Staff privacy notice

This statement explains how and why the University of Plymouth collects, uses and shares your personal data and your rights in relation to that data.

Our privacy statement explains what types of personal information will be gathered and how this information will be used. In this statement “University”, “us”, “our” and “we” means University of Plymouth and also includes the University’s subsidiary company University of Plymouth Services Limited.
The University is committed to protecting your personal and sensitive personal data, working in accordance with current data protection legislation. We are registered as a data controller with the Information Commissioner’s Office under registration number Z7546246 for the University of Plymouth and ZA779873 for University of Plymouth Services Ltd. The University will process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and this privacy notice is issued in accordance with the GDPR articles 13 and 14.
The Data Protection Officer
The University has appointed a Data Protection Officer who can be contacted at dpo@plymouth.ac.uk 
This privacy notice outlines how the University collects, processes and uses your information. This notice is applicable to all current employees and other colleagues who have a temporary or ongoing association with the University, including visiting faculty, honorary appointees and Emeritus Professors.

Why do we collect your data?

The University collects information in order to fulfil its obligations as an employer. There is always a lawful basis for processing of your information including, but not limited to, the performance of an employment contract and compliance with the University’s legal obligations, which are outlined below. Where information is not provided by employees, the actions below will not be able to be undertaken. The University will not process personal data for marketing purposes or transfer personal data outside of the EU framework and data is not subject to automated data processing. 
It is important that the information held about you is accurate and current. Please ensure you update your information through Employee Self Service when necessary.

What type of data do we collect?

The following are examples of personal data (not exhaustive) which may be collected, stored and used:
  • Personal contact details such as name, date of birth, title, addresses, telephone numbers, and personal email addresses
  • Marital status and dependants
  • Gender
  • Next of kin and nominated emergency contact information
  • National Insurance number, bank account details, payroll records and tax status information
  • Salary, annual leave, pension and benefits information
  • Copy of driving licence where your employment involves driving for the University
  • Recruitment information (including copies of right to work documentation, references and other information included in an application form, CV or cover letter or as part of the application process)
  • Employment records (including job titles, conflicts of interests, work history, working hours, training records and professional memberships)
  • Compensation history, including allowances and bonus payments
  • Records of any incidents or accidents you may have been involved with or witness to
  • Salary benchmarking and pay modelling
  • Personal development information (including PDR, training and progression)
  • Disciplinary, grievance, sickness absence and performance management information
  • Information relating to maternity, paternity, shared parental or adoption leave
  • CCTV footage and other information obtained through electronic means such as swipe/identity card records
  • Information about your use of our information and communications systems
  • Photographs
  • Passport and UKVI information
  • Information relating to Research Passports in order to facilitate research in the NHS
We may also collect, store and use the following types of special category personal data:
  • Information related to protected characteristics as defined within the Equality Act for monitoring and institutional reporting, for example, our Annual Equality Report, Equal Pay, Gender Pay Gap Report, Race Equality Charter and Athena Swan submissions
  • Trade union membership
  • Information about your health, including any medical condition, health and sickness records, and disability information
  • Information about criminal convictions and offences

When and how do we collect your data?

The University will collect your information in different ways prior to and during its relationship with you. These will include:
  • Information you provide directly to us such as through the application or recruitment process or during your period of employment. You will have read the Staff applicant privacy policy when you applied.
  • Information provided by other sources such as employment agencies, referees or former employers (some of which may be post-employment e.g. in relation to tax and/or pension).

How do we use your data?

