Staff privacy notice
This Privacy Notice is relevant to current and former staff of the University, including full-time and part-time permanent and fixed-term employees in professional and academic roles, freelancers, independent contractors, consultants and other outsourced and non-permanent workers.
The data controller processing your data is the University of Surrey. We are registered as a data controller with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a named Data Protection Officer, Suzie Mereweather, who can be contacted via email@example.com.
Current staff members may also refer to the Human Resources Privacy Notice available on SurreyNet which provides more information regarding data and processing practices relating to employment matters. The University is in the process of developing further Privacy Notices of relevance to current staff, and these will be made available as they are finalised. You should also be given information at any point at which you are asked to provide personal information, so that you understand why and what your applicable rights are.
During the course of your time working with us, we will collect, obtain and hold a range of data about you that may be able to identify you directly or indirectly. If and when you cease to the employed by us, we will continue to hold some data that we hold about you for a predefined period of time in order to fulfil our remaining tasks and obligations.
The personal data that the University holds about you as a member of staff will include:
- Personal information – your name, photograph, employee user name and ID number, date of birth, gender, nationality, national insurance (NI) number, copies of documentation proving your right to work such as your passport or visa, and your contact details.
- Job information - your role title and department, information about your employment contract such as start date/s, hours, contract type, salary, information about any benefits you have received, and details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and your bank details for pay and expenses purposes.
- Performance information - assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans, promotions, details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- Education and work history - details of your qualifications, skills, experience and employment history and references given and received, or research proposed or undertaken
- Information about your family, lifestyle or social circumstances - in certain circumstances we will also hold limited information about your spouse, partner, or civil partner, or other individuals. This is collected, for example, where you name them as an emergency contact or where shared parental leave is requested.
- Your image captured on University CCTV cameras.
- Basic information about your activities in the University including use of information and communication systems, such as access times from swipe card access, or an IP address if you access information from a device.
The University may also process some kinds of more sensitive information about you that is classed as ‘special category’ data, and which receives additional protections under law, and in terms of our processing of it. This includes data about:
- health, medical conditions or disabilities
- religion or beliefs
- political opinions
- sexual orientation
- trade union affiliations, where applicable
For certain roles, we are required to seek information about past criminal convictions, working with children or vulnerable adults, and/or your fitness to practise in certain regulated professions.
Much of this data we will have asked you to provide to us directly when you started your employment. Alternatively, we may have asked you for it during your employment, or you may have provided it to us independently in order for us to help you with something.
If we do not receive information directly from you, we either generate it ourselves (such as your Surrey employee ID and username), or we receive it from third parties, such as:
- HM Revenue and Customs (HMRC)
- Pensions scheme providers
- Disclosure and Barring Service
- Robens Centre for Occupational Health
- Individuals or organisations that you named as a referee.
We request data from you when you:
- submit a successful application for a job at the University
- complete your new starter and payroll forms and starting working with us
- update your personal record via the Human Resources Employee Self Service system during your employment or ask us to update your record in any way
- supply emergency contact details - in which case we will assume that the person whose details you give us are happy for these details to be shared with us by you
- request shared parental leave, in which case we will receive the spouse/partner’s name and the name of their employer either from you or from your spouse/partner’s employer
- at various other times when you share it during the course of your employment, for example, during correspondence with you, during the annual appraisal process, if you need to take sick leave, or if your role changes.
We take our obligations around the handling of data very seriously, and it is therefore important for you to know the various lawful bases that we rely on under data protection law for the processing of your personal data.
In order to be able to process your data lawfully, we must rely on a specific lawful basis, depending on the main reason why we need the data. Below we will explain these lawful bases and when they might be used below.
- Necessary for the University to comply with a legal obligation
We process data about you under this legal basis when we need to in order to comply with UK legislation, such as in the areas of employment for tax purposes or to comply with the Equality Act, or laws around health and safety in the workplace.
- Necessary for the University to perform a contract with you
We process your data in order to carry out the contract of employment we have with you, or to enter into it in the first place – for example, ensure you can work in the UK, pay you a salary and keep records of disciplinary, complaint or grievance proceedings.
- Necessary for the purposes of the University’s legitimate interests
Sometimes we will process your data because we have identified a ‘legitimate interest’ in doing so. The legitimate interests we identify are determined through an assessment made by weighing our requirements against the impact of the processing on you. This is done to make sure that our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data.
Examples of when we will process your data in our legitimate interests are:
- providing you with a University campus card, University of Surrey IT account, access to a Surrey email account, and give you personalised access to buildings, IT applications, resources and network services such as WiFi
- monitoring use of IT services to ensure adherence to the University’s Acceptable Use Policy
- providing you with access to training and development services
- enabling effective communications with you regarding information you need to know for campus security or operations.
- contacting those people you have named to be notified in the event of an emergency.
- operating and keep a record of employee performance and related processes to plan for career development, succession planning and workforce management purposes.
- using staff information to conduct strategic analysis, modelling and forecasting to help the University plan ahead.
- analysing the effectiveness of a service that we provide, such as our annual staff survey. This analysis is carried out at an aggregate level so that you are not identifiable from the data.
- ensuring that we can keep University sites safe and secure, and taking measures to prevent and detect crime. This involves capturing images of you in our CCTV system. More information about how your data is processed within the CCTV system can be found in the CCTV code of practice which includes a privacy notice for CCTV. This is available upon request.
- Necessary to protect your vital interests or those of another person
On rare occasions, we may need to access or share your information in order to protect your life or that of another person, for example in an emergency situation where we cannot gain your consent or to do so could endanger life. We will only rely on vital interests in extremely limited circumstances when no other legal basis is available.
