How the University uses staff personal data (fair processing notice)
About this notice
This notice explains how the University of Bristol (the University) collects, uses, and shares the personal data of prospective, current and former employees, workers, self-employed contractors and consultants, voluntary workers, and honorary and associate staff (you/your). It also outlines your rights when it comes to how we handle your data.
Unless the University processes your personal data on behalf of another organisation for purposes that have been determined by that organisation, the University is a ‘data controller’ in relation to your personal data, and is registered as such with the Information Commissioner’s Office (ICO) (registration number Z6650067).
Personal data is processed for a variety of reasons (as set out below) and all such personal data will be collected and processed in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any subsequent relevant legislation.
In this notice:
- Personal data means any data which can identify you directly or indirectly (whether itself or when combined with other data), regardless of the format or media on which the data are stored. This includes data that can identify you when combined with other data that is held separately (pseudonymous data) but does not include data that has been manipulated so that you can no longer be identified from it (anonymous data).
- Processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.
Changes to this notice
The University may update this notice at any time, and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly for any changes. However, where any change affects your rights and interests, we will make sure we bring this to your attention and clearly explain what this means for you.
How we collect your personal data
Most of the personal data set out in this notice will have been provided by you during the application and recruitment process, or in the course of your working relationship with the University.
The University may sometimes collect personal data about you from third parties including:
- Your CV from any recruitment agencies that were authorised by you to approach the University regarding a position
- References from former employers, colleagues, or other relevant parties
- Information collected as a result of formal background checks, e.g. DBS checks
- Information requested from external sources to assist in the consideration of promotion to academic posts
- Information from government bodies or other official agencies, for example, in relation to visa and tax information
- Third party employers who provide staff on secondment to the University
- Other relevant information in the public domain
Types of personal data processed
Depending on your role, this notice sets out the types of personal data that the University may collect and process about you, including “special categories of personal data” which are particularly sensitive and require us to take additional steps to ensure their security and confidentiality. This includes (non-exhaustive list):
- Your name and contact details, and other personal details such as your date of birth, next of kin and emergency contacts;
- Your application and information provided as part of the application process – for example, references;
- Your University employee number;
- Immigration and right to work status information (for example, visa details, passport details);
- Details relating to your current employment or engagement at the University;
- Details of your schedule (days of work and working hours) and attendance and hours at work including time sheets for hourly paid staff;
- Details relating to any previous employment at the University;
- Details of your qualifications, skills, registrations, experience with previous employers (including references) and with the University;
- Information about your remuneration and tax status;
- Entitlement to benefits, including pensions;
- Correspondence and other information relating to access to staff support facilities and wellbeing services;
- Details of your bank account;
- Probation and initial service review objectives and plans and outcomes;
- Data relating to you which is generated as part of the day-to-day activities you carry out as part of your University role - for example, your attendance on campus in university buildings with Ucard access;
- Details of periods of leave taken by you, including holiday, sickness absence and other types of leave, and the reasons for the leave;
- Performance development review records;
- Your use of a University credit card (where applicable);
- Promotions and internal appointments information;
- Length of service information;
- Health and safety related incidents and reports related to you;
- Workforce planning and organisational structure data related to individuals, including you, and their roles;
- Details of any disciplinary or grievance procedures in which you have been involved;
- Details relating to any declarations made by you about outside work interests or conflicts of interest;
- Details relating to any gifts and hospitality you may have received in the performance of your role;
- General information relating to employee, worker or contractor and management queries and cases;
- Data captured by the University’s CCTV systems.
Special category data
We may collect, or you may choose to provide us with, special categories of personal data, such as information relating to your:
- Race or ethnicity
- Religious or similar beliefs
- Sex life or sexual orientation (whether or not indicated by your gender or gender identity)
- Physical and mental health: including details of sickness, medical conditions, disability status, occupational health reports, and reasonable adjustment requirements
- Criminal convictions or offences
- Trade union membership
We take additional steps and measures to ensure the security and confidentiality of these sensitive special categories of data.
Personal data provided by you about others
You may provide us with personal data about other individuals: for example, next of kin/emergency contact details and information about your family circumstances and dependents. You should notify the relevant person that you are providing their contact details to the University as your listed next of kin/emergency contact.
