The University is subject to data protection legislation which regulates how organisations are allowed to use personal data. This notice is intended to meet the transparency requirements of the legislation and to ensure that all individuals in the categories above know how their data will be processed.

Under the legislation the University is the ‘data controller’. This means that the University is responsible for how it uses and processes your personal data and for complying with requests from you in relation to your personal data, where appropriate under the legislation.

We have set out below: where we obtain your information; the main purposes for which we will use your information; who it is shared with; if it is transferred internationally; and information relating to retention.

For each type of processing we are required to identify our ‘lawful basis for processing’. This is set out in Appendix 1.

Your personal data will be managed securely. Access will be restricted to only those staff or authorised agents who require it and on a ‘need to know’ basis. The University will employ any technical and organisational measures necessary to protect your data.

The University strives to ensure that your personal data is accurate and up-to-date. Staff also have a responsibility to update changes to their contact information via iTrent. In addition, you should advise the University of any inaccuracies in the personal data held about you.

The University will retain your personal data only for as long as is necessary for the purposes described. Details of how long the University retains staff information is set out in the relevant retention schedule available on the Records Management Intranet pages.

Please note that after you cease to work with the University, we will still require to hold your personal data for a period of time to satisfy statutory/legal obligations and/or to meet administrative requirements. Limited, anonymised information will also be retained to allow the University to perform statistical analyses.

You have the right to:

• find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request. We may make a charge for additional copies of the same information;
• ask us to correct inaccurate or incomplete data.
• withdraw consent to process your personal data at any time, if you were asked for and provided consent.

If you think we are acting unfairly or unlawfully you can:

• object to the way we are using your data;
• complain to the UK Information Commissioner’s Office.

Under certain conditions you also have the right to ask us to:

• restrict the use of your data e.g. if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns;
• erase your information or tell us to stop using it to make decisions about you;
• comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing;
• provide you with a portable electronic copy of data you’ve given us.

Please contact the Data Protection Officer if you wish to exercise/enquire about any of these rights.

Contact Details

Data Protection Officer University Square Luton, LU1 3JU United Kingdom
Email: DPO@beds.ac.uk

To find out more about data protection and your rights please see:

• The Information Commissioner’s Office website
• The University’s Data Protection webpages

We obtain personal data about you from a variety of sources:

• directly from you in your application (this includes references from individuals you have listed on your application);
• or throughout your time as an employee/engagement with the University, e.g. Annual Development Reviews and any updates you make;
• as a result of any University policies/procedures e.g. disciplinary/complaints; and
• from agencies from which we are legally-obliged to seek information (such as Disclosure and barring services, previous employers, in relation to data required for submissions to the Higher Education Statistics Agency, HESA).

When you become a member of staff we will create a central ‘personal file’ for you. This consists of the information provided in your application and other additional information added during the course of your employment. Other information may be held in different locations, depending on your engagement with other areas of the University or the business function of that area. Personal information may be held in electronic or hard copy format on various University systems relating to:

• personal and contact information (including emergency contacts);
• education records (including qualifications, skills and personal statements);
• evidence of your right to work in the UK;
• provision of, access to and use of IT systems and information;
• employment and training details;
• references;
• banking details;
• casework and attendance records;
• goods or services provided;
• visual images; audio-visual recordings
• occupational health, safety and wellbeing.

‘Special category’ and criminal conviction data, as defined in the legislation, is also processed where it is necessary and lawful for us to do so. In most cases for special category data you have the option whether or not to provide this information (or the option to choose ‘prefer not to say’). Special category data is subject to additional protections and refers to data revealing:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• physical or mental health;
• sexual life or sexual orientation;

Data relating to criminal convictions and offences is subject to strict processing requirements and is only processed when necessary and in accordance with the law. This data will be held for the minimum amount of time necessary.

The University collects, holds and uses a wide range of information about you for various reasons including:

• administrative and financial management purposes;
• academic and research purposes;
• performance management;
• to meet our duty of care to you;
• to meet our legal obligations;
• public safety and the prevention and detection of crime;
• archiving and research purposes;
• promotion of the University;
• ensuring health and safety (including monitoring);
• ensuring equality of opportunity;
• providing occupational health services;
• attendance/absence management (includes leave of any kind and medical information submitted, where appropriate);
• management and security of the campus/estate and facilities (including CCTV and access management);
• equal opportunities monitoring.

