People Culture and Inclusion team privacy notice

The People Culture and Inclusion (PCI) team is part of the Department of Human Resources. The data controller processing your data is the University of Surrey. We are registered as a data controller with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a named Data Protection Officer, Suzie Mereweather, who can be contacted via dataprotection@surrey.ac.uk.

One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the use of your personal data when you use certain services offered by the University of Surrey.

We hold and process personal data about current and former members of University staff on permanent and fixed term contracts only.

The personal data we process about you consists of:

  • Personal information – your name, age, gender, nationality, staff number
  • Information about your job and contract of employment – your email address; your role title and department; information about your employment contract, such as hours, contract type (fixed term, permanent), family leave (including number of KIT days taken), your financial grade, your contract start and end date
  • Information relating to your performance in your role – any training and mentoring you have participated in, promotions, your appraisal outcomes.

For equal opportunities initiatives, we may process the following special category data:

  • Information on disability
  • Information about your ethnic origin.

We process only the data we need and keep that data up to date.

We receive this data directly from HR who collate information on you from a variety of different sources, depending on how and where you interact with the University.

We process this data when you:

  • Submit an application for a job at the University
  • Provide information at the start of your employment or update your personal record via the Human Resources Employee Self Service system
  • Apply for a promotion
  • Complete your training
  • Inform us about your training requirements
  • Participate in a mentoring scheme
  • Take family leave
  • Complete your performance evaluation (for example appraisal or 360 report)
  • Request parental leave
  • Apply for an apprenticeship.

We also receive data from the following third parties:

  • LinkedIn Learning
  • Apprenticeship training providers.

We receive data from third parties when you:

  • Apply for an apprenticeship – we collect your name, provider details and contract dates
  • Start any training course on the LinkedIn platform – we collect usage data, including time and frequency of login, duration of visit, courses accessed and completed.

We take our obligations around the handling of data very seriously and it is therefore important for you to know the lawful bases that we rely on to process your personal data.

We process your data in order to meet a relevant obligation under employment law or other legislation. We process your personal data in order to comply with the following legal obligations to which the University is subject:

  • Compliance with the Equality Act obligation to avoid unlawful discrimination in the course of employment
  • Compliance with the Data Protection Act 2018, Bribery Act, the Counter-Terrorism and Security Act 2015 to ensure all staff are compliant with their mandatory training.

We process your personal data for these purposes when we:

  • Attempt to identify and mitigate the risk of discrimination against current employees by reporting on the Protected Characteristics defined in the Equality Act 2010
  • Compile statistics for regulatory and statutory reporting purposes (for example our equality annual reports, mandatory training reports)
  • Complete Equality Impact Assessments to ensure compliance with processes and policies
  • Complete equal opportunity initiatives such as Athena Swan Charter, Race Equality Charter.

In other circumstances, the University processes your data because we feel it is in our legitimate interest to do so.

Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact dataprotection@surrey.ac.uk.

We process your personal data for these purposes when we:

  • Fulfil People Culture and Inclusion strategic goals by fostering an inclusive and engaging culture across the University, and embedding inclusive values
  • Further the aims of the equality strategy through discussion and progress review
  • Support employees in their development by ensuring they can access the training, mentoring and development programmes relevant to their career progression, regardless of their protected characteristics.

Some special category data is processed to carry out our obligations and exercise specific rights in relation to employment.

We process information about ethnic origin and disability to carry out our employment obligations:

  • Under employment law such as the Equality Act 2010
  • When we produce statistics for equal opportunity initiatives such as Athena Swan Charter, DisabledGo Programme and the Race Equality Charter
  • To ensure compliance with Equality and Diversity processes and policies.

We do not use the data we collect to make decisions about individuals, nor do we analyse information on an individual level.

Data that we use for these purposes is anonymised. You are free to decide whether or not to provide some of this data and there are no consequences if you choose not to provide it.

The University collects only the data we need and we keep the data up to date and only for as long as it is needed.

The University processes personal data and special category data in accordance with data protection legislation and its own Data Protection Policy.

We use personal and special category data relating to ethnicity and disability at a statistical level for Athena Swan Charter, DisabledGo Programme and Race Equality Charter. Your information may be shared internally with members of the charter groups, Human Resources Management and members of Equality Diversity and Inclusion Committee.

Your compliance with mandatory training is shared with your line manager.

We will keep your information for a maximum period of 5 years after the end of your employment with the University.

Reports and analysis required for equal opportunity initiatives (such as charters work) are destroyed permanently after 5 years.

Internally, we share your anonymised personal and special category data at a statistical level with:

  • The Equality Diversity and Inclusion committee
  • Athena Swan Charter working groups
  • Race Equality Charter working group
  • The DisabledGo working group
  • Human Resources Management
  • Equality working groups.

We do this in order to:

  • Identify and mitigate the risk of discrimination against current employees by reporting on the Protected Characteristics defined in the Equality Act 2010
  • Meet our obligations under the initiatives including Athena Swan, DisabledGo and Race Equality Charter
  • Ensure compliance with Equality and Diversity processes and policies
  • Support employees in their development, training and progression
  • Justify the budget allocation to PCI activities.

We share your personal data externally with the following third parties:

  • LinkedIn Learning (LinkedIn provide a privacy notice for users of their service)
  • Apprenticeship Training Providers.

We do this in order to:

  • Track your LinkedIn activity to obtain information about the way you access this platform, so that we can analyse the effectiveness and usage of this service. We analyse the effectiveness of course uptake at an aggregate level so that no individuals are identified from the data
  • Share your details with apprenticeship training providers to ensure your contract is in place.

We take the security of your data seriously. Details on University-wide measures surrounding IT security can be found in the principal IT Security Policy (PDF), which sets out the definition of, commitment to and requirements of Information Technology and Security.

It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
  • Ask us to confirm that your personal data is being processed and to access (i.e. have a copy of) that data, as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights, please visit our make a privacy request section.

Make a complaint

If you have any concerns about the way that we have handled your personal data, please email the Data Protection team, as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.