Information Management

Staff privacy notice

The University of Surrey is registered as a data controller with the Information Commissioner’s Office for the purposes of the Data Protection Act 1998 and is committed to ensuring that the personal data of its applicants, students, alumni and staff is handled in accordance with the principles set out in the Act.

What information do we hold?

The University of Surrey holds and processes personal data and sensitive personal data about its current, past or prospective staff and others who are defined as data subjects under the Data Protection Act. This information is normally initially provided to the University by a prospective member of staff on an application form and is added to by the University over the course of employment. Information about staff and prospective staff is retained and disposed of in accordance with the University’s Records Retention Schedules. Some information may be passed to the University Archive for long term historical preservation.

Personal Data

Personal data is data relating to a living individual who can be identified from that information or from that data and other information in the University’s possession (for example: name, address, telephone number, staff number). It can also include expressions of opinions about an individual.

Sensitive Personal Data

Sensitive Data relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Personal data concerning disability is sensitive data.

Why do we process personal data?

The University needs to process certain personal data about its staff for a number of administrative purposes:

  • Managing Human Resources processes such as recruitment, payment of salaries and pensions, performance management, and training and development 
  • Providing facilities such as the IT service, Library Services, and car parking provision
  • Monitoring equal opportunities
  • Preventing and detecting crime, such as using CCTV and using photographs on Campus Cards
  • Providing communications about University news and events, such as through SurreyNet and Netnews
  • Maintaining contact with past employees
  • Fundraising and Marketing
  • Provision of wellbeing and support services
  • Compliance with legal obligations such as making external/statutory returns to the Higher Education Statistics Agency (HESA)

The University processes sensitive personal data for a number of administrative purposes:

  • Equal opportunities monitoring
  • Managing Human Resources processes such as administering Sick Pay and Sick Leave schemes, managing absence, administering Maternity Leave and related pay schemes
  • Managing a safe environment and ensuring fitness for work
  • Managing obligations under Equal Opportunities legislation
  • Provision of occupational health and wellbeing services to individuals

How do we use your information?

General Principles

The University will process your information in accordance with the Data Protection Act and its own Data Protection Policy. To comply with the law, information about individuals must be collected and used fairly, stored safely and securely, be adequate, relevant and not excessive, be kept accurate and up to date, held only as long as necessary and not disclosed to any third party unlawfully.

Any breach of the Data Protection Act 1998 or the University Data Protection Policy is considered to be an offence and in that event, the University disciplinary procedures will apply.

How do we use your information within the University?

Within the University, personal data may be shared between colleagues who legitimately need the information to carry out their duties.

Registration with IT Services means that a member of staff’s name, department/section, email address and telephone number will appear in the University’s internal email and telephone directory. This information may also appear on externally facing departmental webpages.

Staff photographs are used on the University Campus Card for the purposes of identification and security. The University may occasionally commission photographs around Campus or at specific University events which could include images of staff for inclusion in promotional material.

The University may monitor computing use through user names and log-ins to ensure adherence to the Acceptable Use Policy or for statistical purposes.

The University is required to obtain information about past criminal convictions as a condition of employment for certain posts. The University also undertakes CRB checks on those staff who work with young and/or vulnerable people.

Staff personal data may be processed for academic research purposes on the basis that the results of the research will not lead to decision-making about an individual or groups of individuals. Where a researcher wishes to use sensitive personal data, such as ethnicity, explicit consent will be sought in advance from the individuals concerned.

The amount of personal information shared within the University will be no more than is reasonably necessary.

There are occasions when University staff members will need to share your sensitive personal data with work colleagues within the University. For example, the Occupational Health service may seek information from departments or share information with Human Resources about fitness to work. The University will try to do so only with your explicit consent. This means that you will be asked to respond actively either orally or in writing to any particular disclosure of your sensitive personal data.

Circumstances may also arise where sensitive personal data is shared with work colleagues within the University without first obtaining your explicit consent. This will only occur if the processing is necessary:

  • To protect your vital interests and you cannot give your consent or your consent cannot be reasonably obtained
  • To protect another person’s vital interest and you have unreasonably withheld your consent 
  • For the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service and
      • Your consent cannot be given,
      • We cannot reasonably obtain your explicit consent, or
      • Requiring your explicit consent would prejudice the provision of that counselling, advice, support or other service
  • To meet our statutory obligations in relation to equality and diversity monitoring
  • The disclosure is made for the purpose of prevention or detection of crime, the apprehension or prosecution of offenders and we have received a notice from the police confirming that the disclosure is required for these purposes 
  • Pursuant to a Court Order requiring disclosure

How do we share your data with third parties?

