Policy information

  • Responsibility of: Human Resources
  • Last revised: May 2018

1. Introduction

1.1 This notice is for all University of West London staff and explains the purpose for which UWL holds information about you¹ (i.e. your¹ personal data).

1.2 ‘Personal data’ means any of your information which identifies you or which can be linked with other data to identify you, such as a name, staff ID number, your photograph etc.

1.3 Your personal data may include “special categories of data” described under GDPR. Special categories of data include information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

1.4 This data privacy notice is in accordance with the General Data Protection Regulation (GDPR), in effect from 25th May 2018. The University of West London is registered with the Information Commissioner’s Office (ICO) for the purpose of Data Protection. The University’s Data Protection Policy can be found on our website. If you wish to obtain further information about the University's registration, it can be viewed at the Register of Data Controllers (University registration number: Z4666761). Further information can also be obtained from the Information Commissioner's Office.

1.5 The University may process data relating to criminal convictions if your employment requires a Disclosure and Barring Service Check. Particular safeguards will be put in place for the collection and processing of special categories of data and criminal convictions.

1.6 Staff personal data is kept in accordance with the University’s Data Protection Policy and is kept securely and used only for legitimate purposes in connection with your employment.

2. How is data collected?

2.1 The University collects your personal data from your application and from forms completed by you at the start of or during employment; from correspondence with you; or through interviews, meetings or other assessments. For example, data might be collected through CVs or resumes, or obtained from your passport or other identity documents such as your driving licence.

2.2 In some cases, the University also collects personal data from third parties, such as references supplied by former employers, information from employment background checks and from criminal records checks permitted by law. Please note that UWL seeks information from third parties with your consent.

3. Purpose of collecting and processing staff data

3.1 The University needs to collect, retain and process your personal data for reasons related to recruitment or your employment by the University.

3.2 The University collects and processes data for the following reasons:

  • run recruitment and promotion processes;
  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  • operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the University complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  • ensure effective general HR and business administration;
  • provide references on request for current or former employees;  
  • respond to and defend against legal claims;
  • maintain and promote equality in the workplace;
  • progress car parking and permit applications.

3.3 Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations such as those in relation to employees with disabilities. Moreover, UWL may also process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, which is done for the purposes of equal opportunities monitoring only and to provide anonymised statistical reports.

3.4 The University will routinely publish some sources of information about the University that include personal data. These may include staff work telephone/email directory, graduation programmes and audio-visual representations of graduation ceremonies, prospectuses, annual reports, newsletters and staff profiles on the University website.

4. Lawful basis for collecting and processing data

4.1 Under GDPR the University must have a lawful basis for collecting your data. The basis for collecting and processing most of your data is the performance of a contract, entering into a contract, and compliance with a legal obligation. For example, UWL needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer various entitlements. The provision of this data is part of the contract you form with the University when you accept an offer of employment.

4.2 In some cases, the University needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with Health and Safety laws and to enable employees to take periods of leave to which they are entitled.

4.3 The basis for collecting and processing your data is outlined in Appendix 1.

5. Disclosures to third parties

5.1 The University will disclose your data to third parties where this supports the administration of recruitment, your employment or where we are legally obliged to.  

5.2 The processing of some of this information may be undertaken on the University’s behalf by organisations contracted for that purpose. Such organisations will be bound by an obligation to process data in accordance with GDPR and any specific contractual obligations with the University. The minimum personal information necessary for fulfilling that contract will be passed to the third party for these purposes.  

5.3 In order to process your recruitment and employment effectively, the University deploys IT systems that may entail the transfer of data. Any such transfer will be covered by a specific contract that will include protection of personal data.  

5.4 Details where the University transfers personal data are contained in Appendix 2.  

6. Transfers to countries outside the European Union (EU)

6.1 On occasion, to achieve the purpose for which we are processing your personal data, we may need to share your personal data with other organisations based within the EU or, if outside the EU, in countries that have comparable levels of data protection.

6.2 When it is necessary to share your data with organisations outside the EU, we will ensure that there are appropriate safeguards in place.

7. How does the University store and protect data?

7.1 The University of West London takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.  

7.2 Data will be stored in a range of places, including in your personnel file, in the University's HR management systems, recruitment system and in other IT systems. Data will not be stored for any longer than is necessary and in line with GDPR.

8. Your rights

8.1 Under GDPR you have a right to request a copy of your personal data held by the University.  The University is required to fulfil this request within 20 working days.

