Privacy Notice - Employees
Part 1: Generic Privacy Notice Information
To ensure that we process your personal data fairly and lawfully we are required to inform you:
- Why we collect your data
- How it will be used
- Who it will be shared with
We will also explain what rights you have to control how we use your information and how to inform us about your wishes. Durham University will make the Privacy Notice available via the website and at the point we request personal data.
Our privacy notices comprise two parts – a generic part (ie common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.
The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact Information Governance Unit:
Telephone: (0191 33) 46246 or 46103
Information Governance Unit also coordinate response to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.
Data Protection Officer
The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:
Amanda Wilcox, email: firstname.lastname@example.org
Your rights in relation to your personal data
Privacy notices and/or consent
You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.
Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.
Accessing your personal data
You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage. [link: internal to this site]
Right to rectification
If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.
Once we have determined what we are going to do, we will contact you to let you know.
Right to erasure
You can ask us to erase your personal data in any of the following circumstances:
- We no longer need the personal data for the purpose it was originally collected
- You withdraw your consent and there is no other legal basis for the processing
- You object to the processing and there are no overriding legitimate grounds for the processing
- The personal data have been unlawfully processed
- The personal data have to be erased for compliance with a legal obligation
- The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites).
Once we have determined whether we will erase the personal data, we will contact you to let you know.
Right to restriction of processing
You can ask us to restrict the processing of your personal data in the following circumstances:
- You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
- The processing is unlawful and you want us to restrict processing rather than erase it
- We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
- You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.
Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.
The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.
Making a complaint
If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: Information Commissioner’s Office
Part 2: Tailored Privacy Notice for Employees
Employees: Type(s) of personal data collected and held by the University and methods of collection
The University collects and processes personal data relating to our employees to manage the employment relationship. The University is committed to being transparent about how it collects and uses that data and to meeting our data protection obligations.
This section of the Privacy Notice provides you with the privacy information that you should be aware of as an employee of the University.
Please note that for ease of reference the contents of this privacy notice apply (where applicable) to current and former employees, workers and contractors/self-employed individuals but the terms employee and employment shall be used throughout.
This notice does not form any part of any contract of employment or other contract to provide services nor does it infer employment status.
The University collects a range of information about you, which includes (but is not limited to):
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the University;
- recruitment information including copies of right to work documentation, references, CV/resume, covering letter(s) and any other documents submitted as part of the application process, health declaration questionnaire and information completed by the employee prior to commencing employment;
- information about your current and previous remuneration with the University, including entitlement to benefits such as pensions, salary sacrifice arrangements or insurance cover;
- details of your bank account, national insurance number and tax status;
- information about your marital status, emergency contact, dependents and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record;
- details of your start date, schedule (days of work and working hours), hours worked and attendance at work;
- information about your location and place of work;
- employment records including job titles, work history, training records and professional memberships;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any HR processes such as disciplinary, grievance or sickness absence procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- information obtained through electronic means including, where applicable, swipe card access, computer logon information and software usage; and
- information about medical or health conditions, including whether or not you have a disability for which the University may make reasonable adjustments.
We may also collect, store and use the following “special categories” of more sensitive personal information:
- equal opportunities monitoring information including information about your ethnic origin, sexual orientation and religion or belief;
- trade union membership;
- information about your health, including any medical condition, health and sickness record;
- information about criminal convictions and offences and disclosure and barring.
The University collects this information in a variety of ways. For example, data is collected through applications, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of and/or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments or as part of any health declarations.
The University collects personal data about you from third parties, such as references supplied by former employers (following consent), information from employment background check providers, and (if applicable) information related to criminal record checks and disclosure and barring.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
The University may also seek an academic reference from third parties as part of the academic promotion process and will forward a copy of your standard proforma progression CV to referees.
The collection of health information related to outbreaks of infectious disease (such as Covid-19 or any subsequent such health issues) will also be necessary.
Employees: Lawful basis
The University has a legitimate interest in processing personal data before, during and after the employment relationship. The University needs to process data to take steps prior to potentially entering into a contract with you. Thereafter the University needs to process data to enter into an employment contract with you and to meet our obligations under your employment contract.
The University needs to process data to ensure that it is complying with our legal obligations. We may also use your personal information where we need to protect your (or someone else’s) interests or where it is in the public interest. When we process your personal information we will do so provided your fundamental rights do not override those interests.
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with details of the information that we would like and the reason we need it, so that you can consider whether you wish to consent.