How the University uses personal data about you
Depending on your role, the University may process personal data (including special categories of personal data) about you for the following purposes:
- The administration of prospective, current and past employees, including self-employed, contract personnel, temporary staff or voluntary workers, and work overseas
- The recruitment and selection process
- Administration of non-University staff contracted to provide services on behalf of the University
- The administration of payroll services
- Planning and management of the University’s workload or business activity
- Occupational health service
- Administration of agents or other intermediaries
- Pensions administration
- Disciplinary matters, staff disputes, employment tribunals
- Staff training and development
- Ensuring staff are appropriately supported in their roles
- Vetting checks
- Assessing the University’s performance against equality objectives as set out by the Equality Act 2010
Lawful grounds for processing your personal data
We will only use your personal data when we are permitted to do so by law. Most commonly, we will use your personal data:
- To perform a contract the University has entered into with you, or take steps before entering into a contract with you at your request (for example, your employment contract or contract for services)
- To comply with the University’s legal obligations (for example, complying with employment and tax, immigration, health and safety and safeguarding laws, preventing and detecting crime, assisting the police and other authorities with their investigations)
- Where necessary for our legitimate interests or those of a third party, provided your interests and rights do not override those interests (for example, evaluating the suitability of a candidate for a role or defending employment claims brought by you)
- To protect your vital interests or those of another person (for example, where we know, or have reason to believe, that you or another person may suffer harm)
In circumstances where you have a choice as to whether we should process your personal data, we will ask you for your consent. The method used to obtain your consent will depend on the scope and context of the processing that we propose.
In relation to special categories of personal data and personal data relating to criminal convictions and offences, we may request your explicit consent unless a legal provision applies which allows us to process such personal data without doing so.
Sharing your personal data with third parties
Where the University has lawful grounds for doing so, the University may share your personal data with the following third parties:
- Higher Education Statistics Agency (HESA)
- UK Visas and Immigration
- HM Revenue and Customs (HMRC), overseas tax authorities and overseas social security departments
- Where staff are also employed by, contracted or seconded to, or perform duties for third parties including the NHS and other institutions, relevant information will be shared with the third party as required
- Pension schemes – including UBPAS, USS and others (as set out in the scheme rules)
- Office for Students
- Research sponsors, funders and partners
- Trade unions (for the provision of membership services)
- Potential employers (where a reference is requested)
- Department for Work and Pensions (DWP) as required by the Social Security Administration Act 1992
- Child Maintenance Service as required by the Child Support Information Regulations 2008
- Universities and Colleges Employers Association (UCEA)
- Bodies providing external awards (e.g. REF, TEF, Athena Swan, other teaching and research awards)
- Official auditors
- Insurance providers
- International tax advisories, international legal advisors and international payroll providers
- In the case of TUPE, the transferee organisation
- Supplier and service providers (such as JISC for staff surveys), and suppliers for recruitment activity (such as eSkill for pre-employment assessment tests)
When the University uses other organisations to handle personal data on its behalf (acting as data processors), it makes sure there is a written contract in place. This contract requires those organisations to follow data protection law and to keep your personal data secure.
Parents, family members, and guardians are considered to be third parties. Your personal data will not be shared with them unless you have given permission, or unless data protection law allows or requires the University to do so.
Please note that we may need to share your personal information with a regulator or to otherwise comply with the law, and the list above is not necessarily exhaustive.
Where your personal data are stored
Some of your personal data may be held in hard copy files stored in secure locations. Most personal data about you, including your personnel file, will be stored on servers within the UK or elsewhere within the European Economic Area (EEA). However, some personal data that the University processes about you may be accessed from, transferred to, or stored in, a country or territory outside of the EEA. The University will only transfer your personal data outside of the EEA:
- to a country or territory that is the subject of an adequacy decision confirming that it ensures an adequate level of protection for the rights and freedoms of data subjects.
- where the transfer is subject to one or more appropriate safeguards prescribed by law, including standard contractual clauses or the international data transfer agreement.
- in the case of a third party based in the United States of America, where such third party is certified under a relevant certification scheme approved by the UK Government.
- if the transfer is otherwise permitted by law, or necessary for the performance of a contract, or where you have given your explicit consent.
How the University keeps your personal data secure
The University has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in any unauthorised way, or altered or disclosed. In addition, the University limits access to your personal data to the persons and organisations, including those described above, who have a lawful and legitimate need to access it. For further information, visit the University’s Information Security page.
The University has also put in place procedures to deal with any suspected personal data security breach, and will notify you and any applicable regulator of a suspected breach where legally required to do so.
How long the University will retain your personal data
The University must only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, and to satisfy any legal, regulatory, accounting or reporting requirements.
Specified retention periods are captured in the University's Record Retention Schedule and applied to each category of personal data that we may process about you.