The University requires this information to manage the employment relationship with staff and the obligations and responsibilities, which arise from this. For example, the University may use your information to:
  • recruit and select new and existing employees, temporary workers and consultants including matching to future vacancies;
  • carry out any necessary checks to ensure that staff have the right to work in the UK and are eligible to work with children, patients or other vulnerable individuals and have suitable references in relation to previous employment etc.
  • administer contracts of employment and other contractual arrangements related to temporary and casual workers, consultant and voluntary or honorary appointees;
  • maintain accurate information for current members of staff in the HR databases, including Employee Self Service;
  • pay staff and ensure they are receiving the pay or other benefits (including pensions and reimbursement of travel and subsistence expenses) to which they are entitled and that the necessary deductions are being made i.e. tax, student loans etc.
  • provide staff benefits and administer salary exchange arrangements i.e. childcare vouchers, cycle to work etc.
  • manage the health and wellbeing of staff through maintenance of emergency contact details, pre-employment medical details, health screening for relevant roles, information related to disability, incident records, Personal Emergency Evacuation Plans, personal risk assessments and staff survey monitoring etc.
  • record staff absence including sickness, parental leave, jury service etc. and maintain absence management procedures for effective workforce management and employee wellbeing i.e. fitness to work and reasonable adjustments;
  • record and monitor staff performance, training, development and career progression;
  • operate and keep a record of disciplinary, grievance and other employee relations processes including employment tribunals to report on internal performance metrics and identify patterns or concerns in specific areas;
  • report and monitor data relating to protected characteristics to inform and develop action plans that promote equality, diversity and inclusion at the recruitment stages and within the workplace;
  • process specific reports and returns and participate in general statistical surveys for Governmental or regulatory bodies such as relevant Pension Providers, HMRC, HESA or the Office for Students;
  • facilitate internal day to day communications relevant to your employment with the University and promotion of your work, details on the staff directory which also covers managing the security and car parking through photographic staff ID cards;
  • fulfil and monitor legal responsibilities and obligations, for example, within the Equality Act, immigration and health and safety legislation;
  • provide references on request for current and former employees;
  • provide relevant management information to support the University with its effective financial forecasting, workforce management and business planning;
  • support staff with making applications for research or other funding and regulatory approvals;
  • support teaching and learning and staff development with audio or video recording of lectures, presentations or training events;
  • manage joint contracts of employment / secondments which require information to be shared with the honorary / host employer (usually NHS partners for clinical academic appointments).

What is the lawful basis for processing personal data?

The University processes staff data for the above purposes under the following conditions: 
  • Where consent has been provided
  • In order for the University to fulfil its obligations under the contract of employment
  • Where the University needs to comply with a legal obligation (for example, the detection or prevention of crime and financial regulations or health and safety legislation)
  • Where it is necessary for the University’s legitimate interests (or those of a third party) and the interests and fundamental rights of the member of staff do not override those interests
  • To protect the vital interests of the member of staff or of another person (for example, in the case of a medical emergency)
  • In order to perform a task carried out in the public interest
The University will only process special category data with the member of staff’s explicit consent or under the following conditions:
  • For the purposes of the member of staff and/or the University carrying out its obligations in the field of employment providing appropriate safeguards are in place to protect the individual’s fundamental rights and interests;
  • For the establishment, exercise or defence of legal claims;
  • When it is needed to protect the member of staff or another person’s vital interests and the member of staff is not capable of giving your consent (for example, in an emergency);
  • For reasons of substantial public interest; or
  • Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
If your consent is required for any specific use of your personal data, it will be collected at the appropriate time.
Under the General Data Protection Regulation, individuals have a Right of Access, commonly referred to as a Subject Access Request (SAR). This allows you to request a copy of your own personal data that the University holds about you. Further information and how to request a SAR can be found at Your information rights.

Who internally has access to your data?

Information is held by Human Resources and is carefully controlled with access being granted only if it is needed for a legitimate business requirement i.e. related to one of the activities listed in the section on how we use your data. For example: 
  • For operational and business continuity purposes, your personal data may be shared with other relevant members of the University including Senior Managers 
  • Your personal data is also shared across relevant IT systems and databases to facilitate the management and delivery of University services, legal requirements, health and safety reports and equality reports
  • Finance have access to certain information they require for effective forecasting and to process BACS payments
  • Research and Innovation, Principal Investigators and University Peer Reviewers have access to certain information they require for the purposes of grant/project funding proposals 
  • Reporting Managers have access to certain information through Manager Self-Service to fulfil their obligations and manage your employment
  • Managers have access to certain information following incident reports in order to fully investigate those incidents and ensure appropriate control measures are in place
  • If your contract is a joint contract (e.g. with the NHS) or you are on secondment, then certain information will be shared with the host/ honorary employer in accordance with your contract.
We take your privacy and the security of your data seriously and requests for access to your data are only approved if there is a legitimate reason, which is covered by the relevant lawful basis. If your consent is required that would be collected in advance of your information being shared. 
Staff can access their personal details through Employee Self-Service.

Who do we share your data with outside of the University?

