Privacy Notice - Employees
Part 2: Tailored Privacy Notice for Employees
Employees: Type(s) of personal data collected and held by the University and methods of collection
The University collects and processes personal data relating to our employees to manage the employment relationship. The University is committed to being transparent about how it collects and uses that data and to meeting our data protection obligations.
This section of the Privacy Notice provides you with the privacy information that you should be aware of as an employee of the University.
Please note that for ease of reference the contents of this privacy notice apply (where applicable) to current and former employees, workers and contractors/self-employed individuals but the terms employee and employment shall be used throughout.
This notice does not form any part of any contract of employment or other contract to provide services nor does it infer employment status.
The University collects a range of information about you, which includes (but is not limited to):
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the University;
- recruitment information including copies of right to work documentation, references, CV/resume, covering letter(s) and any other documents submitted as part of the application process, health declaration questionnaire and information completed by the employee prior to commencing employment;
- information about your current and previous remuneration with the University, including entitlement to benefits such as pensions, salary sacrifice arrangements or insurance cover;
- details of your bank account, national insurance number and tax status;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record;
- details of your start date, schedule (days of work and working hours), hours worked and attendance at work;
- information about your location and place of work;
- employment records including job titles, work history, training records and professional memberships;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any HR processes such as disciplinary, grievance or sickness absence procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- information obtained through electronic means including, where applicable, swipe card access, computer logon information and software usage; and
- information about medical or health conditions, including whether or not you have a disability for which the University may make reasonable adjustments.
We may also collect, store and use the following “special categories” of more sensitive personal information:
- equal opportunities monitoring information including information about your ethnic origin, sexual orientation and religion or belief;
- trade union membership;
- information about your health, including any medical condition, health and sickness record;
- information about criminal convictions and offences and disclosure and barring.
The University collects this information in a variety of ways. For example, data is collected through applications, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of and/or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
The University collects personal data about you from third parties, such as references supplied by former employers (following consent), information from employment background check providers, and (if applicable) information related to criminal record checks and disclosure and barring.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
Employees: Lawful basis
The University has a legitimate interest in processing personal data before, during and after the employment relationship. The University needs to process data to take steps prior to potentially entering into a contract with you. Thereafter the University needs to process data to enter into an employment contract with you and to meet our obligations under your employment contract.
The University needs to process data to ensure that it is complying with our legal obligations. We may also use your personal information where we need to protect your (or someone else’s) interests or where it is in the public interest. When we process your personal information we will do so provided your fundamental rights do not override those interests.
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with details of the information that we would like and the reason we need it, so that you can consider whether you wish to consent.
Employees: How personal data is stored
Data will be stored in a range of different places, including in your electronic and hard copy personnel file, electronically (and sometimes in hard copy) in your department, within the Recruitment/HR management systems, within the University’s document systems and in other IT systems (including the University's email system).
HR data will be stored in a range of different places, predominantly in HR but some employment data will be stored in your department (for example recent Annual Staff Reviews) or other material departments of the University (for example any Occupational Health records will be stored in Occupational Health).
HR data is stored securely and will only be accessed by colleagues with a legitimate interest in accessing your data.
Employees: How personal data is processed
Processing employee data allows the University to:
- run and make a decision on recruitment and promotion processes;
- determining the terms on which you work for us;
- check you are legally entitled to work in the UK;
- paying you and, if you are an employee/worker/deemed a worker due to IR35 regulations, deducting tax and national insurance contributions;
- liaising with your pension provider;
- business management and planning including accounting and auditing;
- making decisions about salary, benefits and compensation;
- assessing qualifications and skills for a particular job or task, including decisions about promotions;
- providing you with relevant facilities such as access to IT and the Library;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- operate and keep a record of disciplinary and grievance processes (or other relevant HR processes), gather evidence for any disciplinary or grievance processes (or other relevant HR processes), to ensure acceptable conduct within the workplace;
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- manage sickness absence and operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- obtain occupational health advice, to ensure that the University complies with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are fit for work and are appropriately supported by the University;
- contact third parties such as medical professionals or next of kin concerning the health of an employee, with an employee’s consent or, if that consent cannot or will not be given, in exceptional circumstances and in the legitimate interests of the employee, the University or in the public interest without the employee’s consent;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the University complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- education, training and development requirements;
- make decisions about requests for flexible working;
- ensure effective general HR and business administration to operate the employment contract;
- making decisions about your continued employment or engagement including the potential termination of your employment;
- to monitor your use of our information and communication systems to ensure compliance with our IT policies and to ensure network and information security including preventing unauthorised access to our computer and electronic communication systems and preventing malicious software distribution;
- to gather data to review and take action on employee retention and attrition rates;
- equal opportunities monitoring;
- preventing and detecting crime, such as use of CCTV or attaching photos to campus cards;
- maintaining contact with former employees;
- to engage with the University's recognised trade unions about matters pertaining to University groups of staff or individual employees;
- making statutory or external returns, for example to the Higher Education Statistics Agency (HESA);
- fundraising and marketing;
- provide references on request for current or former employees;
- to respond to and defend against legal claims;
- any other reasonable and related purpose.
