Staff Privacy Notice

1. Identity and contact details of the Data Controller

The University of Gloucestershire is registered with the Information Commissioner’s Office as a Data Controller and is committed to protecting the rights of individuals in line with UK Data Protection legislation.

A copy of this registration can be found here.

2. Contact details of the Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with UK Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer at:

Data Protection Officer
University of Gloucestershire
Registrar’s Directorate
Fullwood House
The Park
Cheltenham, GL50 2RH
Email: dpo@glos.ac.uk

3. What information do we collect about you?

‘Personal information’ means any information that relates to or identifies you as an individual.
The GDPR defines personal data as:
’Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
‘Special categories’ of personal data (sensitive personal data) relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or a natural person’s sex life or sexual orientation.

The University will keep a record of the details you provided on your application form, any supporting documents requested and additional details provided by any referees and recorded following any interview process. We will maintain various administrative and financial records about your employment at the University, and about your use of the academic and non-academic facilities and services that we offer. Where relevant, we may supplement these records with personal data from the public domain (e.g. your publications) or other sources (e.g., where relevant, the Higher Education Academy).

Your personal information is created, stored and transmitted securely in a variety of paper and electronic formats, including some databases that are shared between the University systems. Access to your personal information is limited to staff who have a legitimate interest in it for the purpose of carrying out their contractual duties, and our use of your personal information will not be excessive.
Personal data we collect about employees includes your:
Name
Date of birth
NI number
Nationality
Passport, visa and birth certificate details
Contact details (home address, personal telephone numbers, personal email addresses)
Emergency contact details (we will assume you have checked with the individuals before you supply their contact details to us)
Staff number
Job title

Special category data we collect about employees includes your:
Racial and ethnic origin
Religion or belief
Sexual orientation
Gender identity data
Disability data
Health records

You are able to review the majority of your personal data and special category data we hold via Staff Records Online. You will be able to update many items of your data directly in Staff Records Online. Where it is not possible, for security reasons, instructions are given on who to contact to update the details.

When you visit www.glos.ac.uk the University uses a third party service provided by Google Analytics to collect standard internet log information and details of visitor behaviour patterns. Google Analytics use “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. For information about how Google Analytics uses your personal information, please see the Google Privacy Policy: https://policies.google.com/privacy?hl=en
and how Google safeguards your data: https://support.google.com/analytics/answer/6004245

4. How will your information be used?

The University will process your personal information for a range of contractual, statutory or public interest purposes, including the following:

• To assess your suitability for a particular role or task (including any relevant right to work checks).
• To administer remuneration, payroll, pension and other standard employment functions.
• To administer HR-related processes, including those relating to performance/absence management, disciplinary issues and complaints/grievances.
• To support you in implementing any health-related adjustments to allow you to carry out a particular role or task.
• To operate security (including CCTV), governance, audit and quality assurance arrangements.
• To deliver facilities (e.g. IT, libraries), services (e.g. Pre-employment screening, Occupational
• Health provision) and staff benefits to you, and where appropriate to monitor your use of those facilities in accordance with University policies (e.g. on the acceptable use of IT).
• To communicate effectively with you by post, email and phone.
• To support your training, health, safety, welfare and religious requirements.
• To compile statistics and conduct surveys and research for internal and statutory reporting purposes.
• To fulfil and monitor our responsibilities under equalities, immigration and public safety legislation (i.e. the Resident Labour Market Test for Tier 2 General).
• To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us).

5. What is our lawful basis for processing your personal data?

We process your personal information for these purposes, under Articles 6 and 9 of the GDPR, as they are either necessary for the performance of our contractual obligations with you (e.g. to manage your employment contract), or necessary for compliance with a legal obligation (e.g. equal opportunities monitoring), or necessary for the performance of tasks we carry out in the public interest (e.g. non-statutory reporting or research).
We require you to provide us with any information we reasonably ask for to enable us to administer your contract. If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time. We will not use your personal information to carry out any wholly automated decision-making that affects you.

6. Who your personal information is shared with?

Your personal information is shared as permitted or required by law, on a considered and confidential basis, with a range of external organisations, including the following:

• Higher Education Statistics Agency (see HESA’s statement about the uses made by them of your personal information published at https://www.hesa.ac.uk/about/regulation/dataprotection/notices).
• Prospective and actual research funders or sponsors.
• The external providers of any staff benefits or pensions.
• Relevant Government Departments (e.g. Department for Education, Home Office, Foreign and Commonwealth Office, Department of Health), executive agencies or non-departmental public bodies (e.g. UK Visas and Immigration, HM Revenue and Customs, the Health and Safety Executive), and Higher Education bodies (e.g. Office for Students, UK Research and Innovation).
• Any relevant professional or statutory regulatory bodies (e.g. Nursing and Midwifery Council).
• Any relevant simultaneous employers (e.g. NHS Trusts).
• If you agree, the relevant trade unions.
• On occasion and where necessary, the police and other law enforcement agencies.
• On occasion and where necessary, auditors.
• Companies or organisations providing specific services to, or on behalf of, the University (e.g. occupational health providers, employee screening providers, employee survey providers, data benchmarking organisations, training providers and legal advisers).
• We will provide employment references containing information only (specifically confirming dates of employment and job title) to prospective new employers. We will provide references about you to external enquirers or organisations only where you have provided consent that we should do so.
• We will include your basic contact details in our internal online directory, the Staff Contact Directory.
• With your agreement, your university contact details will also be made available on our external contact directory. Many departments additionally expect staff to maintain a publicly available personal profile or webpage.
• Some information about University Governance and structure, including Council and committee membership is published on the University webpages.
• Other than as set out above, we will not normally publish or disclose any personal information about you to other external enquirers or organisations unless you have requested it or consented to it, or unless it is in your vital interests to do so (e.g. in an emergency situation).

7. Transfers to third countries and safeguards in place

On occasion, the types of sharing detailed above may involve the transfer of your personal information outside of the European Economic Area (e.g. to report to an overseas research funder). Such transfers usually are necessary in order to meet our contractual obligations with you, and are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.

8. How long will your information be held?

We store your personal information as part of your staff record for the duration of your employment (and it may be used as part of our assessment of any future application you make for further employment at the University).
After you leave records relating to your employment are retained for up to seven years after your leaving date so that the details of your employment can be confirmed, for statistical or historical research, and for statutory reporting requirements.
Certain payroll and pension details (specifically relating to your pension contributions) will then be archived and held for 75 years after your leaving date to adhere with statutory requirements.
Certain health records details (for example, relating to any exposure to hazardous substances) will then be archived and held for 40 years after your leaving date to adhere with statutory requirements.
Information about how long different types of information are retained by the University is published at:
http://www.glos.ac.uk/governance/information/pages/records-management.aspx

9. What are your Rights?

Under Data Protection Legislation you have the following rights:
• to request access to, and copies of, the personal data that we hold about you;
• to request that we cease processing your personal data;
• to request that we do not send you any marketing communications;
• to request us to correct the personal data we hold about you if it is incorrect;
• to request that we erase your personal data;
• to request that we restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
• to receive from us the personal data you have provided to us, in a reasonable format specified by you, to another data controller;
• to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights and freedoms.

Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply.

Any requests or objections should be made in writing to the University’s Data Protection Officer, contact details are in Section 2 of this Privacy Notice.

10. How to make a complaint

If you have queries, concerns or wish to raise a complaint regarding the way in which your personal data has been processed you should contact the Data Protection Officer in the first instance, using the contact details under Section 2 of this Privacy Notice.

If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk