Privacy Notice for Staff
Your Personal Data
The University of Glasgow will be what is known as the ‘Data Controller’ of your personal data processed in relation to your employment relationship. This privacy notice explains how The University of Glasgow will process your personal data.
Changes to this notice
The University may update this notice at any time and may also provide you with further more detailed notices on specific occasions where we collect and process personal data about you. Such additional privacy notices are supplemental to this main privacy notice. You should check this notice regularly to be aware of any changes. However, where any change affects your rights and interests, we will bring this to your attention and clearly explain what this means for you.
What we collect and why we need it
We are collecting your basic personal data such as
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the University;
- recruitment information including copies of right to work documentation, references, CV/resume, covering letter(s) and any other documents submitted as part of the application process, health declaration questionnaire and information completed by the employee prior to commencing employment;
- information about your current and previous remuneration with the University, including entitlement to benefits such as pensions, salary sacrifice arrangements or insurance cover;
- details of your bank account, national insurance number and tax status;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record (where applicable);
- details of your start date, schedule (days of work and working hours), hours worked and attendance at work;
- information about your location and place of work;
- employment records including job titles, work history, training records and professional memberships;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any HR processes such as disciplinary, grievance or sickness absence procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- information obtained through electronic means including, where applicable, swipe card access and computer logon information; and
- Information about medical or health conditions, including whether or not you have a disability for which the University may make reasonable adjustments.
We will also collect, store and use the following “special categories” of more sensitive personal information:
- equal opportunities monitoring information including information about your ethnic origin, sexual orientation, disability and religion or belief. This data is only held if you included it in your application form at the recruitment stage, or if you choose to update your personal profile within the HR system;
- trade union membership (where applicable);
- information about your health and sickness record;
- Information about criminal convictions, offences and disclosure and barring (where applicable).
We are collecting your basic personal data such as
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the University;
- recruitment information including copies of right to work documentation, references, CV/resume, covering letter(s) and any other documents submitted as part of the application process, health declaration questionnaire and information completed by the employee prior to commencing employment;
- information about your current and previous remuneration with the University, including entitlement to benefits such as pensions, salary sacrifice arrangements or insurance cover;
- details of your bank account, national insurance number and tax status;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record (where applicable);
- details of your start date, schedule (days of work and working hours), hours worked and attendance at work;
- information about your location and place of work;
- employment records including job titles, work history, training records and professional memberships;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any HR processes such as disciplinary, grievance or sickness absence procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- information obtained through electronic means including, where applicable, swipe card access and computer logon information; and
- Information about medical or health conditions, including whether or not you have a disability for which the University may make reasonable adjustments.
- Occupational health shall store occupational health records where active cases are ongoing and the information is required for that reason.
- Health surveillance assessments are stored under the ‘control of substances hazardous to health’ (COSHH) and any other health and safety executive legislation where appropriate, by Occupational Health.
We will also collect, store and use the following “special categories” of more sensitive personal information:
- equal opportunities monitoring information including information about your ethnic origin, sexual orientation, disability and religion or belief. This data is only held if you included it in your application form at the recruitment stage, or if you choose to update your personal profile within the HR system;
- trade union membership (where applicable);
- information about your health and sickness record;
- Information about criminal convictions, offences and disclosure and barring (where applicable).
The University collects this information in a variety of ways. For example, data is collected through applications, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of and/or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
The University collects personal data about you from third parties, such as references supplied by former employers (following consent), information from employment background check providers, and (if applicable) information related to criminal record checks and disclosure and barring.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
The University needs to process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements.
The University needs to process data to ensure that it is complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
Legal basis for processing your data
We must have a legal basis for processing all personal data.
All information detailed above is collected as part of our contract with the individual.
In other cases, the University has a legitimate interest in processing personal data before, during and after the end of the employment relationship. For example, processing employee data allows the University to:
- run recruitment and promotion processes;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace and to ensure a safe and secure working environment;
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the University complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- ensure effective general HR and business administration;
- provide references on request for current or former employees; and
- respond to and defend against legal claims.
- Benchmarking purposes.