Employees: How personal data is stored
Data will be stored in a range of different places, including in your electronic and hard copy personnel file, electronically (and sometimes in hard copy) in your department, within the Recruitment/HR management systems, within the University’s document systems and in other IT systems (including the University's email system and SharePoint).
HR data will be stored in a range of different places, predominantly in HR but some employment data will be stored in your department (for example recent Annual Staff Reviews) or other material departments of the University (for example any Occupational Health records will be stored in Occupational Health).
HR data is stored securely and will only be accessed by colleagues with a legitimate interest in accessing your data.
Employees: How personal data is processed
Processing employee data allows the University to:
- run and make a decision on recruitment and promotion processes;
- determining the terms on which you work for us;
- check you are legally entitled to work in the UK;
- paying you and, if you are an employee/worker/deemed a worker due to IR35 regulations, deducting tax and national insurance contributions;
- liaising with your pension provider;
- business management and planning including accounting and auditing;
- making decisions about salary, benefits and compensation;
- assessing qualifications and skills for a particular job or task, including decisions about promotions;
- providing you with relevant facilities such as access to IT and the Library;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- operate and keep a record of disciplinary and grievance processes (or other relevant HR processes), gather evidence for any disciplinary or grievance processes (or other relevant HR processes), to ensure acceptable conduct within the workplace;
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- manage sickness absence and operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- obtain occupational health advice, to ensure that the University complies with duties in relation to individuals with disabilities, meet our obligations under health and safety law (including, where there are legitimate interests to do so, reporting health issues to appropriate third parties in the interests of public health), and ensure that employees are fit for work and are appropriately supported by the University;
- contact third parties such as medical professionals or emergency contact concerning the health of an employee, with an employee’s consent or, if that consent cannot or will not be given, in exceptional circumstances and in the legitimate interests of the employee, the University or in the public interest without the employee’s consent;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the University complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- education, training and development requirements;
- make decisions about requests for flexible working;
- ensure effective general HR and business administration to operate the employment contract;
- making decisions about your continued employment or engagement including the potential termination of your employment;
- to monitor your use of our information and communication systems to ensure compliance with our IT policies and to ensure network and information security including preventing unauthorised access to our computer and electronic communication systems and preventing malicious software distribution;
- to gather data to review and take action on employee retention and attrition rates;
- equal opportunities monitoring;
- preventing and detecting crime, such as use of CCTV or attaching photos to campus cards;
- maintaining contact with former employees;
- to engage with the University's recognised trade unions about matters pertaining to University groups of staff or individual employees;
- making statutory or external returns, for example to the Higher Education Statistics Agency (HESA);
- fundraising and marketing;
- provide references on request for current or former employees;
- making decisions in relation to academic promotion processes;
- to respond to and defend against legal claims;
- to facilitate the arranging of travel and accommodation, provision of travel cover via University systems for travel on University business and the handling of any claims;
- provide facilities, such as the IT service and Library service;
- any other reasonable and related purpose.
In addition employees should be aware of the following uses of data:
We process personal data related to the protected characteristics of employees including gender and race but we do so for the purpose of equal opportunities monitoring and employees are not obliged to provide such information to the University.
In some cases, the University needs to process data to ensure that it is complying with its legal obligations, for example, the University is required to check that all employees are entitled to work in the UK and thereafter may have to conduct regular checks of employee’s right to work status.
Registration with Computing and Information Services (CIS) means that an employee’s name, department/section, job title, email address and telephone number will appear in the University's electronic email and telephone directory which can be viewed on the internet. In exceptional circumstances employees can opt-out of the directory (in full or in part, such as declining contact details), either at the point of first registering with CIS or later by contacting the University’s Data Protection Officer. Employees also have their name and academic qualifications published in the Durham University Calendar and may have their name, academic qualifications and contact details published in external academic-related publications such as the Commonwealth Universities Yearbook. Employees may also have their details on the relevant departmental web pages but can ask that these be removed or deleted.
The University routinely logs information about use of IT facilities for statistical purposes, to ensure effective systems operations and to ensure legal compliance relating to software usage. The University may also monitor electronic communications to ensure that they are being used in accordance with the University’s Policy and Regulations for the Use of University IT Facilities and, specifically, to prevent or detect crime.
Where an employee’s employment with the University requires study, employment or a placement at another organisation it will be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad. Employees should be aware that some countries outside of the EEA have lower standards for the protection of personal data that those within the EEA.
