Staff applicant privacy notice

The data controller processing your data is the University of Surrey. We are registered as a data controller with the Information Commissioner’s Office and are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a named Data Protection Officer, Elizabeth Powis, who can be contacted via

As part of any recruitment process, the University of Surrey collects and processes personal data relating to job applicants for University and Surrey Sports Park roles. The University is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

By registering to use our online recruitment and talent system and submitting a job application to us, you agree to the terms of this data privacy statement and for your personal information (which might include sensitive personal information) to be processed and held by the University of Surrey and by selected third parties. However, any data shared with us will remain inside the EEA.

This people process management software solution is hosted by the University of Surrey and provided to University of Surrey by Stonefish Software Limited, 125 Nottingham Road, Stapleford, Nottinghamshire NG9 8A

The University collects a range of information about you. This includes:

  • Your name, address and contact details, including email address and telephone number
  • Your date of birth
  • Identifiers issued by public bodies, e.g. NI Number, ORCID, HESA ID
  • Details of your qualifications, skills, experience and employment history
  • Information about your current level of remuneration, including benefit entitlements
  • Whether or not you have a disability for which the University needs to make reasonable adjustments during the recruitment process
  • Information about your entitlement to work in the UK
  • Equal opportunities monitoring information, including gender, information about your ethnic origin, gender identification, sexual orientation, health, and religion or belief.

The University collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment.

The University will also collect personal data about you from third parties, such as references supplied by former employers, including information from employment background check providers and information from criminal records checks. The University will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so. On occasion, academic references are collected before the interview to complement the interview process; if you have not given consent for us to do so, the University will contact you before requesting references.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

The University needs to process data at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, the University needs to process data to ensure that it is complying with its legal obligations. These include:

  • Checks to ensure a successful applicant's eligibility to work in the UK before employment starts
  • Criminal records checks from the Disclosure and Barring Service (for applicable roles)
  • Professional registrations and qualifications checks (for applicable roles).

The University has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the University to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The University may also need to process data from job applicants to respond to and defend against legal claims.

The University processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

The University processes other special categories of data, such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status. This is done for the purposes of monitoring the University’s policies in meeting our obligations under the Equality Act 2010 and other initiatives including Athena Swan and the Race Equality Charter, and to provide anonymised statistical reporting. This equal opportunities monitoring is done with the explicit consent of job applicants, which can be withdrawn at any time. This data is not used in the recruitment decision-making process.

Access to the information you provide to us shall be restricted to authorised users only and is treated in the strictest confidence and shall only be used for the purposes of processing your application and for processing of the aforementioned anonymous statistics. 

In order for us to process your application your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

The University takes the matter of IT security very seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

University IT security

Details on University wide measures surrounding IT security can be found in the principal IT Security Policy which sets out the definition of, commitment to and requirements of Information Technology and Security.

It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.

Application security

The application employs extensive security measures to protect against the loss, misuse, and unauthorised alteration of data. Security includes the following standard features*:

  • Protection against improper logins
  • Role based permissions are utilized to ensure that data is only accessible to those with appropriate access rights
  • Enforced segregation of duties, including secondary controls and restrictions applied to privileged accounts
  • All data is encrypted, including backups
  • Once data has reached our retention limits the disposition rules will be invoked and relevant data is disposed of securely.

*Note this is not an exhaustive list.

Third parties

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

If your application for employment is unsuccessful, the University will hold your job application and other information supplied on file for one year after the end of the relevant recruitment process. However, if the successful candidate is sponsored by the University under a Certificate of Sponsorship, the University has a statutory obligation to retain the personal data and associated interview notes of all candidates who were shortlisted and invited for interview until its next UKVI audit or for the duration of the successful candidate’s sponsorship.

Should you make any subsequent applications during this time you agree to ensure that your personal data such as name, address and details of your current employer is updated as necessary. If you agree to allow the University to keep your personal data on file by registering for job alerts or our talent community, the University will hold your data on file for a further five years for consideration for future employment opportunities. At the end of that period or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in the staff privacy notice.

The University uses an external platform to enable you to apply for positions within the University and to enable us to manage your application within our recruitment processes.

We will not share your data with other third parties, unless your application for employment is successful and the University makes you an offer of employment. The University will then share your applicable data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service (if applicable) to obtain necessary criminal records checks. Some of your data may be shared with government bodies such as UK Visa and Immigration (UKVI) to ensure the University can demonstrate compliance.

If your application is successful the University will also share relevant health data (where necessary) with its internal Occupational Health department for the purposes of ensuring the University meets its employment obligations.

By using this site you will allow the University to share information with UKVI and Immigration for the purposes of applying for a Certificate of Sponsorship (if applicable). This data includes name, address, contact phone number, date of birth, gender, job data and passport information.

The University will not transfer your data outside the European Economic Area.

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
  • Ask us to confirm that your personal data is being processed and to access (i.e. have a copy of) that data as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights please visit our make a privacy request section.

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.

You are under no statutory or contractual obligation to provide data to the University during the recruitment process. However, if you do not provide the information, the University may not be able to process your application properly or at all.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Automated decision-making

For some roles, the University's recruitment processes will be based solely on automated decision-making. This is where there is a minimum requirement for the advertised role. These requirements are associated with:

  • Qualifications either professional or educational that must be met in order for the application to proceed
  • Right to work in the UK
  • UK driving licence.

Should the minimum requirement not be met the system will not allow you to progress your application.