Staff Privacy Notice

What is the purpose of this document? 


The University of Worcester (“The University”)  (“we”, “our” or “us”) is committed to protecting the privacy and security of your personal information.

The University is defined as the University of Worcester and its subsidiary companies: UW Developments Ltd, UW Enterprises Ltd and UW Worcester Wolves Ltd.

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, together the data protection legislation.

It applies to all employees (including sessional staff, temporary staff and associate staff), workers and contractors. It is important that you read this notice.

The University is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under the data protection legislation to notify you of the information contained in this privacy notice.

This notice applies to current and former employees, workers and contractors (“you” or “your”). This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.

This Privacy Notice should be read in conjunction with the Staff Record of Processing Activities which sets out the various data records processed, the lawful basis for processing, and who the data is shared with. 

The University has also published separate notices, which are applicable to other groups and activities. Those notices may also apply to you, depending on your circumstances, and it is important that you read this privacy notice together with other applicable privacy notices and webpages:

1. Current students and applicants Privacy Notice

2. Visitors to the University Privacy Notice (including those attending conferences, events or accessing other facilities offered by the University. This notice also applies to Alumni, members of the Board of Governors, members of the College of Fellows, and holders of other honorary appointments)

3. Website Privacy Notice (including how we monitor use of our website)

4. Cookie Notice

5. CCTV webpage (including information about how we use CCTV)

6. IT Regulations (which includes information about monitoring of network accounts – section 8)

This notice explains what personal data the University holds about you, how we share it, how long we keep it and what your legal rights are in relation to it.

Contact Details

We are the University of Worcester, Henwick Grove, Worcester, WR2 6AJ

If you need to contact us about your data for your general staff record please contact: Human Resources (HR@worc.ac.uk).  For other data collections please contact in the first instance: Information Assurance (infoassurance@worc.ac.uk)

The University has a Data Protection Officer, whose contact details are: Helen Johnstone, Head of Information Assurance (h.johnstone@worc.ac.uk)

 

Data protection principles

We will comply with the data protection legislation. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date.

5. Kept only as long as necessary for the purposes we have told you about.

6. Kept securely.

Personal data, or personal information, means any information relating to you as a living individual from which you can be identified. It does not include data where the identity has been removed (anonymous data)

There are "Special Categories" of more sensitive personal data which require a higher level of protection.


The categories of personal information that we may collect, store, and use about you include (but are not limited to):

  • The contact details that you provide to us, including names, titles, addresses, telephone numbers and personal email addresses.
  • Personal details/data such as date of birth, gender, marital status etc
  • Family details such as next of kin and emergency contact information, details of any life assurance beneficiaries.
  • National Insurance number.
  • Lifestyle and social circumstances.
  • Trade union membership.
  • Your position, role, contract terms, grade, salary, benefits and entitlements, working hours, training records and if you leave, your reason for leaving.
  • Records about your recruitment, including your application paperwork, details of your qualifications/education, references, requests for special arrangements, communications regarding our decisions, and relevant committee and panel reports. 
  • Details of any relevant criminal convictions or charges that we ask you to declare to us, either when you apply to us, [or during your employment. Relevant criminal convictions or charges are those that indicate you might pose an unacceptable risk to customers or staff. Further, your role at the University may require that we conduct a Disclosure and Barring Service check, which will provide us with details of any relevant criminal convictions and/or cautions that you have received. More information is available her
  • Copies of passports, driving licence and driving history, right to work documents, visas and other immigration data.
  • Pensions membership data, including identification numbers, quotes and projections, terms benefits and contributions.
  • Details of any medical issues and/or disabilities that you have notified to us, including any consideration and decision on reasonable adjustments made as a result.
  • Equality monitoring data.
  • Dietary requirements. 
  • Your financial details, including bank and building society account numbers, sort codes, BACS IDs, NI numbers, tax codes, payslips, payroll records, tax status information and similar data.
  • Learning and development records, including your attendance, completions, accreditations and certifications.
  • Capability procedure records, including performance indicators, records of review meetings, feedback, decisions and outcomes.
  • Promotion and progression records, including applications, references and supporting materials, records of deliberations and decisions, feedback and awards.
  • Records regarding grievances, disciplinary proceedings or investigations prompted by, involving or relating to you
  • Visual images, personal appearance and behaviour / photographs, audio and video recording (including CCTV).
  • Absence records, including leave requests, sickness records and related data
  • Computing and email information, including login information for our IT systems, IP address(es), equipment allocated to you and records of network access.
We may during the course of your employment with us also collect, store and use the following "special categories" of more sensitive personal information:
  • Information about your race, ethnicity (including nationality), religious or philosophical beliefs, political opinions and sexual orientation (Information about your trade union membership
  • Information about your health, including any medical condition or disability and health and sickness records.

