruction. In certain circumstances, the provisions of the Act permit the University to process an employee’s personal data, and, in certain circumstances, sensitive personal data, without their explicit consent. Further information on what data is collected and the purposes for which it is processed is given below.
The University’s contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll; bank account; postal address; sick pay; leave; maternity pay; and pension and emergency contacts.
The University’s statutory responsibilities are those imposed on the University by legislation. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax; national insurance; statutory sick pay; statutory maternity pay; family leave; work permits; and equal opportunities monitoring.
The University’s management responsibilities are those necessary for the organisational functioning of the University. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment; training and development; teaching; research; absence; disciplinary matters; health and safety; security, including University-operated CCTV; e-mail address and telephone number; swipe cards; and criminal convictions.
Sensitive personal data
The Act defines ‘sensitive personal data’ as information about racial or ethnic origin; political opinions; religious beliefs or other similar beliefs; trade union membership; physical or mental health; sexual life; and criminal allegations, proceedings or convictions. In certain limited circumstances, the Act permits the University to collect and process sensitive personal data without requiring the explicit consent of the employee.
(a) The University will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and consent.
(b) Save in exceptional circumstances, the University will process data about an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding the University's equal opportunities policies and related provisions.
(c) Data about an employee’s criminal convictions will be held as necessary.
Disclosure of personal data to other bodies
In order to perform its contractual and management responsibilities, the University may, from time to time, need to share an employee’s personal data with one or more colleges. In such cases, the college or colleges will be required to process the data in accordance with the provisions of the Act.
For the performance of the employment contract, the University is required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs.
In order to fulfil its statutory responsibilities, the University is required to provide some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.
Some information about staff is sent in coded and anonymised form to the Higher Education Statistics Agency (HESA). Further information on how HESA uses this data is available from the HESA website.
The University will display an employee’s webmail address and telephone number in the Online Contact Search Facility, which is accessible to internet users, including those in countries outside the European Economic Area (EEA). Employees should be aware that many countries outside the EEA do not have data protection legislation, or have different data protection or privacy regimes, and so may not always protect their personal data to the same standard as within the EEA. Requests to have an email address and/or telephone number omitted from the Online Contact Search Facility should be addressed to the employee’s Telecommunications Co-ordinator (normally their departmental administrator) and will need to be approved by their Head of Department.
Keeping personal data up-to-date
The Act requires the University to take reasonable steps to ensure that any personal data it processes is accurate and up-to-date. It is the responsibility of the individual employee to inform the University of any changes to the personal data that they have supplied to it during the course of their employment.
Under the Act, it is possible for individuals to request access to any of their personal data held by the University, subject to certain restrictions. A request for disclosure of such information is called a subject access request. Any such requests should be addressed to the University’s Information Compliance Team.