To ensure that we process your personal data fairly and lawfully we are required to inform you:
We will also explain what rights you have to control how we use your information and how to inform us about your wishes. Durham University will make the Privacy Notice available via the website and at the point we request personal data.
Our privacy notices comprise two parts – a generic part (ie common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.
The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact Information Governance Unit:
Telephone: (0191 33) 46246 or 46103
Information Governance Unit also coordinate response to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.
The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:
Kristina Holt, email: firstname.lastname@example.org
You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.
Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.
You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage. [link: internal to this site]
If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.
Once we have determined what we are going to do, we will contact you to let you know.
You can ask us to erase your personal data in any of the following circumstances:
Once we have determined whether we will erase the personal data, we will contact you to let you know.
You can ask us to restrict the processing of your personal data in the following circumstances:
Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.
The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.
If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: Information Commissioner’s Office
The University collects and processes personal data relating to our employees to manage the employment relationship. The University is committed to being transparent about how it collects and uses that data and to meeting our data protection obligations.
This section of the Privacy Notice provides you with the privacy information that you should be aware of as an employee of the University.
Please note that for ease of reference the contents of this privacy notice apply (where applicable) to current and former employees, workers and contractors/self-employed individuals but the terms employee and employment shall be used throughout.
This notice does not form any part of any contract of employment or other contract to provide services nor does it infer employment status.
The University collects a range of information about you, which includes (but is not limited to):
We may also collect, store and use the following “special categories” of more sensitive personal information:
The University collects this information in a variety of ways. For example, data is collected through applications, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of and/or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments or as part of any health declarations.
The University collects personal data about you from third parties, such as references supplied by former employers (following consent), information from employment background check providers, and (if applicable) information related to criminal record checks and disclosure and barring.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
The University may also seek an academic reference from third parties as part of the academic promotion process and will forward a copy of your standard proforma progression CV to referees.
The collection of health information related to outbreaks of infectious disease (such as Covid-19 or any subsequent such health issues) will also be necessary.
The University has a legitimate interest in processing personal data before, during and after the employment relationship. The University needs to process data to take steps prior to potentially entering into a contract with you. Thereafter the University needs to process data to enter into an employment contract with you and to meet our obligations under your employment contract.
The University needs to process data to ensure that it is complying with our legal obligations. We may also use your personal information where we need to protect your (or someone else’s) interests or where it is in the public interest. When we process your personal information we will do so provided your fundamental rights do not override those interests.
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with details of the information that we would like and the reason we need it, so that you can consider whether you wish to consent.
Data will be stored in a range of different places, including in your electronic and hard copy personnel file, electronically (and sometimes in hard copy) in your department, within the Recruitment/HR management systems, within the University’s document systems and in other IT systems (including the University's email system and SharePoint).
HR data will be stored in a range of different places, predominantly in HR but some employment data will be stored in your department (for example recent Annual Staff Reviews) or other material departments of the University (for example any Occupational Health records will be stored in Occupational Health).
HR data is stored securely and will only be accessed by colleagues with a legitimate interest in accessing your data.
Processing employee data allows the University to:
In addition employees should be aware of the following uses of data:
We process personal data related to the protected characteristics of employees including gender and race but we do so for the purpose of equal opportunities monitoring and employees are not obliged to provide such information to the University.
In some cases, the University needs to process data to ensure that it is complying with its legal obligations, for example, the University is required to check that all employees are entitled to work in the UK and thereafter may have to conduct regular checks of employee’s right to work status.
Registration with Computing and Information Services (CIS) means that an employee’s name, department/section, job title, email address and telephone number will appear in the University's electronic email and telephone directory which can be viewed on the internet. In exceptional circumstances employees can opt-out of the directory (in full or in part, such as declining contact details), either at the point of first registering with CIS or later by contacting the University’s Data Protection Officer. Employees also have their name and academic qualifications published in the Durham University Calendar and may have their name, academic qualifications and contact details published in external academic-related publications such as the Commonwealth Universities Yearbook. Employees may also have their details on the relevant departmental web pages but can ask that these be removed or deleted.
The University routinely logs information about use of IT facilities for statistical purposes, to ensure effective systems operations and to ensure legal compliance relating to software usage. The University may also monitor electronic communications to ensure that they are being used in accordance with the University’s Policy and Regulations for the Use of University IT Facilities and, specifically, to prevent or detect crime.
Where an employee’s employment with the University requires study, employment or a placement at another organisation it will be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad. Employees should be aware that some countries outside of the EEA have lower standards for the protection of personal data that those within the EEA.
Each employee is required to provide a digital image of themselves to CIS for reproduction on their University campus card, which will be used for the purpose of identification. The University may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material and employees may appear on the resulting images, which may be published.
Employee personal data (not including sensitive personal data) may be processed for academic research purposes (i.e. where there is only benefit to the researcher alone or the researcher and University combined) on the basis that the results of the research will not lead to decision-making about an individual or groups of individuals. Where a researcher wishes to use sensitive personal data, such as ethnicity or health, explicit consent will be sought beforehand from the individuals concerned.
We will only use information relating to criminal convictions and disclosure and barring where we are legally entitled to do so. This will include enquiring about unspent convictions during the recruitment process and we will obtain information about criminal convictions and safeguarding where we consider that it is appropriate given the nature of the requirement for the role. Less commonly, we may use information relating to criminal convictions and/or disclosure and barring where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
Some of the reasons for processing your data overlap and there may be several grounds which justify our use of your personal data.