- data provided to appropriate College/School/Institute for Athena Swan purposes (details available on Athena Swan web site
- providing personal information to University Corporate systems (where appropriate) to co-ordinate corporate systems.
- partial post code data is shared with relevant University Colleagues to contribute to our strategic travel and transport policies.
Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities – processing necessary for the purposes of preventative or occupational medicine).
We process other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out our obligations and exercise specific rights in relation to employment. Employees are entirely free to decide whether to provide such data and there are no consequences of failing to do so.
What we do with it and who we share it with
- Your information may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers and business support administrators in the business area in which you work and staff support services staff e.g. IT, Occupational Health (where appropriate) if access to the data is necessary for performance of your role.
- There may be some occasions where the University will confidentially report limited details of a disciplinary process and/or outcome to another party. This would occur in very limited circumstances described in more detail in the Disciplinary Procedure, including but not limited to where it is deemed appropriate to do so as the least intrusive means of ensuring the psychological safety and wellbeing of survivors of alleged sexual harassment, bullying or discrimination. Such disclosures would be based on an appropriate Legitimate Interests Assessment in the circumstances.
- We share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks, where appropriate, from the Disclosure Scotland. Under the terms of agreement with the Home Office, access must be given for any compliance audits.
- We also share your data with third parties that process data on our behalf for the provision of benefits (Edenred).
- We will share your data with third parties that process data on our behalf for the provision of travel management services (Selective Travel), primarily for Grades 7 – 10 but this may also include other grades of staff.
- The University will not transfer your data to countries outside the European Economic Area unless your employment requires study or a placement at another organisation. In these instances, it will be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad. Employees should be aware that some countries outside of the EEA have lower standards for the protection of personal data that those within the EEA. In addition, personal data may be transferred outside the EEA where data for University systems is stored in an overseas location.
- Some HR processes are administered through automated means.
- To enhance the security of our systems and protect against cyber threats, we may share your data with a trusted third-party cyber security provider.
The University takes the security of your data seriously. The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties e.g. IT security policy, encryption policy, all HR policies etc.
Where the University engages third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Registration with Information Services (IS) means that an employee’s name, department/section, job title, email address and telephone number will appear in the University's electronic email and telephone directory which can be viewed on the internet. In exceptional circumstances employees can opt-out of the directory (in full or in part, such as declining contact details), either at the point of first registering with IS or later by contacting your Head of HR. Employees may also have their details on the relevant departmental web pages but can ask that these be removed or deleted.
The University routinely logs information about use of IT facilities for statistical purposes and to ensure effective systems operations. The University may also monitor electronic communications to ensure that they are being used in accordance with the University’s Regulations for the Use of University ICT Systems and Facilities and, specifically, to prevent or detect crime.
Each employee is required to provide a digital image of themselves for reproduction on their University campus card, which will be used for the purpose of identification. The University may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material and employees may appear on the resulting images, which may be published.
Employee personal data (not including special categories) may be processed for academic research purposes (i.e. where there is only benefit to the researcher alone or the researcher and University combined) on the basis that the results of the research will not lead to decision-making about an individual or groups of individuals. Where a researcher wishes to use special categories data, such as ethnicity or health, explicit consent will be sought beforehand from the individuals concerned.
Some of the reasons for processing your data overlap and there may be several grounds, which justify our use of your personal data.
The University may need to disclose the personal data of employees to organisations contracted to work on its behalf, which could include its pension providers, insurers or professional advisors such as lawyers or auditors and Uniforum. The University may also disclose data to external organisations undertaking market research or academic researchers provided no personal data is published. In certain circumstances the University passes the personal data of employee debtors to an external debt collection agency if the University has been unable to recover the debt by normal internal financial or HR processes.
The University has a statutory requirement to disclose employee personal data to the Higher Education Funding Council for England (HEFCE) and JISC (formerly HESA) and/or their nominees/successors. The JISC return does not include any names of staff or contact details. The University may also disclose personal data to HEFCE and its partner bodies during the Research Excellence Framework (REF). The University processes your data, including salary information for benchmarking and provides anonymised or coded data to UCEA, XpertHR or appropriate HEIs.
