Data protection for staff

What is this document about?

This Statement explains to members of University staff how their personal data, including special category data, collected from them by the University, may be used, including some examples of how such data is processed.

Who is this for?

The statement is of primary interest to all staff (both past and present) whose data is processed by the University, and may be of general interest to the wider public.

How does the University check this is followed?

• Staff are made aware of the Statement in their employment contracts and induction paperwork
• Queries about the use of personal data from staff suggest that this Statement is known about and read
• Periodic information governance audits also check that the information in the statement is known about and understood

Who can you contact if you have any queries about this document?

All enquirers may contact the University’s Data Protection Officer, Samantha Hill, on 023 9284 3642 or Samantha.hill@port.ac.uk.

The University of Portsmouth processes data about you to administer your employment whilst at the University as a member of staff, and after you have left in order to provide references and to confirm your employment at the University, for example in relation to pension enquiries. If you have any questions about how the University processes your data, then the following contact information may be useful.

The University’s correspondence address is:

The University of Portsmouth
University House
Winston Churchill Avenue
Portsmouth
PO1 2UP

Main switchboard: 023 9284 8484

The University’s Data Protection Officer is:

Samantha Hill – Information Disclosure Manager
Email: Samantha.hill@port.ac.uk
Direct telephone number: 023 9284 3642

‘Personal data’ is any information that relates to an individual (in this case, you, as a (former) member of staff) who can be identified either directly by that information or by a combination of that information and other identifiers, such as your name, staff ID number, job title.

‘Special Category data’ is information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, the processing of genetic or biometric data in order to identify an individual, data concerning heath or data concerning an individual’s sex life or sexual orientation. The University does not collect all of this data but will collect some for the purposes listed below.

‘Criminal offence data’ is any personal data relating to criminal convictions and offences.

We will collect your personal and special category data - and potentially criminal offence data - directly from you on employment, through the completion of staff surveys and possibly from third parties for example, when working with a recruitment agency, references from former employers, and in the case of health referrals.

The University of Portsmouth processes your personal data, and your special category data, for a variety of purposes, involving all aspects of the administration of your employment (as well as once you leave the University) including

• your welfare
• your use of University facilities
• for statistical purposes,
• for management and planning purposes, and
• for the purposes of equal opportunities monitoring.

The University will generally contact you to keep you informed of events relevant to your employment through All Staff emails but if you sign up to University initiatives, for example, the staff discount scheme, you will be contacted directly on either your University email address or any other email address you provide.

Your responsibilities - In order for the University to be able to process your data properly, it is your responsibility to inform us as soon as possible if data we hold about you is incorrect or requires updating. As a member of staff you are able to see a range of data about yourself on the Employee Self Service (ESS) part of the Human Resources (HR) system, including personal information, data relating to protected characteristics, emergency contact details, current job details, absences, bank details, pay history, HESA details and career development details. You can change / update many of these items yourself and you are encouraged to do so on a regular basis. Where it is not possible for you to update your own details, staff in HR will be able to do it for you once informed of the details that need to be changed.

We collect the contact details of a person nominated by you as a contact for you if needed. You must notify that person that we are holding this data, which will only be used in an emergency. You must remember to update this information as and when necessary.

The University’s legal basis for processing the majority of your personal data is that the processing is necessary for the performance of the employment contract you enter into with the University.

The University is also under a legal obligation to process some data concerning you and to provide that data to third parties, for example, Her Majesty’s Revenue and Customs or the Health and Safety Executive.

The University may use your work contact details to keep you informed of initiatives such as opportunities for study or partake in research and for volunteering purposes. Some contact details will also be passed to the recognised trade unions in order for them to contact you. We believe that this processing is necessarily within the University’s legitimate interests.

If we process any special category data about you (or criminal offence data), when requesting the data we will either:

• ask for your specific consent to process this data
• use the legal bases that the processing is necessary in the field of employment or for the purpose of the assessment of the working capacity of an employee
• consider whether it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health
• process the data to enable us to promote and maintain equality of opportunity or treatment between different groups of people

Under the Equality Act 2010, the University has a legal responsibility to make reasonable adjustments if you disclose a disability at any time during your employment. This data is defined as special category data and will be processed by Cordell Health Ltd, the third party contracted by the University to provide occupational health services to the University.

The data we request from you at the time of, or during your employment, is necessary to administer your work at the University. Any failure to provide the data may result in the termination of your employment.

Only those members of staff within the University who need to have access to the data you provide when you begin, and continue, your employment, and those who update information via the Staff Self-Service portal, to administer your employment, will routinely have access to your data. Therefore, staff within HR and the Finance Department will have access to the parts of your personal data that it is relevant for them to be able to access to carry out their work, as may some administrative staff within your Faculty / department / school, your Head of School or department as your line manager, and the Executive Dean of your Faculty or the Head of your Professional Service group. It may also be necessary for other staff to have access to this data in relation to other University processes, but this access will be contained to only those individuals who need the access and only for so long as is needed for them to carry out the work which requires the access.

