Staff Privacy Policy

This policy applies to the University of Oxford’s current and former employees, workers, contractors, secondees from other organisations, visitors, volunteers and interns.

A. What is the purpose of this document?

The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).

This privacy policy describes how we collect and use your personal data during and after your employment or work with us, in accordance with the General Data Protection Regulation (GDPR) and related UK data protection legislation. It is important that you read this policy, together with any other privacy policy we may provide on specific occasions when we are collecting or processing information about you, so that you are aware of how and why we are using the information.

B. Glossary

Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified, whether directly or indirectly. It does not include data where your identity has been removed (anonymous data).

Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure, deletion or retention.

C. Who is using your personal data?

The University of Oxford[1] is the "data controller" for the information that we hold about you as a result of your employment or work at the University. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.

This policy does not form part of any contract of employment or other contract to provide services. We may update this policy at any time.

D. The types of data we hold about you

The information we hold about you may include the following:

• Personal details such as name, title, address, telephone number, email address, date of birth, National Insurance number, nationality, sex and gender identity, marital status, information about your dependants;

• Next of kin and emergency contact information;

• Banking, tax status and other financial information;

• Salary, leave, pension and benefits information;

• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);

• Employment records (including job titles, work history, working hours, location of workplace, personal development and training records, performance information, exit interview, health and safety information and professional memberships);

• Disciplinary and grievance information;

• Information about your use of our information and communications systems (including CCTV and building access information);

• Work related photographs.

We may also process the following "special categories" of more sensitive information:

• Information about your race or ethnicity, religious beliefs and sexual orientation;

• Trade union membership;

• Information about your health, including any disability and/or medical condition, health and sickness records;

• Information about criminal convictions and offences, including proceedings or allegations.

E. How did the University obtain your data?

We obtain the vast majority of information directly from you, through the application and recruitment process. We may also obtain information from third parties, such as employment agencies, background check providers or referees. We will collect additional information about you during your employment or work with us.

F. How the University uses your data

We process your data for a number of purposes arising from your employment or work, including appointment (e.g. terms and conditions and payment of salary); staff management (e.g. induction, performance appraisal, management of sickness or other absence, merit schemes); discipline or grievance processes; and the provision of services and support (such as counselling, disability support or childcare). We set out below those circumstances where it is necessary for us to process your data. (These circumstances are not mutually exclusive; we may use the same information under more than one heading.)

1. Because we have a contract with you

We need to process your data in order to meet our obligations or exercise rights under the contract of employment or other contractual document relating to your engagement with the University. Information processed for this purpose includes, but is not limited to, data relating to: payroll; your pension; your bank account; your postal address, email address and telephone number; emails sent or received by you or between other members of staff, which are stored on the University’s network; any record of absence; sick pay; annual leave; family leave and pay; emergency contacts; training and development; reward and recognition; teaching and research; disciplinary matters; criminal convictions or barring decisions; health and safety; and security. 

2. Where we need to comply with a legal obligation

We need to process your data in order to meet legal obligations, such as those relating to immigration, health and safety, and equal opportunities. Information processed for this purpose includes, but is not limited to, information relating to tax; national insurance; auto-enrolment for pension; statutory sick pay; statutory maternity, adoption, paternity and shared parental pay; family leave; work permits or immigration status; management of health and safety and equal opportunities monitoring. We are required to disclose much of this data to government departments or agencies.

3. Where it is necessary to meet a task in the public interest

We may need to process your data for purposes related to teaching and research such as academic assessment, examination administration or research related administration. Teaching and research are tasks that we perform in the public interest in order to fulfil our responsibility as a charity for promoting the advancement of learning. Information processed for these purposes includes, but is not limited to: your personal details; records of teaching and research activity; emails sent or received by you or between other members of staff; and funding applications or grants.

4. Where it is necessary to meet our legitimate interests

We need to process your data in order to meet our legitimate interests relating to the governance, management and operation of the University. Examples include, but are not limited to, the following activities:

  • Policy development;
  • Internal reporting;
  • Management of staffing budgets;
  • Benchmarking;
  • Equal Pay Audits;
  • Financial Audits;
  • Internal communications;
  • Activities arising from your membership of University committees or similar bodies e.g. Congregation;
  • Your participation in events and other activities organised in support of the University's alumni relations and development objectives;
  • Nominations for external awards;
  • University elections;
  • Security, including CCTV;
  • Maintenance of IT systems, including information security; and
  • Administration of health and safety.

5. Where we have your consent

There may be situations where we ask for your consent to process your data e.g. where we ask you to volunteer information about yourself by taking part in a survey, or where we ask for your permission to share sensitive information.

If you fail to provide personal information under F1 or F2 above

If you fail to provide certain information when requested under the circumstances described in F1 and F2 above, it may impair our ability to fulfil our obligations to you, or to comply with our other legal obligations.

G. Change of purpose

We will only process your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.

Please note that we may process your data without your knowledge or consent where this is required or permitted by law.

H. Special category data and criminal conviction data

Special category data and criminal conviction data require a higher level of protection. Listed below are examples of processing activities that we regularly undertake in respect of these types of data.  In addition to the activities listed below, it may sometimes be necessary to process this sort of information for exceptional reasons, for example, because it is necessary to protect your vital interests or those of another person.