Special categories of sensitive personal information require higher levels of protection. We may process such data in the following circumstances:
Less commonly, we may process this information where it is needed in relation to legal claims, or where it is needed to protect your interests (and you are not capable of giving your consent) or where you have already made the information public.
In an HR context we would anticipate use of sensitive personal information in the following ways:
Your information may be shared internally, including with members of the HR and recruitment team, with the University’s Finance team which includes the Payroll and Pension’s Team, your line manager, managers and business support administrators in the business area in which you work, with relevant Durham University committees for the purpose of progression and staff support services staff if access to the data is reasonable for the purpose of your contract.
The University may share your data with third party agencies to satisfy any legal requirements or where there is a legitimate interest to do so (such as public health) including in respect of your right to work in the UK and, if applicable information on any criminal convictions and/or disclosure and barring.
The University may need to disclose the personal data of employees to organisations contracted to work on its behalf, which could include its pension providers, insurers or professional advisors such as lawyers or auditors. The University may also disclose data to funders of research and externally funded activities, research collaborators and selected individuals acting on behalf of the University such as alumni organising alumni events, external organisations undertaking market research or academic researchers provided no personal data is published. In certain circumstances the University passes the personal data of employee debtors to an external debt collection agency if the University has been unable to recover the debt by normal internal financial or HR processes.
Where considered legitimate and/or necessary the University may share data with the University's recognised trade unions.
The University has a statutory requirement to disclose employee personal data to the Office for Students (OfS) and the Higher Education Statistics Agency (HESA) and/or their nominees/successors. The University may also disclose personal data to OfS and its partner bodies during the Research Excellence Framework (REF).
The University may share your data with third party agencies to satisfy any legal requirements or where there is a legitimate interest to do so, such as public health. Data would be shared to allow the University to receive external advice on infection control to protect the university community, and to support the identification, modelling and management of local and national outbreaks of infectious disease. Data would only be shared with third parties where necessary and the processing would only identify individuals if required.
Every year, the University sends some staff employee data to HESA. The data is sent in coded form and employee names are not given. For each anonymous individual, a HESA record is created. The HESA employee record is used for:
The HESA record is used by the organisations listed below, or agents acting on their behalf, to carry out their public functions connected with education in the UK:
The HESA record may also be used by the Office for National Statistics and the National Audit Office to fulfil their statutory functions of measuring population levels and monitoring public expenditure.
HESA use the HESA record to produce anonymised data in annual statistical publications. These include some National Statistics publications and online management information services.
Research, equal opportunity, journalism, other legitimate interest/public function
HESA will also supply anonymised data to third parties for the following purposes:
Anonymised data for the above purposes is supplied by HESA to the following types of user:
HESA will take precautions to ensure that individuals are not identified from the anonymised data which they process.
An individual has the right to a copy of the information HESA holds about them. Because the information HESA holds about individuals does not include names and is a copy of the information held by the University, individuals should contact the University if they wish to see the information. If individuals have any concerns about their information being used by HESA, please contact HESA directly by emailing email@example.com.
Further information about the HESA record is available from www.hesa.ac.uk/. Individuals who wish to opt out of any non-statutory purposes should request their HESA number from the University and then contact HESA directly.
The NHS Research Passport initiative is a national scheme. It allows universities and relevant NHS trusts to share certain information about employees who hold contracts of employment that require them to engage in health-related research in the NHS. Where required, the University will issue a form to the relevant NHS trust to verify that a number of checks have been undertaken (which will allow the trust to issue a contract or letter of access to the employee):
On occasion the University may engage with a third party provider to facilitate your contract of employment or to meet a legal requirement or where we have another legitimate interest in doing so.
Third party service providers includes (but is not limited to) our pension providers, benefit providers and any other relevant service which the University may procure to a third party provider such as auditing and legal services.
The University requires any third parties to respect the security of your data and to treat it in accordance with the law. All third party service providers are required to enter into a formal data-sharing agreement with the University and must demonstrate that they have appropriate security, safeguards and policies in place to process your data.
The University will require that any third party storing your data does so securely with access limited to staff who have a requirement to access the data for reasonable and legitimate purposes.
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the University in whole or in part. We may also need to share your personal information with a regulator or to otherwise comply with the law.
The University takes the security of your data seriously. The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees legitimately in the performance of their duties or by third parties as outlined in this Privacy Statement.
The University will only retain your data for as long as necessary to fulfil the purposes we collected it for which includes satisfying any legal, accounting or reporting requirements.
The University Records Retention Schedule (Section 20: Human Resources) outlines how long we will keep your data.
In some cases, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
You have obligations under your employment contract to provide the University with data. In particular, you are required to report absences from work and may be required to provide information about matters which could impact on your employment, for example criminal convictions. You may also have to provide the University with data so that you can use your statutory rights, for example to take maternity or paternity leave and failing to provide such data may mean that you are unable to exercise your statutory rights.
Some information, such as contact details, your right to work in the UK and payment details, must be provided to enable the University to enter a contract of employment with you. If you do not provide such information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently and, in some cases, we may not be able to continue employing you.
When someone visits www.durham.ac.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. Durham University also make use of the Google Analytics service to understand how you navigate around our site.
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit
We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.
If you have any questions which you feel have not been covered by this Privacy Notice, please email us or write to:
Information Governance Unit, University Secretary’s Office, Durham University, Stockton Road, Durham DH1 3LE
Telephone: (0191 33) 46246 or 46103 Email: firstname.lastname@example.org