Staff applicant privacy notice

The data controller processing your data is the University of Surrey. We are registered as a data controller with the Information Commissioner’s Office and are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a named Data Protection Officer, James Newby, who can be contacted via dataprotection@surrey.ac.uk.

As part of any recruitment process, the University of Surrey collects and processes personal data relating to job applicants relating to University and Surrey Sports Park roles. The University is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

By registering to use our online recruitment and talent system and submitting a job application to us, you agree to the terms of this Data Privacy Statement and for your personal information (which might include sensitive personal information) to be processed and held by the University of Surrey and by selected third parties however any data shared with us will remain inside the EEA.

This people process management software solution is hosted by the University of Surrey and provided to University of Surrey by Stonefish Software Limited, 125 Nottingham Road, Stapleford, Nottinghamshire NG9 8AT.

The University collects a range of information about you. This includes:

  • Your name, address and contact details, including email address and telephone number;
  • Your date of birth
  • Identifiers issued by public bodies e.g.  NI Number, ORCID, HESA ID
  • Details of your qualifications, skills, experience and employment history;
  • Information about your current level of remuneration, including benefit entitlements;
  • Whether or not you have a disability for which the University needs to make reasonable adjustments during the recruitment process;
  • Information about your entitlement to work in the UK; and
  • Equal opportunities monitoring information, including gender, information about your ethnic origin, gender identification, sexual orientation, health, and religion or belief.

The University collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment.

The University will also collect personal data about you from third parties, such as references supplied by former employers, including information from employment background check providers and information from criminal records checks. The University will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.   On occasion Academic references are collected before the interview to complement the interview process, if you have not given consent for us to do so the University will contact you before requesting references.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

The University needs to process data at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, the University needs to process data to ensure that it is complying with its legal obligations. These include

  • Checks to ensure a successful applicant's eligibility to work in the UK before employment starts.
  • Perform criminal records checks from the Disclosure and Barring Service (for applicable roles)
  • Perform professional registrations and qualifications checks (for applicable roles). 

The University has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the University to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The University may also need to process data from job applicants to respond to and defend against legal claims.

The University processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

The University processes other special categories of data, such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status, this is done for the purposes of monitoring of the University’s policies in meeting our obligations under the Equality Act 2010, and other  initiatives including Athena Swan, Race Equality Charter and to provide anonymised statistical reporting, this equal opportunities monitoring is done with with the explicit consent of job applicants, which can be withdrawn at any time. This data is not used in the recruitment decision-making process.

For some roles, the University is obliged to seek information about criminal convictions and offences. Where the University seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

If your application is unsuccessful, the University may keep your personal data on file in case there are future employment opportunities for which you may be suited. The University will ask for your consent before it keeps your data for this purpose, it will only keep data until the retention schedule limit and you are free to withdraw your consent at any time.

Access to the information you provide to us shall be restricted to authorised users only and is treated in the strictest confidence and shall only be used for the purposes of processing your application and for processing of the aforementioned anonymous statistics.    In order for us to process your application your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

The University will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The University will then share your applicable data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service (if applicable) to obtain necessary criminal records checks. Some of your data may be shared with government bodies such as UK Visa and Immigration (UKVI) to ensure the University can demonstrate compliance.

If your application is successful the University will also share relevant health data (where necessary) with its internal Occupational Health department for the purposes of ensuring the University meets its employment obligations.

By using this site you will allow the University to share information with UKVI and Immigration for the purposes of applying for a Certificate of Sponsorship (if applicable), (this data includes Name, address, Contact phone number, DOB, Gender, Job data and Passport information).

The University will not transfer your data outside the European Economic Area.

The University takes the matter of IT security very seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. 

University IT Security

Details on University wide measures surrounding IT security can be found in the principal IT Security Policy which sets out the definition of, commitment to and requirements of Information Technology and Security.   It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.

Application Security

The application employs extensive security measures to protect against the loss, misuse, and unauthorised alteration of data security includes the following standard features *

  • Protection against improper logins
  • Role based permissions are utilized to ensure that data is only accessible to those with appropriate access rights.
  • Enforced segregation of duties including secondary controls and restrictions are applied to privileged accounts
  • All data is encrypted including backups
  • Once data has reached our retention limits the disposition rules will be invoked and relevant data is disposed of securely.

*note this is not an exhaustive list

Third parties

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

If your application for employment is unsuccessful, the University will hold your job application and other information supplied on file for one year after the end of the relevant recruitment process.  However if the successful candidate is sponsored by the University under a Certificate of Sponsorship, the University has a statutory obligation to retain the personal data and associated interview notes of all candidates who were shortlisted and invited for interview until it’s next UKVI audit or for the duration of the successful candidates sponsorship. Should you make any subsequent applications during this time you agree to ensure that your personal data such as name, address and details of your current employer is updated as necessary. If you agree to allow the University to keep your personal data on file by registering for job alerts or our talent community, the University will hold your data on file for a further five years for consideration for future employment opportunities. At the end of that period or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in the employee privacy notice.

As a data subject, you have a number of rights. You can:

  • Access and obtain a copy of your data on request;
  • Require the University to change incorrect or incomplete data;
  • Require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • Object to the processing of your data where the University is relying on its legitimate interests as the legal ground for processing; and
  • Ask the University to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the University’s legitimate grounds for processing data.

If you would like to exercise any of these rights, please contact us at humanresources@surrey.ac.uk. You can make a subject access request by completing the University's subject access request form, available on the University’s web page https://www.surrey.ac.uk/information-management/data-protection

If you believe that the University has not complied with your data protection rights, you can complain to the Information Commissioner.

You are under no statutory or contractual obligation to provide data to the University during the recruitment process. However, if you do not provide the information, the University may not be able to process your application properly or at all.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Automated decision-making

For some roles the University's recruitment processes will be are based solely on automated decision-making. This is where there is a minimum requirement which is required for the advertised role, these are associated with

  • Qualifications either professional or educational that must be met in order for the application to proceed
  • Right to work in the UK
  • UK Driving Licence 

Should the minimum requirement not be met the system will not allow you to progress your application.

Find us

Map of the University of Surrey
Address
Business Support Services
Old Estates Building
University of Surrey
Guildford
Surrey
GU2 7XH