Staff Data Privacy Notice
How we manage your data
This section of the HR web pages provides information on how we use and store the personal data of our staff, people who apply for a job and some types of visitor. We are committed to being transparent about how we collect and use the data to meet our Data Protection obligations.
We are responsible for managing the personal data for the following groups:
- Job applicants
- Employees on a salaried contract
- Staff who work on a casual or claims basis
- Academic Visitors, Honorary Appointments and Emeritus Professors
- External Consultants who require access to University systems
- Former colleagues who are members of a University administered pension scheme
Further information and guidance on Data privacy and information security is available from the Academic Registry section of the University website. The University also has a published Records Retention Schedule which should be read in conjunction with the University's Data Protection policy.
1. What personal information do we hold about you?
We will keep a record of the details you provided on your application form (or equivalent), any supporting documents we request as part of the recruitment and selection process, additional details provided by any referees and records following any interview process.
1.1 Applicant Data
If you are successful, the information you give us will be transferred to your confidential staff record. If you are unsuccessful, we will retain the information for one year for reporting purposes. The information will be anonymised before it is included in any management report. You can instruct us to destroy your information at any time during the 12-month retention period by emailing us at HR@lboro.ac.uk
1.2 Staff Data
The range of information that we collect and process about you includes:
- Your name, address and contact details, including email address and telephone number, date of birth and gender
- The terms and conditions of your employment
- Details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and within the University
- Information about your salary, pay progression and awards, any entitlement to benefits such as pensions or insurance cover
- Details of your bank account and national insurance number
- Information about your marital status, next of kin, dependants and emergency contacts
- Information about your nationality and entitlement to work in the UK
- Details of periods of leave taken by you, including holiday*, sickness absence, family leave, special leave and study leave
- Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- Assessments of your performance, including PDR, performance rating, training you have participated in, performance improvement plans and related correspondence
- Information about medical or health conditions, including whether you have a health condition for which the University needs to make reasonable adjustments
*Holiday records are maintained within the School or Service.
We will maintain this information during the time you work with us. We will retain the records for a minimum of 6 years after you have left us, for statutory purposes. More detail of the Records Retention Schedule can be found on the Information Governance webpage.
1.3 Sensitive personal data
In addition to the information in Section 2.2, we may process some information about you that is sensitive personal data. This includes information concerning your ethnic origin, sexual orientation, religious beliefs and health conditions, to provide care, help or suitable adjustments.
For certain roles, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practise in certain regulated professions. The access and sharing of your sensitive personal data are controlled very carefully. You will normally be given further details about our use of any such data when we collect it from you.
We only collect sensitive personal data with your consent.
2. Why do we collect your information?
In most cases, your personal information is either necessary for the performance of our contractual obligations with you or necessary for compliance with a legal obligation - for example, to deduct income tax.
It may also be required so we can fulfil tasks required in the public interest - for example annual HESA reporting. For certain positions, it is necessary to carry out criminal record checks to ensure individuals are permitted to undertake the role in question.
We will process your personal information for a range of contractual, statutory or public interest purposes, including the following:
- Assess your suitability for a role or task including right to work checks
- Administer payroll, pension and other standard employment functions
- Ensure effective HR and business administration
- Deliver facilities, services and benefits to you and where appropriate, to monitor your use of those facilities in accordance with University policies - for example, the acceptable use of IT
- Operate security (including CCTV), governance, audit and quality assurance arrangements
- Communicate effectively with you by post, email and phone
- Support your training, safety and wellbeing requirements
- Enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us)
- Obtain Occupational Health advice to ensure we comply with our duties in relation to individuals with health conditions, meet our obligations under Health and Safety law and ensure you receive the pay or other benefits to which you are entitled
- Fulfil and monitor our responsibilities under equalities, immigration and public safety legislation
- Where relevant, to monitor, evaluate and support your research and enterprise activity
- In order to provide accurate information to potential funders when preparing and submitting funding applications
- Compile statistics and conduct surveys and research for internal and statutory reporting purposes
- There may be occasions when, to fulfil your role and support the University strategy, you will be required to share limited personal data with external professional organisations. You may choose to manage your subscription personally but if the School or Service is involved in submitting personal data on your behalf, you will be informed and able to review and amend the submission data accordingly.
- For monitoring and institutional reporting, for example for Athena SWAN, Race Equality Charter, Equal Pay reports.
If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time. We will not use your personal information to carry out any wholly automated decision-making that affects you.
3. Who has access to your data at the University?
People and Organisational Development, including Payroll and Pensions, have access to your personal data and are responsible for maintaining your personal file and your records on the HR system (we currently use iTrent).
Other colleagues, including your line manager and other managers in your School or Service, IT, Finance, Planning and Research, will have limited access to your records, as necessary, to perform their duties and business tasks.