It is not possible to list all of the bodies with whom we might have to share your personal data, but the following are examples of when the University will release data about you to third parties either where you ask us to, where we have a legitimate reason to use that data in connection with your employment here at the University or where the University is under a legal requirement to provide data:

• Data may be released to third parties such as HMRC, in relation to matters associated with your employment. We are required to pass data about you (in coded and anonymised form) to the Higher Education Statistics Agency (HESA) which then creates your HESA Staff Record. Some of this anonymised data will be passed to other statutory bodies involved with the funding of education, but it cannot be used in any way that could affect you personally. For further details of how your HESA Staff Record may be used by HESA please go to https://www.hesa.ac.uk/about/regulation/dataprotection/notices .

• Details of any reportable accidents are referred to the Health and Safety Executive (HSE). Data provided to the HSE will include the personal data of any individual involved in the accident, including witnesses.
• If you are referred to the University’s Occupational Health service, your data will be accessible by Cordell Health Ltd staff, and potentially other external professionals, as well as Corporate Health and Safety staff if appropriate.
• Your data will be used to produce anonymised statistic to show workforce trends.
• Your data will be passed to Pension Funds administrators – Local Government Pensions Scheme or Teachers Pensions as appropriate, the NHS Pensions Agency and the NEST pension scheme
• We will release data to the police and other enforcement agencies in emergencies and where it is required by these agencies for the detection or prevention of crime

• We will provide data on request to the police and other enforcement agencies in emergencies and where crime detection or prevention can be aided by its release, for example, responding to information requests from the UK Visas and Immigration Service (UKVI). The University has a duty of care to all of its members of staff and therefore, if the University has a justifiable concern about a staff member’s welfare, the University may pass that member of staff’s contact details and information about the concern to an appropriate third party, for example, the police or a mental health team, to safeguard that member of staff. The University may also contact the person you have nominated as your emergency contact / next of kin in this situation. The University also has a duty of care to the wider community and may pass a staff member’s contact details to the public health authorities if required.
• Data may be released to the third party organisations that host University data, but only that required for them to provide their function. For example:

⮚ the University’s staff card supplier, for use in the production of your staff card.

⮚ the University of Northumbria in order to provide out of hours IS/Library help

⮚ Google Apps for Education

⮚ the University’s car parking provider, Parking Eye

⮚ the University’s Staff Travel Management and Expenses Service provider, in order to book travel arrangements and to contact you to provide travel updates etc

All instances of data sharing / hosting are covered by contractual arrangements or an operational agreement with the party concerned.

• Data relating to staff joining and leaving the University will be passed to the branch secretary or representative of the trade unions recognised by the University in order that membership records can be maintained
• Data may be released to specific third parties in order to carry out research relevant to the staff population but this will only be done where necessary, and when covered by a data processor agreement.
• If your post requires a Disclosure and Barring Service (DBS) check, the personal data you provide to the University on the DBS application form will be submitted to the University’s DBS checking supplier (Due Diligence Checking), which will review the data and submit the application to the DBS. The results of the DBS check are reported back to the University, but the details are sent directly to you as the applicant.

The University has a staff discount portal with a third party, Sodexo but this will change within this academic year to Vivup (also known as SME HCI Ltd). The University will provide Vivup with staff email addresses to enable initial registration and marketing communications to be issued (from which individuals can opt-out if desired).

We will not, however, release data to any third person without there being a reason compatible with our work to do so, except where you ask us to. This means that we will not release data to banks, friends, relatives etc., without your prior agreement, unless in an emergency. If you wish us to provide data in nonemergency situations, you should provide us with written consent to release the data.

Although the University does store some data in the cloud via Google Apps for Education, where possible the data will be located in the UK. However, data may also be stored on servers within the EU.

Data supplied to the Staff Travel Management and Expenses Service may be stored on servers based outside of the EU but this processing is covered by standard contractual clauses.

We retain your full employment record after the end of your employment, so that we can provide references or pension details when asked to do so. (After six years we will only retain sufficient data to confirm that you were employed by the University and for how long.)

If you have been employed in a post where you may / have been in contact with various hazardous substances, we may keep your record for longer than six years for health reasons. Further details of the situations where we might keep your data for longer than six years can be found at section 6 of the University’s Record Retention Schedule.

You are entitled to request a copy of the data you provide to us in an electronic format so that you may pass that data to another body (the right to data portability), as well as to request a copy of the data we hold about you (a Subject Access Request).

You will not be subject to decisions based on automated data processing without your prior consent

You are also entitled to raise an objection to the processing where the processing of data we hold about you is likely to cause you damage or distress, and to request either the rectification of any incorrect data, the restriction of any further processing of your data or the erasure of your data (right to be forgotten).

You have the right to withdraw your consent for processing your personal data where we have originally asked for your consent. However, where we collect your personal data under another legal basis, it may not be possible for us to remove all of your personal data from our records if you request this.

If you require any further information on, or wish to object to, any of the uses to which we put your data, you should contact Samantha Hill, the University’s Data Protection Officer on 023 9284 3642 or Samantha.hill@port.ac.uk .

Finally, you have the right to complain about the processing of your data to the UK regulator, the Information Commissioner’s Office. For more information about this body and how to make a complaint, please see the ICO website.