The University may need to share your personal and sensitive personal data with third parties outside of the University who are contracted to work on its behalf, for example to pension providers, insurers or legal consultants. IT data might be used for testing purposes outside of the University. The University may also disclose data to auditors undertaking investigations or to selected individuals acting on behalf of the University such as organisations undertaking market research or academic researchers provided no personal data is published. The University will often confirm dates and nature of an individual’s employment to a prospective employer in a reference. In certain circumstances the University may pass the data of staff debtors to an external debt collection agency if the University has been unable to recover the debt by normal internal financial or HR processes.

Where a member of staff’s employment with the University requires study, employment, or a placement at another organisation it may be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad. This may require some data being sent outside the EEA to countries which may have lower standards for the protection of personal data.

The University has a statutory requirement to disclose staff personal data to the Higher Education Funding Council for England (HEFCE) and the Higher Education Statistics Agency (HESA) and/or their nominees/successors. HESA will process your information in accordance with their collection notice.

The University may also have to share your personal data with third parties outside the University for other purposes with your consent. However, there may be circumstances where information is shared without consent. This will only be if:

  • The disclosure is in the legitimate interests of the University or the third party to whom the information is being disclosed
  • There is a statutory obligation to share the data; for example making returns to the local authority, to the Higher Education Funding Council for England, or to the Higher Education Statistics Agency
  • Disclosure is required for the performance of a contract
  • Disclosure is necessary to protect your vital interest; for example in medical emergency situations
  • Disclosure is made to assist with prevention or detection of crime, or the apprehension or prosecution of offenders
  • Disclosure is required by a Court Order
  • Disclosure is necessary to assist the University in obtaining legal advice

The University will usually only share your personal data with third parties outside of the EU if you have given your consent. However, there may be circumstances where information is shared without consent. This will only be if:

  • The EU has made a finding of adequacy in relation to the country having an adequate level of protection
  • The disclosure is to a US company which has signed up to the Safe Harbor principles
  • It is necessary to protect your vital interests; for example in medical emergency situations
  • It is necessary for the performance of a contract between you and the University
  • It is necessary for the purpose of obtaining legal advice or for the purposes of any legal proceedings

Sensitive Personal Data

The University may occasionally need to share your sensitive personal data outside of the University, although it will try to do so only with your explicit consent. This means that you will be asked to respond actively either orally or in writing to any particular disclosure of your sensitive personal data.

Circumstances may also arise where sensitive personal data is shared outside of the University within the EU without first obtaining your explicit consent. This will only occur where one of the following conditions has been met:

  • The processing is necessary to protect:
      • Your vital interests and you cannot give your consent or your consent cannot be reasonably obtained
      • Another person’s vital interest and you have unreasonably withheld your consent
  • The processing is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service and:
      • Your consent cannot be given,
      • We cannot reasonably obtain your explicit consent, or
      • Requiring your explicit consent would prejudice the provision of that counselling, advice, support or other service
  • The processing is necessary to meet our statutory obligations in relation to equality and diversity monitoring
  • The disclosure is made for the purpose of prevention or detection of crime, the apprehension or prosecution of offenders and we have received a notice from the police confirming that the disclosure is required for these purposes
  • Pursuant to a Court Order requiring disclosure; or
  • In order for the University to obtain legal advice or for the purposes of any legal proceedings.

Circumstances may also arise where sensitive personal data is shared outside of the EU without first obtaining your explicit consent. This will only occur if it is necessary to protect your vital interests, for example in medical emergency situations.

Your rights in relation to your data

You have certain rights with respect to the data held about you by the University. You can make a written request to obtain access to the data held about you by the University, subject to certain exemptions. This is called a Subject Access Request.

You also have the right to have errors and omissions corrected or out of date or irrelevant information removed.

If you have an extensive request for access to information about yourself which may involve collating information held in more than one department or office, you should make it in writing to the Information Compliance Unit. Initial enquiries can be emailed to Freedomofinformation@surrey.ac.uk. A fee of £10 may be payable before the request can be acted upon.

Minor day-to-day requests for information and corrections can be taken up with your department or HR. You are able to check and amend some data through the HR Self Service system.

You also have the right to object to processing likely to cause damage or distress. To exercise this right you must put your objection to the processing in writing and be able to show that our processing is causing you unwarranted and substantial damage and distress.