In addition employees should be aware of the following uses of data:
We process personal data related to the protected characteristics of employees including gender and race but we do so for the purpose of equal opportunities monitoring and employees are not obliged to provide such information to the University.
In some cases, the University needs to process data to ensure that it is complying with its legal obligations, for example, the University is required to check that all employees are entitled to work in the UK and thereafter may have to conduct regular checks of employee’s right to work status.
Registration with Computing and Information Services (CIS) means that an employee’s name, department/section, job title, email address and telephone number will appear in the University's electronic email and telephone directory which can be viewed on the internet. In exceptional circumstances employees can opt-out of the directory (in full or in part, such as declining contact details), either at the point of first registering with CIS or later by contacting the University’s Data Protection Officer. Employees also have their name and academic qualifications published in the Durham University Calendar and may have their name, academic qualifications and contact details published in external academic-related publications such as the Commonwealth Universities Yearbook. Employees may also have their details on the relevant departmental web pages but can ask that these be removed or deleted.
The University routinely logs information about use of IT facilities for statistical purposes, to ensure effective systems operations and to ensure legal compliance relating to software usage. The University may also monitor electronic communications to ensure that they are being used in accordance with the University’s Policy and Regulations for the Use of University IT Facilities and, specifically, to prevent or detect crime.
Where an employee’s employment with the University requires study, employment or a placement at another organisation it will be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad. Employees should be aware that some countries outside of the EEA have lower standards for the protection of personal data that those within the EEA.
Each employee is required to provide a digital image of themselves to CIS for reproduction on their University campus card, which will be used for the purpose of identification. The University may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material and employees may appear on the resulting images, which may be published.
Employee personal data (not including sensitive personal data) may be processed for academic research purposes (i.e. where there is only benefit to the researcher alone or the researcher and University combined) on the basis that the results of the research will not lead to decision-making about an individual or groups of individuals. Where a researcher wishes to use sensitive personal data, such as ethnicity or health, explicit consent will be sought beforehand from the individuals concerned.
We will only use information relating to criminal convictions and disclosure and barring where we are legally entitled to do so. This will include enquiring about unspent convictions during the recruitment process and we will obtain information about criminal convictions and safeguarding where we consider that it is appropriate given the nature of the requirement for the role. Less commonly, we may use information relating to criminal convictions and/or disclosure and barring where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
Some of the reasons for processing your data overlap and there may be several grounds which justify our use of your personal data.
Employees: How we use sensitive personal data
Special categories of sensitive personal information require higher levels of protection. We may process such data in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out any legal obligations.
- Where it is needed in the public interest, such as for equal opportunities monitoring.
Less commonly, we may process this information where it is needed in relation to legal claims, or where it is needed to protect your interests (and you are not capable of giving your consent) or where you have already made the information public.
In an HR context we would anticipate use of sensitive personal information in the following ways:
- using information about your physical or mental health or disability status to ensure that you are fit for work, to ensure your health and safety in the workplace, to manage sickness absence, to administer benefits, and to consider any potential reasonable adjustments and support you if you have any health concerns. All health related information is stored securely, is only accessible by those with a legitimate interest to view that data such as Occupational Health, HR and your line manager and, if being sent in electronic format must be password protected;
- information related to leaves of absence including sickness absence or family related leave, to comply with our legal obligations;
- we will also use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting; and
- we will use trade union membership information to pay trade union premiums and to comply with any relevant legal obligations.
Employees: Who the University shares data with
Your information may be shared internally, including with members of the HR and recruitment team, with the University’s Finance team which includes the Payroll and Pension’s Team, your line manager, managers and business support administrators in the business area in which you work and staff support services staff if access to the data is reasonable for the purpose of your contract.
The University may share your data with third party agencies to satisfy any legal requirements including in respect of your right to work in the UK and, if applicable information on any criminal convictions and/or disclosure and barring.
The University may need to disclose the personal data of employees to organisations contracted to work on its behalf, which could include its pension providers, insurers or professional advisors such as lawyers or auditors. The University may also disclose data to funders of research and externally funded activities, research collaborators and selected individuals acting on behalf of the University such as alumni organising alumni events, external organisations undertaking market research or academic researchers provided no personal data is published. In certain circumstances the University passes the personal data of employee debtors to an external debt collection agency if the University has been unable to recover the debt by normal internal financial or HR processes.
Where considered legitimate and/or necessary the University may share data with the University's recognised trade unions.
The University has a statutory requirement to disclose employee personal data to the Higher Education Funding Council for England (HEFCE) and the Higher Education Statistics Agency (HESA) and/or their nominees/successors. The University may also disclose personal data to HEFCE and its partner bodies during the Research Excellence Framework (REF).
