Collection and use of employee personal data

The use of information that relates to people, i.e. personal data, which is collected or received and then used by the University, is governed by European and UK data protection laws, specifically:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“the GDPR”); and
  • The Data Protection Act 2018 (“the DPA”).

These data protection laws set out, through a series of principles, how organisations are expected to manage and safeguard personal data. In addition, the legislation provides a number of rights to individuals, so that they have a degree of control over their personal data, with access to rights of redress if it is found that their personal data has not been managed correctly. The University takes these obligations seriously.

One of the principles of data protection legislation is transparency, with one of the data protection rights being the right to be informed. This means that organisations that collect/receive personal data must clearly and fully inform the individuals concerned, in writing, normally when personal data is collected, how their personal data will be used. Organisations are expected to provide those details through a privacy notice.

A privacy notice should:

  • confirm the identity of the organisation that is responsible for making use of personal data in line with the data protection legislation, along with providing the contact details of who to approach with questions on how such data is managed;
  • set out how personal data will be used and the legal basis underpinning that use;
  • identify other organisations and/or individuals that personal data may be shared with (recipients);
  • note when personal data may be transferred to a country outwith the European Economic Area (“the EEA”) and what protections will be put in place to safeguard those data;
  • state how long personal data will be retained, or, where that is not possible, the criteria used to determine this;
  • summarise the rights available to individuals under data protection legislation and explain how those rights can be exercised;
  • advise on the right of complaint to the data protection regulator, i.e. the UK Information Commissioner's Office (“the ICO”);
  • note where there are any statutory or contractual obligations to provide an organisation with personal data; and
  • confirm where automatic decision-making takes place, including the provision of details of profiling and any consequences of such uses.

The purpose of this privacy notice is to inform employees as to: how their personal data will be used by the University and relevant third parties in the context of their employment and when their employment ends; the legal basis which underpins the use of personal data by the University or the transfer of personal data to others; what rights are available to individuals and how those rights can be exercised; and who to contact should there be any questions or issues of concern on how personal data are being used.

The statement aims to set a reasonable expectation amongst individuals as to how the University will use and manage their personal data during their time at the University and following their departure within the context of employment.