Each employee is required to provide a digital image of themselves to CIS for reproduction on their University campus card, which will be used for the purpose of identification. The University may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material and employees may appear on the resulting images, which may be published.
Employee personal data (not including sensitive personal data) may be processed for academic research purposes (i.e. where there is only benefit to the researcher alone or the researcher and University combined) on the basis that the results of the research will not lead to decision-making about an individual or groups of individuals. Where a researcher wishes to use sensitive personal data, such as ethnicity or health, explicit consent will be sought beforehand from the individuals concerned.
We will only use information relating to criminal convictions and disclosure and barring where we are legally entitled to do so. This will include enquiring about unspent convictions during the recruitment process and we will obtain information about criminal convictions and safeguarding where we consider that it is appropriate given the nature of the requirement for the role. Less commonly, we may use information relating to criminal convictions and/or disclosure and barring where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
Some of the reasons for processing your data overlap and there may be several grounds which justify our use of your personal data.
Employees: How we use sensitive personal data
Special categories of sensitive personal information require higher levels of protection. We may process such data in the following circumstances:
- In limited circumstances, with your explicit written consent;
- Where we need to carry out any legal obligations which includes, where there is legitimate interests, for reasons of public health;
- Where it is needed in the public interest, such as for equal opportunities monitoring.
Less commonly, we may process this information where it is needed in relation to legal claims, or where it is needed to protect your interests (and you are not capable of giving your consent) or where you have already made the information public.
In an HR context we would anticipate use of sensitive personal information in the following ways:
- using information about your physical or mental health or disability status to ensure that you are fit for work, to ensure your health and safety in the workplace, to manage sickness absence, to administer benefits, and to consider any potential reasonable adjustments and support you if you have any health concerns. All health related information is stored securely, is only accessible by those with a legitimate interest to view that data such as Occupational Health, HR and your line manager and, if being sent in electronic format must be password protected;
- information related to leaves of absence including sickness absence or family related leave, to comply with our legal obligations;
- provision of information related to health to appropriate third parties where there is a legal obligation or a legitimate interest in doing so for reasons of public health;
- we will also use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting; and
- we will use trade union membership information to pay trade union premiums and to comply with any relevant legal obligations.
Employees: Who the University shares data with
Your information may be shared internally, including with members of the HR and recruitment team, with the University’s Finance team which includes the Payroll and Pension’s Team, your line manager, managers and business support administrators in the business area in which you work, with relevant Durham University committees for the purpose of progression and staff support services staff if access to the data is reasonable for the purpose of your contract.
The University may share your data with third party agencies to satisfy any legal requirements or where there is a legitimate interest to do so (such as public health) including in respect of your right to work in the UK and, if applicable information on any criminal convictions and/or disclosure and barring.
The University may need to disclose the personal data of employees to organisations contracted to work on its behalf, which could include its pension providers, insurers or professional advisors such as lawyers or auditors. The University may also disclose data to funders of research and externally funded activities, research collaborators and selected individuals acting on behalf of the University such as alumni organising alumni events, external organisations undertaking market research or academic researchers provided no personal data is published. In certain circumstances the University passes the personal data of employee debtors to an external debt collection agency if the University has been unable to recover the debt by normal internal financial or HR processes.
Where considered legitimate and/or necessary the University may share data with the University's recognised trade unions.
The University may also seek an academic reference from third parties as part of the academic promotion process and will forward a copy of your standard proforma progression CV to referees.
The University has a statutory requirement to disclose employee personal data to the Office for Students (OfS) and the Higher Education Statistics Agency (HESA) and/or their nominees/successors. The University may also disclose personal data to OfS and its partner bodies during the Research Excellence Framework (REF).
The University may share your data with third party agencies to satisfy any legal requirements or where there is a legitimate interest to do so, such as public health. Data would be shared to allow the University to receive external advice on infection control to protect the university community, and to support the identification, modelling and management of local and national outbreaks of infectious disease. Data would only be shared with third parties where necessary and the processing would only identify individuals if required.
Further Information about Disclosures to HESA:
Every year, the University sends some staff employee data to HESA. The data is sent in coded form and employee names are not given. For each anonymous individual, a HESA record is created. The HESA employee record is used for:
The HESA record is used by the organisations listed below, or agents acting on their behalf, to carry out their public functions connected with education in the UK:
- Department for Business, Energy and Industrial Strategy
- Welsh Assembly Government
- Scottish Government
- Department for the Economy, HE Division
- Office for Students
- Higher Education Funding Council for Wales
- Scottish Further and Higher Education Funding Council
- Research Councils
- Department for Education
The HESA record may also be used by the Office for National Statistics and the National Audit Office to fulfil their statutory functions of measuring population levels and monitoring public expenditure.