4. Who do we share your data with outside the University?
We share your data with third parties to obtain pre-employment references from other employers, to undertake digital right to work checks and obtain necessary criminal records checks from the Disclosure and Barring Service.
Your personal information is shared as permitted or required by law, on a considered and confidential basis, with a range of external organisations, including the following:
- The external providers of any staff benefit or pension including Universities Superannuation Scheme (USS) and Local Government Pension Scheme (LGPS)
- Higher Education Statistics Agency (see HESA’s published statement about the uses made by them of your personal information).
- Prospective and actual research funders or sponsors. This may include providing personal information for a Research Passport.
- Collaborators involved in the development of funding applications with you
- University subsidiaries including LUEL
- Relevant Government Departments including Her Majesty’s Revenue and Customs (HMRC) and UK Visa and Immigration (UKVI)
- Any relevant simultaneous employers – for example an NHS Trust
- Certified providers of Identity document validation technologies (IDVT) for the purpose of completing right to work checks.
- If you agree, the relevant Trade Union
- On occasion and where necessary, the police and other law enforcement agencies
- On occasion and where necessary, auditors
Your data may also be shared, on a considered and confidential basis, with third party contractors of official University business, such as travel, parking or significant events like graduation.
We will provide references about you to external enquirers where you have requested or indicated that we should do so. An example would be to a bank for a mortgage reference. These are requested via Recruitment@lboro.ac.uk and you can request a copy for your records.
We will include your basic contact details in our internal online directory. Separately, Schools and Services may request you to provide other information for their webpages.
Except for the organisations listed above, we will not normally publish or disclose any personal information about you unless you have requested it, consented to it or it is an emergency.
5. How do we hold your data?
We hold your personal information securely in the HR system iTrent. We also maintain an HR file for other records during your employment. The University Occupational Health Service maintain their own records.
You can also view and update some of your personal data via MyHR, including contact and bank details.
Funding applications and associated information (including costing information) are held within the Costing Pricing and Award Management (CPAM) element of the Agresso system and in electronic format within the Research and Enterprise Offices.
6. What are my rights?
You have the following rights in Data Protection law. You can:
- Access and obtain a copy of your information on request. This is called a Data Subject Access Request. Information on how to make a DSAR can be found on the Information Governance webpages
- Require us to change incorrect or incomplete data
- Require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
- Object to the processing of your data where we rely on our legitimate interests as the legal ground for processing; and
- Ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether your interests override our legitimate grounds for processing data
7. What if you do not provide personal data?
Certain information such as contact details, your right to work in the UK and payment details, must be provided to enable us to enter into a contract of employment with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising out of the employment relationship.
You may also have to provide us with personal information to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
8. Who can I contact?
If you need further help with your personal information, please email HR@lboro.ac.uk and we will ask an appropriate colleague to help you with your enquiry.
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult the University’s Information Governance webpages at
9. How do I complain?
If you are not happy with the way your information is being handled, please email HR@lboro.ac.uk in the first instance or contact your HR support direct. The most appropriate HR colleague will endeavour to resolve your concerns.
If you are still not satisfied, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
10. Are changes made to this webpage?
This webpage was last updated in May 2018. It is reviewed when necessary and at least annually, with appropriate communications via the University website and your School or Service.
GDPR - Handling Staff Personal Data
These guidelines have been compiled to help you comply with your role in handling staff personal data. The General Data Protection Regulations which come into force on 25 May 2018 are stricter than the Data Protection Act 1998 and the penalties are significant if we breach the regulations. The guidelines apply to everyone but are most relevant to staff working in HR, plus administrators and managers who regularly view or deal with staff personal data. For the purposes of the GDPR, the University is a Data Controller for all the following categories of staff, who are defined in the regulations as a ‘data subject’:
- All job applicants
- All University employees on any form of salaried contract
- People who work for the University on a casual or claims basis
- Visitors or Contractors who require access to University systems and / or an ID card
- Former staff who are members of a University pension scheme
Personal data is anything which relates to and identifies a living individual.
Examples are name, current address, payroll number, photo, gender, age. Sensitive personal data is subject to another level of control in GDPR and is information about religious or other beliefs, political opinions, trade union membership, offences, sexual orientation, health. GDPR has three changes which all organisations must comply with:
- A requirement for greater transparency about how personal data is processed. This will result in, for example, more use of Privacy Notices
- All data breaches must be reported to the Information Commissioner’s Office within 72 hours
- A Data Subject Access Request must be completed within 30 calendar days and there is no charge. However, extensions are permitted if the request is difficult to comply with within these timescales.
All colleagues have a responsibility in enabling the University to comply with these timescales.
The Basics
Do:
- Be clear on why you are holding the personal data – is it for statutory purposes, necessary for the performance of the employment contract, for a legitimate business reason, vital for the protection of life or necessary to perform a public duty (the six reasons permitted in GDPR)?