8.2 You can:

  • access and obtain a copy of your data on request;
  • require the University to change incorrect or incomplete data;
  • require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • object to the processing of your data where the University is relying on its legitimate interests as the legal grounds for processing.

8.3 Any request for such a copy should be made in writing to the University Secretary.  

8.4 If you believe that the organisation has not complied with your data protection rights, you can contact the Information Commissioner.

9. Your responsibilities

9.1 You have a responsibility to keep your personal details accurate and up to date, which can be done through MyView, and you should notify the University of any changes.

9.2 Staff at the University may, during the course of their employment, have access to personal data about other individuals.  Staff are expected to treat any personal data relating to other people which may be accessed whilst at the University in a responsible and professional manner, in line with the University’s Data Protection Policy.  This responsibility is in addition to any obligations arising from professional ethics or codes of conduct.

9.3 Information obtained in the expectation of a duty of confidence should be treated confidentially and generally not disclosed without the data subject’s consent.

9.4 Staff have a responsibility to report any breaches of data protection immediately to the University Secretary and the Information Security Manager in accordance with the Data Breach Notification Process.

10. Additional notices and guidance policies

10.1 UWL Replay – UWL regularly makes audio recordings of lectures in which you may be involved. These recordings will be made in accordance with the University’s policy on Lecture Capture and it is assumed that you generally consent to being recorded; however, there is a right to opt out and request an edit of recordings.

10.2 Other policies and guidance documents such as the University’s Data Protection Policy, the Data Breach Notification Process, the CCTV Policy and policies relating to IT Security and Usage provide further useful information about the way in which the University processes your personal data. University policies can be found on the HR intranet and University's Policy and Regulations webpage.

10.3 You are also advised to refer to the collection notices on the HESA website for further details.

¹ References to “you” and “your” refer to staff engaged by the University of West London. For these purposes “staff” include hourly paid staff, hourly paid lecturers, LCM examiners, and contract and agency staff. This notice relates to information about you (staff) which will be collected and processed by UWL and passed to relevant organisations under GDPR as described.

Appendix 1: Staff data and basis for processing

Appendix 2: Disclosures to third parties

Appendix 3: Legal basis for processing your data under GDPR

GDPR is new law and it has not yet been applied to circumstances similar in context to our relationship with staff. The extent of lawful grounds for processing data has yet to be fully understood. Appendix 1 gives the University’s present view on the grounds for processing against each specified purpose. As legal views mature the University may change its views on its legal basis for processing.

(Article 6(1)(a)), Consent – on specific occasions the University will only process certain data if you consent e.g. in recruitment you only need to provide certain “special categories” of data if you agree to this.

(Article 6(1)(b)), necessary for the performance of your employment contract – on many occasions the University will process your data to enable it to meet its commitments to you.

(Article 6(1)(c)), necessary to comply with a legal obligation – the University does have legal obligations to provide your personal data to others e.g. HMRC and pension providers.

(Article 6(1)(d)), for the purpose of protecting the vital interest of yourself or another – sometimes in extreme circumstances the University will have to release information to protect your interests or the interests of others e.g. in medical emergencies.

(Article 6(1)(e)), processing necessary for the performance of a task carried out in the public interest – the University is an educational establishment and in particular its educational activity is conducted in the public interest.

(Article 6(1)(f)), processing is necessary for the purposes of the legitimate interest of the University or a third party, subject to overriding interests of the data subject – the University (and sometimes third parties) has a broad legitimate interest in activities that connect to the activities and education of students. Subject to those interests not being overridden by the interests or fundamental rights and freedoms of staff, it will pursue those interests. A good example of this legitimate interest would be the University’s Alumni activities or the use of CCTV to ensure that the campus is safe and secure.

(Article 22(2)(a)), automated decision making necessary for performance of a contract – the University may sometimes automate decisions relating to its contract with you i.e. application of the nationally agreed annual pay award.

(Article 9(1)(a)), processing “special categories” of data where you have given consent – the University will process certain sensitive information about you with your consent.

(Article 9(1)(g)), processing “special categories” of data where necessary for reasons of substantial public interest.

(Article 9(1)(f)), processing “special categories” of data in connection with legal claims.

It is recognised that some of the above grounds will overlap and that the University could rely on multiple grounds justifying its lawful processing. The University also reserves the right to rely upon other grounds that are not referred to under Appendix 1.