- You have given us your consent to process your data for a specific purpose
We may sometimes ask for your consent to do something that involves use of your personal data. We will do this where no other lawful basis applies and where it makes sense to give you the highest level of control over how your data is used by us.
For this reason, we will not ask for your consent very often where your data is being processed for employment reasons because one of the other lawful bases listed above will often be more appropriate.
However, you would be asked to specifically consent to the processing of your data if, for example, we wished to use your image in marketing materials; wished to send you marketing, or to process your data where we cannot rely on one of the above bases.
Processing your ‘special category’ personal data
Sensitive personal data, called “special category” data in the legislation, receives extra protection under data protection law. The University can only process it if we have an additional lawful basis to rely on and meet higher standards for safeguarding it.
Special category data is defined as information which reveals:
- Your race or ethnicity, religious beliefs, sexual life or orientation, or your political opinions.
- A trade union membership.
- Information about your health, including:
- any medical condition, health and sickness records
- occupational health referrals;
- where you leave employment and the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision;
- information required for medical physicians and / or pension providers; and
- details of absences from work (other than holidays) including time on sick leave or statutory / family leave.
Of the lawful bases available to us, those the University is mostly likely to rely on in relation to staff data are the following:
- Processing is necessary for us to carry out our obligations or exercise our (or your) rights under employment, social security and social protection law
This would apply when, for example, we:
- keep a record of reasonable adjustments for a disability to allow us to meet our obligations under the Equality Act;
- ensure that you are physically fit to work in a particular role;
- set up a voluntary salary deductions to a trade union.
- Processing is necessary for purposes of preventive or occupational medicine and to assess your working capacity as an employee
This would apply when we obtain advice from medical professionals at the Robens Centre for Occupational Health with regards to making adjustments to your working practices due to a health condition.
- Processing is necessary to protect your life or someone else’s
We will rely on this basis on rare occasions when we cannot reasonably get your consent for whatever reason.
- Processing is necessary for statistical purposes where this is based on UK law, respects your right to data protection and where measures are taken to safeguard your rights and freedoms, such as through the collection of minimal data.
This includes compiling statistics for equal opportunity initiatives such as Athena Swan and the Race Equality Charter.
- Processing is necessary for the establishment, exercise or defence of legal claims against the University.
- We have asked for and received your explicit consent to process your data for a specific purpose
As a principle, information about you will not be kept for longer than it is needed for the purpose it was collected.
The University has records retention schedules which document for how long different information is required, and these are available on SurreyNet. These are currently in the process of being updated, so may not contain the most up to date information.
As the retention schedules indicate, we need to keep different data for differing periods of time, and you will always be told how long your personal information will be kept, or how we calculate this – this will either be when you give it to us, or if you don’t give it to us yourself, as soon as possible after we obtain or receive it.
If you have any queries regarding how long we keep your data that are not answered in the schedules, please feel free to contact firstname.lastname@example.org.
Some basic information about our former staff is transferred to the University Archives for permanent preservation so that it can be professionally managed in order to facilitate future historical research enquiries. All relevant safeguards are met in relation to this archival processing and you can find more detail on this in the University Archive Collections Privacy Notice.
When it is no longer required in line with its retention period, personal information is securely and permanently destroyed.
Whilst you are working with us, we will need to share certain information both internally between departments and with external parties.
As a principle, only minimal information will be shared as necessary and only where we have identified a lawful basis or exemption for doing so, and the data is proportionate to the need. There is guidance and governance in place to help staff to ensure that only the necessary data is made available to other departments or third parties who would not otherwise have access to it.
Some information must be shared by HR with other departments to complete essential tasks related to your employment, such as payroll, occupational health, pensions and arranging access to IT services.
Other purposes for which personal data may need to be shared internally include, for example:
- for analysis to ensure our compliance with equality of opportunity and diversity legislation
- to allow for line managers to provide staff with sufficient support in their role
- for strategic analysis, planning and forecasting
- for investigating alleged employee misconduct
Third parties with whom information about staff may need to be shared by the University include, for example:
- HMRC, the Higher Education Statistics Agency (HESA) or Health and Safety Executive (HSE) to meet statutory reporting obligations
- external pensions providers to administer staff pensions
- Robens Centre for Occupational Health
- Disclosure and Barring Service to obtain criminal record checks for certain roles
- law enforcement agencies for the prevention or detection of crime
- external auditors
- legal advisors to the University, and court of law as necessary
- emergency response services as necessary to protect your vital interests or those of another person.
In most cases, information about how your data is shared will be given to you closer to the time by the relevant department.
We take the security of your data seriously. Details on University wide measures surrounding IT security can be found in the principal IT Security Policy which sets out the definition of, commitment to and requirements of Information Technology and Security. It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.
We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
As a data subject, you have a number of rights. You can:
- ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing (by making a subject access request)
- require us to change incorrect or incomplete data
- require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
- object to the processing of your data where we rely on our legitimate interests as the legal ground for processing
- receive from us the personal data we hold about you which you have provided to us in a reasonable format specified by you, including for the purpose of you transmitting that data to another data controller
- ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the University’s legitimate grounds for processing data
- withdraw your consent for us to process your data where we do so with your consent
Not all of these rights apply in all circumstances. You can find full details of the rights that you have regarding your personal data, and when these apply, by visiting the University’s guidance on data subject rights on the Information Compliance SurreyNet page.
If you would like to exercise any of these rights, please contact us at email@example.com.
You can make a request to access or have copies of your information by completing the University's subject access request form, available on the University’s webpage https://www.surrey.ac.uk/information-management/data-protection.
If you have concerns about the way we use your personal data after having raised it with us, you may lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is an independent body set up to uphold information rights in the UK.
They can be contacted through their website: https://ico.org.uk/make-a-complaint/, or their helpline on 0303 123 1113, or in writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF