Staff privacy notice
The data controller processing your data is the University of Surrey. We are registered as a data controller with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a named Data Protection Officer, James Newby, who can be contacted via email@example.com.
The University of Surrey holds and processes personal data about current and former members of University staff, including temporary workers, associates, external examiners and assessors, and honorary and emeritus members of staff.
We only collect the data we need and keep that data up to date.
The personal data that we hold about you consists of:
- Personal information – your name, data of birth, gender, nationality, national insurance number, copies of documentation proving your right to work such as your passport or visa, identifiers issued by public bodies (e.g. NI Number, ORCID, HESA ID, RCN and Midwifery Council, employee number and username) and your contact details.
- Information about your job and contract of employment - your role title and department, information about your employment contract such as start date/s, hours, contract type (for example, fixed term, permanent, temporary etc.), your salary, information about any benefits you receive, and details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals
- Information relating to your performance in your role - assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans, promotions, details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- Education and work history - details of your qualifications, skills, experience and employment history and references received.
- Family, lifestyle and social circumstances - In certain circumstances we will also hold limited information about your spouse, partner, or civil partner, or other individuals. This is collected where you name them as an emergency contact or where shared parental leave is requested - in which case we will receive the spouse/partner’s name and the name of their employer either from you or from your spouse/partner’s employer.
The University may process some information about you that is classed as ‘special category’ data, and which receives additional protections.
We may collect the following special category data:
- Details of periods of leave taken by you relating to sickness absence, family leave, etc.
- Health or disability information about you
- Information about your religion or beliefs
- Information about your ethnic origin
- Your sexual orientation
- Gender identification
- Trade union affiliations, where applicable
For certain roles, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practise in certain regulated professions.
We receive this data directly from you from a variety of different sources, depending on how and where you interact with the University.
We receive a lot of this data from you when you:
- Submit an application for a job at the University
- Complete your new starter and payroll forms
- Supply your passport or other identity documents at the start of your employment, at other times when necessary during your employment with us, or when we ask you to confirm your identity
- Update your personal record via the Human Resources Employee Self Service system during your employment or ask us to update your record in any way
- Supply emergency contact details, in which case we will assume that the person whose details you give us are happy for these details to be shared with us by you
- Request shared parental leave, in which case we will receive the spouse/partner’s name and the name of their employer either from you or from your spouse/partner’s employer
- At various other times when you share it during the course of your employment, for example, during correspondence with you, during the annual appraisal process, if you need to take sick leave, or if your role changes.
If we do not receive information directly from you, we either generate it ourselves (such as your Surrey employee ID and username), or we receive it from third parties.
Data about you that we receive from third parties comprises your employment references, tax details, results of criminal records checks, medical information and details of voluntary salary deductions.
We receive this information from the following third parties:
- Professional or education organisations which you may have named as a referee
- Individuals who you may have named as a referee
- HM Revenue and Customs (HMRC)
- Pensions scheme providers
- Disclosure and Barring Service
- Robens Centre for Occupational Health
- In some cases, third parties carrying out pre-employment checks.
We take our obligations around the handling of data very seriously, and it is therefore important for you to know the various lawful bases that we rely on for the processing of your personal data.
We process some of your data in order to enter into and to fulfil a contract of employment with you, or to meet a relevant obligation under employment law or other legislation.
We process your personal data for these purposes when we:
- Provide you with an employment contract
- Administer HR-related processes, including those relating to performance management, conduct and promotion
- Operate and keep a record of disciplinary, complaint and grievance issues to ensure acceptable conduct in the workplace
- Ensure you are legally eligible to work in the UK
- Calculate your pay, including any statutory or voluntary deductions (such as to a pension scheme, salary sacrifice scheme or trade union)
- Ensure that you are able to practice in a particular role
- Ensure that you are physically fit to work or practice in a particular role
- Identify and prevent any potential risks to your health or wellbeing that may arise from your work
- Provide you with a University campus card, University of Surrey IT account, access to a Surrey email account, and give you personalised access to buildings, IT applications, resources and network services such as WiFi
- Monitor use of IT services to ensure adherence to the University’s Acceptable Use Policy
- Provide you with access to training and development services
- Process and pay your statutory and occupational payments for relevant periods of absence or leave, such as when you are unable to work due to illness
- Administer pension and benefit entitlements
- Ensure we can get in touch with you if we need to regarding work or employment related matters
- Compile statistics for regulatory and statutory reporting purposes (for example our annual returns to HESA or the Office for National Statistics).
In other circumstances, the University processes your data in our legitimate interest.
This is an assessment made by weighing our requirement against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact firstname.lastname@example.org.
We process your data in our legitimate interest when we:
- Produce statistics for internal reporting to ensure the effective management of our workforce. Analysis of statistics is carried out at an aggregate level and does not identify you directly.
- Enable effective communications with you regarding information you need to know for campus security or operations.
- Provide opportunities for employee wellbeing and support, such as counselling services.
- Operate and keep a record of employee performance and related processes to plan for career development, succession planning and workforce management purposes.
- Use your data to analyse the effectiveness of a service that we provide, such as our annual staff survey. This analysis is carried out at an aggregate level so that you are not identifiable from the data.