(a) Health (including disability)

We will process data about your health where it is necessary, for example, to record absence from work due to sickness, to arrange to pay appropriate levels of sick pay, to determine fitness for work or to determine whether it is necessary to make reasonable adjustments for disability.  Processing of this nature is necessary to carry out our obligations or exercise our specific rights as an employer; and/or for the purposes of occupational medicine and for the assessment of the working capacity of employees. There may also be circumstances where we ask for your explicit consent to share data about your health.

(b) Criminal conduct (including convictions, proceedings or allegations)

Data about unspent criminal convictions or barring decisions is collected before your appointment. Data about spent criminal convictions or any barring decisions will only be collected if you have applied for and been appointed to particular posts, and where we are legally required to do so. If a post requires additional screening you will be advised before the screening takes place. We may also process data relating to criminal conduct for disciplinary reasons in order to exercise rights under our contract with you.

Processing of this nature is necessary to meet our legal obligations and exercise our specific rights as an employer, and will be subject to suitable safeguards.

(c) Racial or ethnic origin, sexual orientation and religious belief

Data about your racial and ethnic origin, sexual orientation or religious belief will only be processed where you have volunteered it and where we need to process it in order to meet our statutory obligations under equalities and other legislation.  This processing is considered to meet a substantial public interest.  

I. Data Sharing with third parties

In order to perform our contractual and other legal responsibilities, we may, from time to time, need to share your information with the following types of organisation:

  • With one or more colleges[2], where members of staff are employed by both organisations or are providing services in different parts of the collegiate university;
  • External companies providing services to us, for example, those that hold and process staff data on our behalf in relation to HR functions e.g. IT systems in use across the University to record absence data, process payroll, staff appraisal, occupational health. Other examples include companies assisting us with legal advice, staff surveys and benchmarking;  
  • External organisations offering University-sponsored services including those that offer benefits to staff, such as travel schemes, nursery providers and employee assistance programmes;
  • Pension providers;  
  • Relevant governmental departments or agencies, including those responsible for tax and immigration;
  • Our internal and external auditors;
  • If you have or are seeking a particular relationship with a third party, such as a fellowship or trust provider, either because of an employment relationship, secondment, sponsorship arrangement, or collaboration;
  • Other UK Higher education providers or other employers, where you have worked in the past or you may move to in the future;
  • Unions and legal representatives where you have involved them to support you through a process.

Where information is shared with third parties, we will seek to share the minimum amount necessary. For example, we may share only your employee number and not your name (this is known as pseudonymisation).

All our third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

Some information about staff is sent in coded and pseudonymised or anonymised form to the Higher Education Statistics Agency (HESA) (further information on how HESA uses this data is available from the HESA website). We also submit information to equality charter mark schemes such as Athena Swan and the Race Equality Charter (for more information see: https://www.ecu.ac.uk/equality-charters/).

J. Transfers of your data outside of the European Economic Area (EEA)[3]

There may be occasions when we transfer your data outside the EEA, for example, if we communicate with you using a cloud based service provider that operates outside the EEA, or if we seek a reference from a person outside the EEA. Such transfers will only take place if one of the following applies:

  • the country receiving the data is considered by the EU to provide an adequate level of data protection;
  • the organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU-US Privacy Shield;
  • the transfer is governed by approved contractual clauses;
  • the transfer has your consent;
  • the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract;
  • the transfer is necessary for the performance of a contract with another person, which is in your interests;
  • the transfer is necessary in order to protect your vital interests or of those of other persons, where you or other persons are incapable of giving consent;
  • the transfer is necessary for the exercise of legal claims; or
  • the transfer is necessary for important reasons of public interest.

We may display your University email address and telephone number on our websites, which are accessible to internet users, including those in countries outside the EEA.

K. Data Security

We have put in place measures to protect the security of your information. Details of these measures are available from the University’s Information Security website.

Third parties that process data on our behalf will do so only on our instructions and where they have agreed to keep it secure.

L. Retention Period

We will retain your data for as long as we need it to fulfil our purposes, including any relating to legal, accounting, or reporting requirements.  

Details of the retention periods for different types of HR data are available here: http://www.admin.ox.ac.uk/personnel/recruit/rec_recs/retention/

M. Your rights

Under certain circumstances, by law you have the right to:

• Request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.

• Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate data we hold about you.

• Request erasure of your data. This enables you to ask us to delete or remove your data under certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).

• Object to processing of your data where we are processing it to meet our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.

• Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.

• Request the transfer of your data to another party.

Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations as your employer if we were to stop.   Where you have consented to the processing (for example where you have allowed us to communicate with your GP regarding your medical records) you can withdraw your consent at any time, by emailing the relevant department. If you choose to withdraw consent it will not invalidate past processing. Further information on your rights is available from the Information Commissioner’s Office (ICO).

If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, you should contact the University’s Information Compliance Team at data.protection@admin.ox.ac.uk. The same email address may be used to contact the University’s Data Protection Officer.  We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

If you remain dissatisfied, you have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.

N. Keeping your data up-to-date

It is important that the data we hold about you is accurate and current. Please keep us informed of any changes that may be necessary during your working relationship with us.

O. Changes to this privacy policy

We reserve the right to update this privacy policy at any time, and will seek to inform you of any substantial changes. We may also notify you in other ways from time to time about the processing of your personal data.


[1] The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford

[2] College means any college or Permanent Private Hall

[3] The EU plus Norway, Liechtenstein and Iceland.