UWE Bristol Staff Data Privacy Notice
Introduction and purpose of this Privacy Notice
The University needs to process certain information about its employees, workers and contractors for various employment related purposes. UWE Bristol is committed to protecting the privacy and security of your personal data. This Privacy Notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with applicable data protection legislation.
UWE Bristol is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice. This notice applies to current and former employees, workers and contractors. This notice is to provide you with information about how we process personal information, it does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.
UWE Bristol will always comply with its legal requirement in processing your personal data. In particular, your personal data will only be processed in a way which is consistent with the requirements of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act, 2018 as enacted and amended in UK law. Your personal data will only be processed in a way which is compatible with UWE Bristol’s policies, procedures and collective agreements.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
What personal details do we hold
UWE Bristol collects and uses personal data (including “special categories” of more sensitive personal data). We will collect, store and use the following categories of personal information about you:
- personal contact details, including email and telephone numbers
- date of birth
- marital status
- emergency contact details
- National Insurance number
- bank account details, payroll records and tax status information
- salary, deductions, annual leave, pension and benefits information
- start date (and if applicable, end date)
- recruitment information (including copies of right to work documentation, references and other information provided as part of the recruitment process)
- employment records (including job titles, work history (with previous employers and UWE Bristol), leave and reasons for leave, working hours, training records and professional memberships and qualifications)
- compensation history (if applicable)
- lecture capture (sound and visual)
- probation, performance and development review information
- disciplinary and grievance information
- CCTV footage and other information obtained via electronic means such as ANPR and swipe card records
We may also collect, store and use the following “special categories” of more sensitive personal data:
- information about your race or ethnicity, religious beliefs, sexual orientation
- membership of a recognised trade union. Please note that this information is only collected and processed for the purposes deducting and passing on union subscriptions directly from salary. UWE Bristol does not use this information for any other purpose.
- information about your health, including any medical condition, health and sickness records, whether or not you have a disability for which UWE Bristol needs to make Reasonable Adjustments
- information about criminal convictions and offences (this is not a “special category” but must be processed with appropriate additional safeguards).
How we will use information about you
We will only process your personal data when the law allows us to. We will always comply with UWE Bristol’s policies and procedures in processing your personal data. Most commonly, we will use your personal information in the following circumstances (legal bases):
- where we need to perform the contract that we have entered into with you
- where we need to comply with a legal obligation
- where it is necessary for our legitimate interests, including the efficient and effective running of the University (or those of a third party), and your interests and fundamental rights do not override those
- where required to carry out a task in the public interest.
Exceptionally, we may also use your personal data in the following situations:
- where we need to protect your or someone else’s vital interests.
We need to process the data listed above primarily for entering into contracts of employment, and as necessary for the proper administration of the employment relationship (including meeting certain legal obligations as employers, such as administering income tax and national insurance), both during and after employment. The purposes and relevant legal bases for processing are listed in more detail in the table below:
|Staff administration (including recruitment, appointment, training, promotion, performance assessment, disciplinary matters, grievance processes, absence records, leave records, occupational health advice, pensions, and any other employment related matters)||
|Access to, and security of, University facilities (including library services, computing services, sports and conference facilities and welfare services)||
|Accounting and financial purposes including pay, workforce planning and other strategic planning activities||
|Internal and external auditing purposes and other business management and planning purposes||
|Meeting health and safety obligations and equality of opportunity monitoring obligations||
|Carrying out statutory duties to provide information to external agencies||
|Collection of CCTV images for the prevention/detection of crime and prosecution of offenders||
|Lecture capture for purpose of enhanced educational provision||
|Recording (video/audio) of organisational activities for purpose of enhanced business and/or educational provision (e.g. the recording of staff meetings)||
|To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution||
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit) or we may be prevented from complying with our legal obligations (such as our duty of care to ensure the health and safety of our workers).
Our obligations as an employer
We will use your particularly sensitive personal data in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence or family related leave, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate reasonable adjustments, to monitor and manage sickness absence and to administer benefits.
- We will use information about your race, nationality or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
- We will use trade union membership information to pay trade union premiums.
Special categories of more sensitive personal data
"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:
- in limited circumstances, with your explicit written consent
- where we need to carry out our legal obligations or exercise rights in connection with employment.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
Do we need your consent?
We do not need your consent if we use special categories of your personal data in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.
In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data (for example in relation to obtaining an Occupational Health report). If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
Information about criminal convictions
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally permitted to do so, eg the role requires a DBS check. Where appropriate, we will collect information about criminal convictions as part of the external or internal recruitment process or we may be notified of such information directly by you in the course of you working for us. We have in place an appropriate policy and safeguards which are required by law when processing such data.
Automated decision making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using solely automated means, however we will notify you in writing if this position changes.
How long do we keep your personal data?
Data is retained only for as long as is required to meet the purpose(s) for which it is collected and processed (for example to fulfil contractual obligations or meet legal requirements). Please refer to our University Records Management Policy and Records Retention Schedules for more detailed information. These are available by contacting our Data Protection Office by email at email@example.com.
Who may your data be shared with and why?
|Government departments and other UK agencies with duties relating to the prevention and detection of crime, apprehension and prosecution of offenders, collection of a tax or duty, or safeguarding national security||In order to meet statutory requirements and otherwise as necessary in the public interest, and with consideration of your rights and freedoms. (Includes HMRC, Department for Work and Pensions, Home Office UK Borders Agency, Passports and Immigration, and the police.)|
|Office for Students and its agents||Such as the Higher Education Statistics Agency (HESA) and the Quality Assurance Agency. You are advised to refer to the collection notices on the HESA website for further details.|
|NHS organisations||Where this is necessary for management purposes in connection with the performance of your contractual or honorary contract duties|
|Professional bodies (eg General Medical Council, Royal Society of British Architects, SRA)||Where this is necessary for accreditation purposes and/or the performance of your contractual duties|
|Potential employers or providers of education whom you have approached||For the purposes of confirming your employment with UWE|
|Members of the public||When required by the Freedom of Information Act 2000 and the disclosure does not breach any of the Data Protection Principles|
|Pension providers||Administration of pensions|
|Consultants and training providers||Staff administration, eg in context of staff training and development|
|Professional legal advisers||Provision of relevant legal advice|
|Occupational Health providers||Provision of Occupational Health services|
Your personal data may also be processed on UWE Bristol’s behalf by third party software and other service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers (“data processors”) to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
The University may from time to time make other disclosures without your consent. However, these will always be in accordance with the provisions of the applicable Data Protection legislation and your interests will always be considered.
Transfers to third countries
It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world depending on the circumstances. Any transfers made will be in full compliance with all aspects of the Data Protection legislation and with due regard to your rights and freedoms.
How do we keep your data secure?
Access to your personal data is strictly controlled on a need to know basis and data is stored and transmitted securely using methods such as encryption and access controls for physical records where appropriate.
Under the General Data Protection Regulation you have the following qualified rights:
- the right to be informed about and access your personal data held by the University
- the right to rectification if the information is inaccurate or incomplete
- the right to restrict processing and/or erasure of your personal data
- the right to data portability
- the right to object to processing
- the right to object to automated decision making and profiling (we do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes).
If you wish to exercise any of these rights please contact the Data Protection Officer (firstname.lastname@example.org). You also have an unreserved right to complain to the Information Commissioner’s Office.