The University will disclose certain personal detail to external bodies for the legitimate interests of the University or of third parties as detailed below.
Disclosure to Details and legitimate grounds for processing data
UK Visas and Immigration To meet obligations as a sponsor licence holder.
Right to Work checks The use of a third party supplier to provide digital right to works checks.
Disclosure and Barring Service and First Advantage Group acting as an umbrella body on behalf of the University To ensure applicants’ suitability for particular positions of trust where clearance is required.
NHS employers To facilitate the management of joint Follett employment contracts and honorary contracts
Other Employers To facilitate the management of external secondment employment contractual arrangements
HESA (Higher Education Statistics Agency) 
From Oct 22 HESA merged with JISC* 		For statistical analysis purposes and for government agencies to carry out statistical functions. For more information on HESA’s privacy statements please visit https://www.hesa.ac.uk/about/website/privacy Or for specific information on the most up to date staff data collection for HESA visit the HR Community under H for HESA on the A to Z. 
*Any personal data processed by HESA as controller has now transferred to Jisc.  How data is handled can be found here: (https://www.hesa.ac.uk/about/regulation/data-protection/notices) 
REF (Research Excellence Framework) REF is the UK’s system for assessing the quality of research in UK higher education institutions. For more information on REF’s data privacy please visit: https://www.ref.ac.uk/
Other Statistical agencies and professional bodies For returns and benchmarking purposes e.g. DLA Piper and UCEA for salary surveys, DSC and MSC surveys etc.
Funding bodies e.g. OfS / ERDF, UKRI To support the requirement for statistical returns, funding applications, to demonstrate compliance within funding regulations or to review/identify equality of opportunity between groups/applications.
Relevant professional or statutory regulatory bodies e.g. General Medical Council, General Dental Council, Nursing and Midwifery Council, The Health and Care Professions Council. Relating to fitness to practice, safeguarding and other reporting activities relating to professional registration.
Advance HE To support our Athena Swan submission in relation to gender equality.
Stonewall To support our Stonewall submission in relation to LGBTQ+.
Mortgage companies and letting agencies For mortgage and letting verification purposes. Information will only be disclosed with written consent of the employee.
HM Revenue and Customs (HMRC) For the collection of income tax and national insurance contributions from employees.
Pension providers: Teachers’ Pension Scheme, Local Government Pension Scheme, NHS Pension Scheme, Universities’ Superannuation Scheme, Aviva, Legal and General, My Money Matters To allow provision of pensions by these providers.
UK government and other agencies e.g. Police, DWP, UKVI, FCO, Unions, ONS Relating to detection of crime, safeguarding national security, benefits, union membership, collection of tax or other payments, and government reporting activities.
UK Enforcement Organisations e.g. HSE, Home Office, Local Authority and Devon and Somerset Fire and Rescue Service Relating to investigation and enforcement of UK Health and Safety, Fire and other statutory legislation.
Third party software suppliers Where external computer systems are used, for example, the iTrent HR/Payroll system, there may be occasions where access is granted to ensure operational management. A formal agreement will be entered into by third parties and the University to protect employee data.
Occupational health service providers: Medigold, Sodexo, Care First (employee assistance programme) For specialist advice and support with regard to employees health in relation to their place of work and associated activities (inc Health Surveillance).
University of Plymouth subsidiaries To allow for processing of payments under consultancy clauses.
Audit companies To enable internal / external audit / investigation
Publicly available on website To enable effective communication certain information is included on the University website i.e. name, work contact details, biographies, committee membership etc.
Transfer of Undertakings Protection of Employment (TUPE) Where your employment has transferred to another employer, your details will be passed to your new employer under the TUPE regulations.
Office of the Independent Adjudicator for Higher Education (OIAHE) When a student complaint is escalated to the OIAHE, we are legally required to provide relevant information, which may include staff personal data (e.g., names, job titles, roles in decision making, and where necessary, sensitive data such as health information). This is to enable the OIAHE to review the complaint in line with the Higher Education Act 2004.

How long we keep your data

The University will only keep your personal data for as long as necessary to fulfil the purposes for which we collected it. Details of retention periods for the different aspects of your personal information are available via the University’s retention schedule.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

What rights do I have?

As a data subject you have a number of rights in relation to your personal data. You can:
  • access and obtain a copy of your data on request
  • require the University to amend incorrect or incomplete data
  • require the University to stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • object to the processing of your data where the University is relying on its legitimate interests as the legal ground for processing 
  • require us to erase your personal data
  • require us to restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal)
  • receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller.
Please note that the above rights are not absolute, and the University may be entitled to refuse requests where exceptions apply. 
If you wish to exercise any of these rights or if you have a complaint about the way you believe your data is being processed, in the first instance, please email: dpo@plymouth.ac.uk.
If you have a complaint and you remain dissatisfied with how your complaint has been dealt with you can take your complaint to the Information Commissioner’s Office (ICO) for a review. They can be contacted at icocasework@ico.org.uk.

Reminder of individual’s responsibility

Individuals also have a responsibility for the security of their data. Please remember the University will never ask you to share your password and nor should you share them with anyone else. University policy and guidance on information security can be found at https://www.plymouth.ac.uk/students-and-family/governance/information-governance/information-security

Changes to this notice

This privacy notice is reviewed annually or when required to ensure compliance with data protection legislation. If significant changes are made to this notice and the way we treat your personal information we will make this clear and may seek to communicate this directly to you

When leaving the University

Please see the Leavers privacy notice

Staff Privacy Notice PDF