Further Information about Disclosures to HESA:
Every year, the University sends some staff employee data to HESA. The data is sent in coded form and employee names are not given. For each anonymous individual, a HESA record is created. The HESA employee record is used for:
The HESA record is used by the organisations listed below, or agents acting on their behalf, to carry out their public functions connected with education in the UK:
- Department for Business, Energy and Industrial Strategy
- Welsh Assembly Government
- Scottish Government
- Department for the Economy, HE Division
- Office for Students
- Higher Education Funding Council for Wales
- Scottish Further and Higher Education Funding Council
- Research Councils
- Department for Education
The HESA record may also be used by the Office for National Statistics and the National Audit Office to fulfil their statutory functions of measuring population levels and monitoring public expenditure.
HESA use the HESA record to produce anonymised data in annual statistical publications. These include some National Statistics publications and online management information services.
Research, equal opportunity, journalism, other legitimate interest/public function
HESA will also supply anonymised data to third parties for the following purposes:
- Equal opportunities monitoring – the HESA record may contain details of ethnic group and any disabilities. This data is only used where it is needed to promote or maintain equality of opportunity or treatment between persons of different racial or ethnic origins, religious beliefs or different states of physical or mental conditions.
- Research – this may be academic research, commercial research or other statistical research into education where this is of benefit to the public interest.
- Journalism – where the relevant publications would be in the public interest e.g. league tables.
Anonymised data for the above purposes is supplied by HESA to the following types of user:
- Local, regional and national government bodies who have an interest in higher education.
- Higher education sector bodies.
- Higher education institutions.
- Academic researchers and students.
- Commercial organisations (e.g. recruitment firms, housing providers, graduate employers).
- Non-governmental organisations and charities.
HESA will take precautions to ensure that individuals are not identified from the anonymised data which they process.
An individual has the right to a copy of the information HESA holds about them. Because the information HESA holds about individuals does not include names and is a copy of the information held by the University, individuals should contact the University if they wish to see the information. If individuals have any concerns about their information being used by HESA, please contact HESA directly by emailing email@example.com.
Further information about the HESA record is available at www.hesa.ac.uk/dataprot. Individuals who wish to opt out of any non-statutory purposes should request their HESA number from the University and then contact HESA directly.
NHS Research Passport
The NHS Research Passport initiative is a national scheme. It allows universities and relevant NHS trusts to share certain information about employees who hold contracts of employment that require them to engage in health-related research in the NHS. Where required, the University will issue a form to the relevant NHS trust to verify that a number of checks have been undertaken (which will allow the trust to issue a contract or letter of access to the employee):
- Disclosure and Barring Service clearance
- Occupational health clearance
- Identity (passport/birth certificate)
- Two references (from normal recruitment process)
- Permission to work in the UK
- Evidence of professional registration (if appropriate)
- Evidence of qualifications
The University’s Human Resources webpages hold further information about the NHS Research Passport.
On occasion the University may engage with a third party provider to facilitate your contract of employment or to meet a legal requirement or where we have another legitimate interest in doing so.
Third party service providers includes (but is not limited to) our pension providers, benefit providers and any other relevant service which the University may procure to a third party provider such as auditing and legal services.
The University requires any third parties to respect the security of your data and to treat it in accordance with the law. All third party service providers are required to enter into a formal data-sharing agreement with the University and must demonstrate that they have appropriate security, safeguards and policies in place to process your data.
The University will require that any third party storing your data does so securely with access limited to staff who have a requirement to access the data for reasonable and legitimate purposes.
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the University in whole or in part. We may also need to share your personal information with a regulator or to otherwise comply with the law.
Employees: How the University protects data
The University takes the security of your data seriously. The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees legitimately in the performance of their duties or by third parties as outlined in this Privacy Statement.
Employees: How long personal data is held by the University
The University will only retain your data for as long as necessary to fulfil the purposes we collected it for which includes satisfying any legal, accounting or reporting requirements.
The University Records Retention Schedule (Section 20: Human Resources) outlines how long we will keep your data.
In some cases, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Employees: If you fail to provide personal data
You have obligations under your employment contract to provide the University with data. In particular, you are required to report absences from work and may be required to provide information about matters which could impact on your employment, for example criminal convictions. You may also have to provide the University with data so that you can use your statutory rights, for example to take maternity or paternity leave and failing to provide such data may mean that you are unable to exercise your statutory rights.
Some information, such as contact details, your right to work in the UK and payment details, must be provided to enable the University to enter a contract of employment with you. If you do not provide such information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently and, in some cases, we may not be able to continue employing you.
Employees: Visitors to our websites/webpages
When someone visits www.dur.ac.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. Durham University also make use of the Google Analytics service to understand how you navigate around our site.
Employees: Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Employees: Changes to this privacy notice
We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.
Employees: Further information
If you have any questions which you feel have not been covered by this Privacy Notice, please email us or write to:
Information Governance Unit
Telephone: (0191 33) 46246 or 46103