Staff data privacy policy

The University collects and processes a range of personal data, including special category personal data, which allows us to fulfil our duties as an employer. We gather this data before and during your employment, and keep information in line with our published University Retention Schedule.

Personal data is any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.

Special category data is any sensitive personal data such as your racial or ethnic origin, health, sex life or sexual orientation, religious beliefs, political opinions, trade union membership, criminal convictions, health or disability.

The data the University holds may include:

• Personal Details such as your name, date of birth, bank account details, National Insurance number, nationality, a copy of your passport, a copy of other identity documents such as a driving licence, documents supporting your right to work (e.g. work permit or visa details), information about criminal convictions, your staff photograph, vehicle registration and insurance details
• Contact Details such as your home address, email address and telephone numbers
• Employment details such as information about your contractual status and role at the University, your CV and application form, your salary history and allowances and other payments, staff benefits and salary sacrifice arrangements, network memberships, absence records, information about your previous employment history, records of hours worked and risk assessments, staff uniform sizes
• Performance details such as records relating to your performance, development and training, details of any grievances, disciplinary proceedings, investigations or tribunals, data relating to evaluation and work allocation
• Education Details such as your qualifications, your places of study and when you graduated
• Family Details such as your emergency contact, next of kin, marital status and information relating to your dependents and other family members
• Health details such as records of any sickness absences, information relating to a disability, health and safety records or occupational health records.
• Information that allows you to join the University network, including IP, Mac address, access points and other electronic identifiers.

Your personal and sensitive personal data may be used in the administration of the following processes:

• The recruitment and selection of new and existing employees, temporary workers and consultants
• Storing details of unsuccessful job applicants and speculative job enquiries and CVs, and matching them to future vacancies
• Conducting employment screening for new and existing staff. This includes co-ordinating reference checks and declarations in relation to previous employment, qualifications, identity, your eligibility to work, medical records, security and criminal convictions (DBS)
• The contractual administration of our staff, including temporary and casual workers, consultants and voluntary or honorary appointees
• Maintaining staff records in the HR databases, including the Employee Self Service system
• The payment of salaries, allowances, pensions, additional payments and salary deductions (including Income Tax and National Insurance contributions)
• Providing staff benefits and administering salary exchange arrangements
• The re-imbursement of expenses, including travel, accommodation and subsistence
• Managing staff wellbeing, including organising occupational health referrals, recording health and safety information and completing accident report forms
• Recording and reporting absence – including annual leave, sickness, parental leave, study leave and jury service
• Managing performance, training, and development
• Recording information relating to disciplinary and grievance procedures, staff disputes, investigations or employment tribunals
• Equality, diversity and inclusivity monitoring
• Management reporting of staff
• Management and organisational planning, including statistical analysis
• Supporting staff with making applications for research or other funding and regulatory approvals
• Providing access to the Employee Engagement Survey
• Maintaining lists of staff network groups
• Holding information necessary for business continuity and emergency purposes
• Providing IT services and access to University systems
• Managing security and controlling access to car parks and University buildings
• Producing photographic staff cards
• Adding your work contact details to the staff directory
• Communicating information via the weekly bulletin and team brief and on the University website
• Audio or video recording of lectures, presentations or training events
• Statutory returns such as the Higher Education Statistics Agency (HESA) and HMRC
• Managing compliance with legal requirements such as the Equality Act, UKVI requirements, the prevention and detection of crime and safeguarding national security.

The majority of staff data is processed under the conditions of the performance of our employment contract with you or to comply with a legal obligation such as employment legislation or HESA.

Some processing is carried in the public interest such as when the University is carrying out staffing reviews, wherever possible this data will be anonymised.

We hold emergency contact details which will may be used to protect your vital interest in an emergency situation.

Where required we will obtain your consent to use your personal information, for example to set up a job alert by email.

Some information is processed in order to ensure the security of our network and to protect data in our care.

The University is committed to ensuring the confidentiality of your data. Controls are in place to manage and limit access to your personal information on systems or in hardcopy form. Your personal data is primarily held in the HR Services team and by your College or Service.

For operational and business continuity purposes, your personal data may be shared with other relevant members of the University including Senior Managers. Your personal data is also shared across relevant IT systems and databases to facilitate the management and delivery of University services.