Further categories of data what we hold in relation to you are set out in our Record of Processing Activity

We typically collect personal information about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider (including your previous educational establishments and/or former employers if they provide references to us or credit reference agencies).

We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

Our Record of Processing Activity indicates the sources of each of the various categories of data that we process.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered with you and/or we may be prevented from complying with our legal obligations.  For example:

  • Copies of your passport, right to work, and visa information will be collected by us at the time of your application to enable us to comply with UK Immigration and Visa requirements.  We may also be required by law to retain that data, along with related information (such as your application paperwork, short-lists and selection committee papers) until a certain point after your employment with the University ends.
  • Financial data, including your account number and sort code, BACS ID, NI number, salary, tax codes and payments information are collected by us at the time of your appointment to enable us to pay you in accordance with the contract between us
  • You have a contractual obligation to inform us of relevant conflicts of interest affecting your involvement in University management and decision-making. Failure to do so may undermine the reputation and integrity of the University, and may have legal implications.
The consequences for any failure to provide such data will depend on the particular circumstances.  For example, a failure to provide copies of your passport, right to work and visa information, may mean that we are unable to enter into, or continue, with your employment.

Some data that you give to us is provided on a wholly voluntary basis – you have a choice whether to do so.  Examples include:
  • Equality monitoring data, which is requested by the University as part of the equality monitoring that we undertake pursuant to our legal obligations under the Equality Act 2010.
  • Disability and health condition information, which you may choose to provide to us in order that we can take this information into account when considering whether to make a reasonable adjustment.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Further legal controls apply to data relating to criminal convictions and allegations of criminal activity.  We may process such data on the same grounds as those identified for “special categories” referred to above.

Details of the lawful bases we rely on for the processing of the categories of data that we hold in relation to you are set out in our Record of Processing Activity

Do we need your consent?

We do not need your consent if we use special categories of your personal information to carry out our legal obligations or exercise specific rights in the field of employment law in accordance with our written policy. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

 

We do not, and will not, sell your data to third parties.

We may have to share your data with third parties, including third-party service providers and partner organisations.

We require third parties to respect the security of your data and to treat it in accordance with the law.


Why might you share my personal information with third parties?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legal requirement or legitimate interest in doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within the University Group

Examples of bodies to whom we are required by law to disclose certain data include, but are not limited to:


Organisation

Why?

Home Office;  UK Visas and Immigration

To fulfil  the University’s obligations as a visa sponsor

Disclosure and Barring Service (DBS)

Required for certain posts to assess an applicant's suitability for positions of trust or where the post works with vulnerable people or children.

The Higher Education Funding Council for England (HEFCE)

Data submitted for the Research Excellence Framework (REF) which is a system for assessing the quality of research in higher education.

HM Revenues & Customs (HMRC)

Real time information released to HM Revenue & Customs (HMRC) in order to collect Income Tax and National Insurance contributions (NICs) from employees.



Examples of bodies to whom we may voluntarily disclose data, in appropriate circumstances, include but are not limited to: 

Organisation

Why?

Other [legal entities] within the “University Group”

We will share your personal information with other entities in the University Group as part of our regular reporting activities on company performance, in the context of a business reorganisation or a University Group restructuring exercise, for system maintenance support and hosting of data.

Where you are employed by or connected to a number of entities in the University Group, or are providing services in different parts of the University Group we may need to share relevant data for the proper functioning of relevant contracts and services.

Agencies with responsibilities for the prevention and detection of crime, apprehension and prosecution of offenders, or collection of a tax or duty.