The University also has a legal duty of care to its staff, students and others affected by its undertaking. It is therefore necessary for the University to maintain a list of key staff or third party key contacts who the University (usually via Security Department) can contact in the event of (or in order to prevent) an emergency or significant loss or disruption affecting the safety or continued operation of the University.

Detailed information regarding the purposes for which we process your personal data and our legal basis for processing can be found in Appendix 1.

In some situations the University will share your personal data with external organisations. Often this is where we have a contractual agreement with an organisation to provide services to us, or we have a legal obligation to provide information e.g.: pension administrators/ providers; insurers; auditors; researchers; other organisations in the course of funding, accrediting or reviewing the quality of University activities.

In other cases, we may share data where it is in our legitimate interests to do so, in which case we will undertake an appropriate assessment to evaluate and reconcile the interests of the University with those of the data subjects.

Your information will be shared internally, including with members of the HR and recruitment teams (including payroll), your line manager, managers and administrative staff in the business area in which you work and staff in ICT and other professional services, if access to the data is necessary for performance of their roles.

The University shares your data with third parties in order to obtain pre-employment references from other employers and to obtain employment background checks from third-party providers. For certain roles, you will need to apply to Disclosure and Barring Services (DBS), this includes posts requiring clearance under the Safeguarding scheme. The University will countersign your form and will be notified of the outcome; in such cases, obtaining relevant clearance may be a condition of your continuing employment with the University. Relevant information will only be retained for as long as necessary for recruitment and administrative purposes.

The University also shares your data with third parties that process data on its behalf, in connection with payroll, the provision of benefits and the provision of occupational health services.

In addition to those listed above we also may share your data when requested by the following bodies:

• partner organisations involved in joint/collaborative course provision or where staff participate in teaching/administrative staff mobility or exchanges;
• relevant UK government departments, e.g. HMRC, Home Office UK Visas and Immigration;
• Higher Education Statistics Agency (HESA). For more information on what HESA does with your personal data see the HESA Staff Collection Notice.
• law enforcement agencies;
• relevant authorities dealing with emergency situations at the University;
• research funding bodies or bodies managing financial administration/monitoring of research funds, including research councils and EU funding bodies;
• professional, statutory and regulatory bodies e.g. UK Public Services
• Ombudsman, Office of UK Information Commissioner; Health & Safety Executive
• potential employers;
• Accreditation bodies,
• Collective organisations of which the University is a member, such as the Universities and Colleges Employers' Association (UCEA), and other agencies with which the sector collaborates for employer benchmarking purposes;
• any other authorised third party to whom the University has a legal/contractual obligation to share data with.

The University makes some information publicly available via its website to enable individuals, including students, potential students and research partners to identify individuals they wish to communicate with. Your name, department/section, job title, email address and telephone number will normally appear in the University’s staff and telephone directory. Staff may choose to provide an image of themselves to accompany their entry in the staff directory.

It is expected that staff, particularly those involved in learning, teaching and research, will provide information to be published on the website for academic/business purposes including academic qualifications and professional recognition, brief biography, professional/research interests, activities and outputs.

Certain activities, such as lectures, may be recorded or audio recorded to support online learning, or to implement recommended reasonable adjustments for staff or students with disabilities or additional requirements. If the University wishes to use images of staff etc. in its publicity material (where the individual is the focus of the image), consent will be obtained.

Some personal data may be transferred internationally for example:

• where the University is involved in collaborations/course provision with or for organisations and educational institutions overseas,
• where the University is involved in staff and student exchanges and academic partnerships;
• where the University works with overseas student recruitment agencies and partner institutions limited staff data may be transferred;
• information published on the University’s website is accessible internationally;
• the University may engage third parties to provide systems/services which are hosted
  outside the European Union;
• in emergency situations for international staff we may transfer data internationally where it is necessary to ensure your vital interests, e.g. contacting next of kin in medical emergencies.

Whenever we transfer data internationally we will make sure that appropriate safeguards are in place to protection your information and your rights to privacy.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the university to enter a contract of employment with you. If you do not provide the required information, this will hinder the university’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

Retention periods for staff records held and managed by Human Resources are as set out in the University’s retention schedule. Staff data held in other areas may be subject to different retention periods. If you have been given access to the Staff Intranet, the University’s retention schedules can be accessed from the Records Management pages. If you don’t have access to the Staff Intranet, please contact DPO@beds.ac.uk