The University takes steps to ensure that the personal information we share internally is reasonable and relevant for us to carry out our duties to you. We may also share data with other external bodies for the following reasons:

• The University is required to send anonymised data on our staff to the Higher Education Statistics Agency (HESA) on an annual basis. For further information on how HESA collect and process information please see their website: https://www.hesa.ac.uk/about/regulation/data-protection/notices
• If your appointment is externally funded, information may be shared with the relevant funding body
• The University provides data to external organisations for the purposes of gaining professional accreditations or memberships (e.g. AACSB, AMBA. EQUIS). This information may include your name, career history, membership of professional associations and your publications.
• Information about your right to work and visa sponsorship is shared with the Home Office and UKVI
• Certain roles at the University require high-level pre-employment screening checks, and in these cases you’ll be asked to share your data with Agenda, our external provider of screening services
• For roles that require security and criminal records checks, you’ll be asked to share your data with the Disclosure and Barring Service (DBS) and GBG, our external provider of online disclosure services
• Recruitment information relating to Professorial or Senior roles may be shared with external assessors
• The University may provide information including your name, job title and dates of employment, in response to a reference request from a potential future employer
• With your consent, the University may share information relating to your salary and employment status for the purposes of providing a financial reference (such as a Mortgage or Tenancy request)
• With your consent, data may be shared with the external providers of certain staff benefits (including the car scheme, the cycle to work scheme and childcare vouchers)
• We are required to share information with HMRC in relation to Income Tax and National Insurance contributions
• Data is shared for the administration of our pension schemes, including USS, ERSS, NHSPS, NEST and ERBS
• We provide data to ORC to enable them to invite you to the Employee Engagement Survey. We only receive anonymous data from ORC
• Staff salary information in support of pay benchmarking
• With your consent, your personal data may be shared with staff and healthcare professionals in support of an occupational health referral and health screening
• We may share data with the Trade Unions for members who elect to pay their TU membership fees via salary deduction
• Where staff transfer to another organisation under TUPE regulations, we are required by law to provide certain personal information to the new employer
• Where staff are seconded to an external organisation we will share certain personal data with the host employer
• Where personal staff data is held on a University system whose software is supplied by a third party, this will be subject to a formal data sharing agreement between the University and the supplier
• The University may be required to disclose personal data for the purposes of an internal or external audit or investigation
• We may share data with external regulators in relation to research and teaching activities, for example, the Home Office, Defra, Medicines & Healthcare Regulatory Authority, Human Tissue Authority. 

Certain personal information about our staff is available in the public domain and is shared on our website. Data that is publicly available world-wide and may be disclosed to third-parties, includes;

• Names of members of Council and Senate
• Names and academic qualifications of staff
• Staff biographies
• Workplace contact details
• Other information relating to staff that they have agreed to share in the public domain or on our website.

If you have any concerns regarding this please contact your line manager or your HR representative.

The University may be asked to share your personal data with other third parties for the reasons listed below, and in these cases we will always consider your rights and ensure we are meeting our obligations under GDPR and other relevant legislation.

• It is required to safeguard national security
• It is necessary for the prevention or detection of crime
• It is necessary for the discharge of regulatory function including securing the health, safety and welfare of personas at work
• It is to be used for research purposes only
• It is available to the public under law (including Freedom of Information legislation)
• It is necessary to establish, exercise or defend legal rights
• There is a legal duty to disclose the information

In certain cases, the University may also share personal data with third party organisations outside of the EU. In these cases, data will only be shared with your consent, and will be subject to data sharing agreements with the relevant partner to ensure compliance with data protection legislation.

The University does NOT sell data to third parties or allow third parties to sell on data where data is shared with them.

The University will keep your personal information for no longer than is necessary for the purposes it has been collected. Data is held and destroyed in line with our published University Retention Schedule and in accordance with statutory legislation.

The University Retention Schedule and our procedures for disposing of data are reviewed on a regular basis.

Your personal data is held securely on University databases, shared drives and email inboxes located on University servers. Data is also held manually in paper form. The University has controls in place to ensure access to the electronic and physical locations that hold personal information are monitored and limited to relevant university staff only.

All staff are required to complete the University’s Information Governance online training and have a contractual obligation to maintain confidentiality. The course is also available on ELE to all associate and post-graduate accounts.

The University ensures that appropriate data sharing agreements are in place prior to sharing your personal data with any third party.

Any incident or breach of the Data Protection Act must be reported via the SID helpdesk and dealt with immediately, in line with the University’s Data Breach Policy.

You have a number of rights in relation to the personal data that is collected and held about you by the University. For further information please see how to make a request or contact dataprotection@exeter.ac.uk.

This Privacy Notice will be kept under review. Any changes will be updated on our website and communicated as appropriate. This Privacy Notice was last updated in May 2018.

The University’s Data Protection Officer is responsible for monitoring compliance with relevant legislation in relation to personal data and can be contacted at dataprotection@exeter.ac.uk.

You can contact the HR team at humanresources@exeter.ac.uk or the University Data Protection Officer if you have any queries or concerns about the University’s processing of your personal data.