- Ensure the personal data is stored securely and only appropriate colleagues can view and / or process in accordance with the Information Categories and Controls Policy
- Regularly review the personal data that you are holding and, where necessary, destroy it in accordance with the University’s Retention Schedule
- Review your emails regularly - it is good practice to delete emails older than 2 years which contain personal data unless you have a legitimate reason to retain the information for longer (refer to first bullet). If you want to retain the email, convert to a PDF document in a secure workspace with an appropriate filename including a destruction date for your future reference
- Ensure personal data is accurate, relevant and not excessive in relation to your needs
- Where possible keep hard copy personal data locked away and your desk clear
- Ask yourself the question – would I be comfortable with responding to a Data Subject Access Request (DSAR) with this personal data? If the answer is ‘no’, get rid of it immediately (although not if the information has already been requested as part of a DSAR)
Do not:
- Keep any personal data if you don’t have a legitimate reason to do so
- Keep personal data for longer than is necessary and beyond the Retention Schedule
- Store personal data in an open access area, either physical or electronic
- Retain a document to use as a template without removing the personal data first
- Use personal data held for one purpose for a different purpose without the written consent from the data subject. An example would be a completed job application form being used in a training event with personal data visible or sharing a CV with someone else because you think the applicant might be suitable for another position without the consent of the data subject
- Write anything in an email or letter about a colleague that you wouldn’t be comfortable saying or sharing with them directly
Reporting a breach
Do:
- Report immediately any accidental or deliberate release of personal information to your Data Coordinator or line manager and dp@lboro.ac.uk
Do not:
- Attempt to cover up or ignore a data breach – this may have serious consequences for you and the University. Often, a breach is likely to be the result of a system failure or a gap in knowledge and training provision. The University is more concerned with taking corrective action rather than allocating blame to individuals.
Getting rid of personal data
Do:
- Establish a procedure to ensure you use the office confidential waste bags or the office shredder to dispose of any document containing any personal data
- Regularly empty your Deleted Items, Junk Email and Recycle Bin – electronic personal data needs to be ‘put beyond use’
- Refuse requests from family or friends for information about an employee, unless prior written permission has been received from the individual OR the release of the personal data is vital for the protection of life
Do not:
- Archive personal data instead of destroying it - information that is archived is subject to the same data protection regulations as ‘live’ information. Only HR can archive staff personal data in accordance with their procedures
- Erase or alter data after you have received a Data Subject Access Request – you must comply with a DSAR from the University Data Protection Officer within the required timescale
Sending & Sharing
Do:
- Be clear on who you can share personal information with and the purpose of sharing. Check with your HR contact if you are not sure
- Please be very aware of sensitive personal information being shared over email and retain the information for only as long as you need it
- Where possible avoid sharing personal data outside of University corporate systems or premises. If you must do this, use encrypted removable media eg an encrypted USB pen drive
- Ensure that you have a contract (data processing agreement) in place when sharing personal data with a third party. Further advice on setting up a new or amending an existing contract can be obtained from Procurement.
- Send personal data (even if encrypted) via a secure remote access ie use your Lboro email not your personal email
Do not:
- Share sensitive personal information with a third party without understanding the basis for releasing the data OR obtaining the staff member’s consent
- Open email attachments from an unknown source
- Disclose any sensitive personal data over the telephone unless it is vital for the protection of life
- Disclose any personal data (including giving references) about an individual to an external organisation without first checking that the individual consents to such disclosure, or, in the case of the police, contacting the HR Director first
Passwords
Do:
- Use a strong password (see the IT advice)
- Prevent others seeing you enter passwords or viewing sensitive personal information
Do not:
- Share your passwords with anyone else or write them down
- Save passwords in web browsers if offered to do so
Security
Do:
- Log in using the secure University networks
- Log-off / lock your computer or device when leaving it unattended
- Avoid using your own device (computer, mobile phone) to view employee personal data
Do not:
- Log on to public Wi-Fi whilst working with employee personal data
- Store or download business data onto your personal devices unless first authorised by your manager
Processing and Saving Data
Do:
- Process and save personal data in accordance with your role – seek clarity from your line manager if you are unsure about this
- Save the personal data in accordance with your department’s access arrangements, so the relevant colleagues can continue to access it if you are not in work
Do not:
- Save personal data outside of University corporate systems
- Process personal data outside of agreed procedures
Working on-site
Do:
- Be aware of data security in relation to a visitor in your place of work
- Adopt a clear desk policy where practicable, particularly in relation to personal data
- Minimise your paper records; electronic data held, for example, in a secure workspace is always recommended
- Always use University corporate systems for data storage as there will be contracts in place to protect the University if data is lost. It also prevents data from being shared or stored outside of the EEA
Do not:
- Leave sensitive information unattended; lock it away in lockable drawers or log off or lock your work station
- Position screens where they can be read from outside the room. Invest in a privacy filter for your screen if you are concerned about others viewing your screen
- Assume that your main security threat is external