In setting these retention periods, the University has taken into account:
- the nature, sensitivity, and volume of the personal data
- the potential risk of harm to you arising from the University’s continued retention of the personal data
- the purposes for which the University may process your personal data
- whether the University is required to retain any personal data by law or in accordance with its legitimate interests
Human Resources keeps records about your employment or engagement. Most of these records are kept for six years after you leave the University or your engagement ends, and are then securely destroyed. Some basic details, such as your role and the dates you worked with us, are kept permanently.
In some cases, the University may anonymise your personal data so that you can no longer be identified from it, in which case the University may retain such data indefinitely.
If notice of a claim or Pre-Action or Early Conciliation correspondence is received, then we may retain and process relevant personal data to defend the claim for the duration of the proceedings. We may dispose of any personal data after the conclusion of the claim; however, please be aware that all litigation documents disclosed or evidence given may be a matter of public record.
Contact directory
Employees’ (and sometimes independent consultants’ and contractors’) contact details will be publicly available via the University Contact Directory. This will include name, job title, work address, email address, and telephone number. This information is classified as ‘public’ in the University’s data classification scheme. Some further information, such as CVs, photos and research interests, may also be made available on departmental/school websites and specialist directories such as Explore Bristol Research and Pure.
The information is made available on the basis of the University’s legitimate interest in ensuring that colleagues, students and, where applicable, members of the public, can contact our staff and to promote the University’s work.
Where there is good reason, members of staff may apply to the University Secretary to have their contact details removed from public view. This may be a temporary or permanent change, depending on the circumstances. If you wish to make such an application, please email: data-protection@bristol.ac.uk
The University will not release a blanket list of staff email addresses into the public domain to prevent a rise in spam emails received by staff, and other associated security risks.
Email for staff is provided by a third party. This requires the University to disclose some personal data (name and email address) to this third party, who will also have access to the contents of email and calendar accounts.
Staff using the service are also subject to the third party's terms of use and privacy policy, and are notified of these terms when issued with their account.
Staff email addresses are issued and used for communicating about University business. You may give further consent for your email address to be used for other purposes during your time here, e.g. joining a specific mailing list.
Mass emails are only sent in line with the University’s Mass Emailing Policy.
Your responsibilities
You must ensure that any personal data collected and processed by you in the course of performing your duties and obligations is held in accordance with the University’s Data Protection Policy. Any research involving the use of personal data should only be conducted following an ethical review. You are also subject to the University’s Information Security Policy.
Members of staff are able to notify the University of any changes to their contact details via MyERP. It is important the University has an accurate record of staff details in case there is a need to contact staff in emergency circumstances.
UCard
The UCard Privacy Policy sets out how personal data, and other information related to the UCard, is handled.
CCTV
The University operates CCTV around its properties for security and crime detection purposes. For further information, please see the University’s CCTV Code of Practice.
Your rights
You have a number of rights in relation to the processing of your personal data by the University:
- Access: You have the right to request access to, and to be provided with, a copy of the personal data held about you, together with certain information about the processing of such personal data, to check that the University is processing it lawfully and fairly.
- Correction: You have the right to request correction of any inaccurate or incomplete personal data held about you.
- Deletion: You have the right to request erasure of any personal data held about you where there is no good reason for the University to continue processing it, or where you have exercised your right to object to the processing of your personal data.
- Restriction: You have the right to request restriction of how the University processes your personal data; for example, to confirm its accuracy or the University’s reasons for holding it, or as an alternative to its erasure.
- Objection: You have the right to object to the University’s processing of any personal data which is based on the legitimate interests of the University or those of a third party, based on your particular circumstances. You also have the right to object to the University processing your personal data for direct marketing purposes.
- Portability: You have the right to receive, or request that the University transfers, a copy of your personal data in an electronic format where the basis of the University processing such personal data is your consent or the performance of a contract, and the information is processed by automated means.
- Complaints: You have the right to complain to the Information Commissioner’s Office (ICO) or any other EU supervisory authority in relation to how the University processes your personal data.
To exercise any of these rights, you must contact the University's Data Protection Officer at data-protection@bristol.ac.uk. The University may be entitled to refuse any request in certain circumstances, and, where this is the case, you will be notified accordingly.
If the University is using your personal data based on your consent, you can withdraw that consent at any time and you do not need to give a reason. If you do withdraw your consent, the University may not be able to provide some services to you, or those services may be affected.
You do not usually have to pay a fee to use your data protection rights. However, the University may charge a reasonable fee or refuse to comply with a request if it is clearly unfounded or excessive. If this is the case, you will be told.
To keep your personal data secure, the University may ask you to confirm your identity before dealing with any request about your personal data.
Questions or comments
If you have any questions or comments regarding this notice or you wish to exercise any of your rights (see above), you should contact our Data Protection Officer by email at data-protection@bristol.ac.uk.