HESA use the HESA record to produce anonymised data in annual statistical publications. These include some National Statistics publications and online management information services.
Research, equal opportunity, journalism, other legitimate interest/public function
HESA will also supply anonymised data to third parties for the following purposes:
- Equal opportunities monitoring – the HESA record may contain details of ethnic group and any disabilities. This data is only used where it is needed to promote or maintain equality of opportunity or treatment between persons of different racial or ethnic origins, religious beliefs or different states of physical or mental conditions.
- Research – this may be academic research, commercial research or other statistical research into education where this is of benefit to the public interest.
- Journalism – where the relevant publications would be in the public interest e.g. league tables.
Anonymised data for the above purposes is supplied by HESA to the following types of user:
- Local, regional and national government bodies who have an interest in higher education.
- Higher education sector bodies.
- Higher education institutions.
- Academic researchers and students.
- Commercial organisations (e.g. recruitment firms, housing providers, graduate employers).
- Non-governmental organisations and charities.
HESA will take precautions to ensure that individuals are not identified from the anonymised data which they process.
An individual has the right to a copy of the information HESA holds about them. Because the information HESA holds about individuals does not include names and is a copy of the information held by the University, individuals should contact the University if they wish to see the information. If individuals have any concerns about their information being used by HESA, please contact HESA directly by emailing email@example.com.
Further information about the HESA record is available from www.hesa.ac.uk/. Individuals who wish to opt out of any non-statutory purposes should request their HESA number from the University and then contact HESA directly.
NHS Research Passport
The NHS Research Passport initiative is a national scheme. It allows universities and relevant NHS trusts to share certain information about employees who hold contracts of employment that require them to engage in health-related research in the NHS. Where required, the University will issue a form to the relevant NHS trust to verify that a number of checks have been undertaken (which will allow the trust to issue a contract or letter of access to the employee):
- Disclosure and Barring Service clearance
- Occupational health clearance
- Identity (passport/birth certificate)
- Two references (from normal recruitment process)
- Permission to work in the UK
- Evidence of professional registration (if appropriate)
- Evidence of qualifications
- The University’s Human Resources webpages hold further information about the NHS Research Passport.
On occasion the University may engage with a third party provider to facilitate your contract of employment or to meet a legal requirement or where we have another legitimate interest in doing so.
Third party service providers includes (but is not limited to) our pension providers, benefit providers and any other relevant service which the University may procure to a third party provider such as auditing and legal services.
The University requires any third parties to respect the security of your data and to treat it in accordance with the law. All third party service providers are required to enter into a formal data-sharing agreement with the University and must demonstrate that they have appropriate security, safeguards and policies in place to process your data.
The University will require that any third party storing your data does so securely with access limited to staff who have a requirement to access the data for reasonable and legitimate purposes.
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the University in whole or in part. We may also need to share your personal information with a regulator or to otherwise comply with the law.
Employees: How the University protects data
The University takes the security of your data seriously. The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees legitimately in the performance of their duties or by third parties as outlined in this Privacy Statement.
Employees: How long personal data is held by the University
The University will only retain your data for as long as necessary to fulfil the purposes we collected it for which includes satisfying any legal, accounting or reporting requirements.
The University Records Retention Schedule (Section 20: Human Resources) outlines how long we will keep your data.
In some cases, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Employees: If you fail to provide personal data
You have obligations under your employment contract to provide the University with data. In particular, you are required to report absences from work and may be required to provide information about matters which could impact on your employment, for example criminal convictions. You may also have to provide the University with data so that you can use your statutory rights, for example to take maternity or paternity leave and failing to provide such data may mean that you are unable to exercise your statutory rights.
Some information, such as contact details, your right to work in the UK and payment details, must be provided to enable the University to enter a contract of employment with you. If you do not provide such information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently and, in some cases, we may not be able to continue employing you.
Employees: Visitors to our websites/webpages
When someone visits www.durham.ac.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. Durham University also make use of the Google Analytics service to understand how you navigate around our site.
Employees: Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit
Employees: Changes to this privacy notice
We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.
Employees: Further information
If you have any questions which you feel have not been covered by this Privacy Notice, please email us or write to:
Information Governance Unit, University Secretary’s Office, Durham University, Stockton Road, Durham DH1 3LE
Telephone: (0191 33) 46246 or 46103