Data Sharing with Third Parties
On occasion the University may engage with a third party provider to facilitate your contract of employment or to meet a legal requirement or where we have another legitimate interest in doing so.
Third party service providers includes (but is not limited to) our pension providers, benefit providers and any other relevant service which the University may procure to a third party provider such as auditing and legal services. We may also share data with external interview panellists for recruitment and selection purposes.
The University requires any third parties to respect the security of your data and to treat it in accordance with the law. All third party service providers are required to enter into a formal data-sharing agreement with the University and must demonstrate that they have appropriate security, safeguards and policies in place to process your data.
The University will require that any third party storing your data do so securely with access limited to staff who have a requirement to access the data for reasonable and legitimate purposes.
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the University in whole or in part. We may also need to share your personal information with a regulator or to otherwise comply with the law.
We may share relevant limited factual employment information for the purposes of providing employment references to other employers. Where applicable we may share additional information on reasons for dismissal to other prospective employers when responding to reference requests.
We may require to report a disciplinary outcome to an external body (e.g. a research funder) in line with applicable contractual terms or other relevant protocols. The University will make such disclosures at its sole discretion, providing the individual concerned with prior notification. The University will also report any potential criminality to the relevant authorities (e.g. Police).
How long do we keep it for?
We will hold your personal data for the duration of your employment plus 8 years following the end of your employment. We will, however keep a record of your employment at the University indefinitely for tax and pension reasons. See retention schedule.
How we use special categories data
Special categories of personal information require higher levels of protection. We may process such data in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out any legal obligations.
- Where it is needed in the substantial public interest,
Less commonly, we may process this information where it is needed in relation to legal claims, or where it is needed to protect your interests (and you are not capable of giving your consent) or where you have already made the information public.
In an HR context, we would anticipate use of special categories data in the following ways:
- using information about your physical or mental health or disability status to ensure that you are fit for work, to ensure your health and safety in the workplace, to manage sickness absence, to administer benefits, and to consider any potential reasonable adjustments and support you if you have any health concerns. All health related information is stored securely, is only accessible by those with a legitimate interest to view that data such as Occupational Health, HR and your line manager and, if being sent in electronic format must be password protected;
- information related to leaves of absence including sickness absence or family related leave, to comply with our legal obligations;
- we will also use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting; and
- we will use trade union membership information to pay trade union premiums and to comply with any relevant legal obligations.
What are your rights?
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the University to change incorrect or incomplete data;
- require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- object to the processing of your data where the University is relying on our legitimate interests as the legal ground for processing.
If you wish to exercise any of these rights, please contact dp@gla.ac.uk.
*Please note that the ability to exercise these rights will vary and depend on the legal basis on which the processing is being carried out.
Due to a change in data protection legislation, confidential references are no longer available to individuals as part of their Right to Access. Although the University is not required to release this information to applicants upon request, in the interests of good practice and transparency, we will continue to adhere to this practice unless you specifically detail on the reference that it is confidential and should not be disclosed.
You have some obligations under your employment contract to provide the University with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the University with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the University to enter a contract of employment with you. Data cannot be withheld from the Home Office on their request if you are a sponsored employee (sponsored under the points based immigration system) and in receipt of a Tier 2, Tier 4 or Tier 5 visa. If you do not provide other information, this will hinder our ability to efficiently administer the rights and obligations arising from and associated with the employment relationship.
Individuals have the right to request that the data held on them by the University Occupational Health is deleted but it is important to note that this is not an absolute right, meaning that other rights and legal duties must be safeguarded, e.g. fulfilling an employer’s legal obligation to protect the health and safety of its employees as set out in the Health & Safety at Work Act 1974 and where the individual has been subjected to Health Surveillance assessments under specific Health and Safety Executive legislation.
Complaints
If you wish to raise a complaint on how we have handled your personal data, you can contact the University Data Protection Officer who will investigate the matter.
Our Data Protection Officer can be contacted at dataprotectionofficer@glasgow.ac.uk
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) https://ico.org.uk/