For the prevention, detection or investigation of crime, for the location and/or apprehension of offenders, for the protection of the public, and/or to support national interest.

Mortgage lender and letting agencies

In order to allow these organisations to verify for mortgages and tenancy agreements.  Release of this information is subject to a written request being received from the employee.

Teachers’ Pension Scheme

Local Government Pension Scheme

Universities Superannuation Scheme (USS)

In order to provide data required for the provision of pensions by these providers.

Higher Education Statistics Agency (HESA)

Some information, usually in pseudonymised form, will be sent to the HESA for statistical analysis and to allow government agencies to carry out their statutory functions.

Occupational Health providers

To enable the provision of these facilities.

 

Third party service providers

To facilitate activities of the University [including activities that are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services, auditors and lawyers, and training provision]. Any transfer will be subject to an appropriate, formal agreement between the University and the third party service provider.

Partner organisations

To facilitate the joint delivery of various education provision.


Where information is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose.

How secure is my information with third-party service providers and other entities in the  University Group?

All our third-party service providers and other entities in the University Group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes (as written in the contract between us) and in accordance with our instructions.

 

We have put in place measures to protect the security of your information. Details of these measures are available upon request.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.



We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business requirement to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer [Helen Johnstone, Head of Information Assurance email:infoassurance@worc.ac.uk].

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Sharing your data outside the European Union

The law provides various further safeguards where data is transferred outside of the EU.

When you are resident outside the EU in a country where there is no “adequacy decision” (a country outside the EU that ensures adequate level of data protection due to its domestic laws or international commitments) by the European Commission, and an alternative safeguard is not available, we may still transfer data to you which is necessary for performance of your contract with us .

We intend to transfer the following information about you to the following countries:

Country

Reason for transfer

Data to be transferred

USA

To allow access to certain IT provision

Staff name and email address

USA

In relation to vehicle hire

Staff name and contact details when vehicle hire is arranged.

 

In the case of the USA the providers used by the University are part of the EU Privacy Shield Framework which means the Commission has decided that it has an adequate level of protection for the time being.

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Records and Document Retention Schedule

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Retention periods may increase as a result of legislative changes, e.g. an increase in limitation periods for legal claims would mean that the University is required to retain certain categories of personal data for longer.  Any such changes will be reflected in updated versions of our Records and Document Retention Schedule which is reviewed on a three year basis.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We may keep anonymised statistical data indefinitely.

Once you are no longer an employee, worker or contractor of the University we will retain and securely destroy your personal information in accordance with our data retention policy.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Where we are processing your personal information on the basis of your consent, you always have the right to withdraw that consent.

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to   ask us to correct any incomplete or inaccurate information we hold about you.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are processing your personal information on the basis of our legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Suspend processing of your personal information, for example if you want us to establish the accuracy of the data we are processing.
  • Object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.
  • Object to any automated decision-making about you which produces legal effects or otherwise significantly affects you.
  • Request the transfer of your personal information to another party.

Please be aware that these rights are subject to certain conditions and exceptions as set out in the data protection legislation.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer [Helen Johnstone, Head of Information Assurance email infoassurance@worc.ac.uk] in writing and they will explain any conditions that may apply.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

 

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact Information Assurance (infoassurance@worc.ac.uk). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Further guidance on your rights is available from the Information Commissioner’s Office (https://.ico.org.uk/).  You have the right to complain to the UK’s supervisory office for data protection, the Information Commissioner’s Office at https://ico.org.uk/concerns/ if you believe that your data has been processed unlawfully.

We may need to update this notice from time to time, for example if the law or regulatory requirements change, if technology changes or to make the University’s operations and procedures more efficient.  If the change is material, we will give you not less than two months’ notice of the change so that you can exercise your rights, if appropriate, before the change comes into effect.  We will notify you of the change by email.

We are the University of Worcester, Henwick Grove, Worcester, WR2 6AJ

If you need to contact us about your data for your general staff record please contact: Human Resources (HR@worc.ac.uk). For other data collections please contact in the first instance: Information Assurance (infoassurance@worc.ac.uk)

The University has a Data Protection Officer, whose contact details are: Helen Johnstone, Head of Information Assurance (h.johnstone@worc.ac.uk