- Meet our obligations for ensuring your health, safety and security whilst working with us. This includes capturing your image in our CCTV system. More information about how your data is processed within the CCTV system can be found in the CCTV code of practice which includes a privacy notice for CCTV. This is available upon request.
Some special category data is processed to carry out our obligations and exercise specific rights in relation to employment.
We process information about ethnic origin, sexual orientation, religion or belief or trade union membership, offences and alleged offences, criminal offences, gender identification, health information to carry out our employment obligations when we:
- make reasonable adjustments for staff who have a disability
- ensure that you are fit to work in a particular role
- meet our obligations under the employment law such as the Equality Act 2010, and related initiatives including Athena Swan, Race Equality Charter
- manage voluntary salary deductions to a trade union, where applicable
- For some roles, we are obliged to seek information about criminal convictions and offences.
We process for statistical purposes or with your consent when we produce statistics for equal opportunity initiatives such as Athena Swan and the Race Equality Charter or to make regulatory returns such as HESA.
Data that we use for these purposes is pseudonomysed, anonymised or is collected with your consent. You are free to decide whether or not to provide this data and there are no consequences if you choose not to provide it.
Some special category data is processed for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.
We process for this reason when we obtain occupational health advice, to ensure that we comply with our duties in relation to individuals with disabilities. This assessment is carried out by health professionals at the Robens Centre for Occupational Health who provide the University’s occupational health service. They have a separate privacy notice which can be found on their web page.
Your information may be shared internally with members of the HR and Finance teams, your line manager, managers in the business area in which you work, and IT, Library and Security staff if access to the data is necessary for performance of their roles.
We combine the data you provide us with other data generated during your employment in order to maintain a summary record of your employment with us.
We also combine your data with data received from the third parties listed above in order to:
- Determine whether you are eligible to work in the UK
- Ensure that you pay the correct tax and National Insurance contribution
- Ensure you receive any pension payments you are due once you are eligible.
Access to, and the sharing of, your special category data are controlled very carefully. You will be given further details about our need for collecting such data when we ask you to share it with us, including any consequences for you of not providing it.
We will keep your information for a maximum period of 25 years after the end of your employment with the University. In many cases, data will be kept for a shorter period of 10 years after the end of your employment.
For more information please refer to the HR retention schedule available on SurreyNet.
Once it is no longer required for business purposes, core details of your employment with us (your name, details about your job such as contract type and the role titles you have held during your time with us) will be securely transferred to the University Archives for permanent preservation so that it can be made available for future historical research enquiries. All relevant safeguards are met in relation to this archival processing. More detail on this is included in the Archives and Special Collections Privacy Notice.
All other data we hold about you will be permanently destroyed.
Within the University, we share your data with:
- The Pensions team in order to enrol you in a pension scheme and ensure appropriate contributions can be made. More detail on how the Pensions team use your data is available in the Pensions Privacy Notice
- The Finance team in order to pay expenses claims and ensure that the University can budget to continue to meet its payroll obligations
- The Health and Safety team, in order to maintain statutory records regarding any accidents or hazardous exposure you sustain at work
- IT Services in order to provide you with an IT account, email address and access to relevant buildings, IT networks, systems and resources
- Our Internal Audit team, to ensure University compliance with policies and processes.
We also share your personal data, where required, with the following external third parties:
- Government departments and agencies where we have a statutory obligation to provide information (e.g. Her Majesty's Revenue and Customs (HMRC), the Office for Students (formerly the HEFCE), the Higher Education Statistics Agency (HESA), the Home Office (in connection with UK visas and immigration), and Office for National Statistics
- Our pension scheme providers in order to enrol you into a pension scheme and ensure contributions are paid correctly (please see the Pensions privacy notice for further details)
- Robens Centre for Occupational Health in order to ensure you are fit to work, and to provide care and support during your time working with us
- The Disclosure and Barring Service (DBS) where we need to make a criminal records check for certain roles
- On occasion and where necessary, the police and other law enforcement agencies.
- On occasion and where necessary, appointed external auditors
We will provide references about you to external enquirers or organisations where you have requested or indicated that we should do so.
We take the security of your data seriously. Details on University wide measures surrounding IT security can be found in the principal IT Security Policy which sets out the definition of, commitment to and requirements of Information Technology and Security. It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.
We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
As a data subject, you have a number of rights. You can:
- Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing (by making a subject access request)
- Require us to change incorrect or incomplete data
- Require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
- Object to the processing of your data where we rely on our legitimate interests as the legal ground for processing
- Receive from us the personal data we hold about you which you have provided to us in a reasonable format specified by you, including for the purpose of you transmitting that data to another data controller
- Ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the University’s legitimate grounds for processing data
- Withdraw your consent for us to process your data where we do so with your consent
Not all of these rights apply in all circumstances. You can find full details of the rights that you have regarding your personal data, and when these apply, by visiting the University’s guidance on data subject rights on the Information Compliance SurreyNet page.
If you would like to exercise any of these rights, please contact us at email@example.com.
You can make a subject access request by completing the University's subject access request form, available on the University’s web page https://www.surrey.ac.uk/information-management/data-protection.
If you continue to have concerns about the use of your personal data, the Information Commissioner’s Office is an independent body set up to uphold information rights in the UK.
They can be contacted through their website: www.ico.org.uk, or their helpline on 0303 123 1113, or in writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.