Data protection for staff

What is this document about?

This Statement explains to members of University staff how their personal data, including special category data, collected from them by the University, may be used, including some examples of how such data is processed.

Who is this for?

The statement is of primary interest to all staff (both past and present) whose data is processed by the University, and may be of general interest to the wider public.

How does the University check this is followed?

• Staff are made aware of the Statement in their employment contracts and induction paperwork
• Queries about the use of personal data from staff suggest that this Statement is known about and read
• Periodic information governance audits also check that the information in the statement is known about and understood

Who can you contact if you have any queries about this document?

All enquirers may contact the University’s Data Protection Officer, Samantha Hill, on 023 9284 3642 or Samantha.hill@port.ac.uk.

The University of Portsmouth processes data about you to administer your employment whilst at the University as a member of staff, and after you have left in order to provide references and to confirm your employment at the University, for example in relation to pension enquiries. If you have any questions about how the University processes your data, then the following contact information may be useful.

The University’s correspondence address is:

The University of Portsmouth
University House
Winston Churchill Avenue
Portsmouth
PO1 2UP

Main switchboard: 023 9284 8484

The University’s Data Protection Officer is:

Samantha Hill – Information Disclosure Manager
Email: Samantha.hill@port.ac.uk
Direct telephone number: 023 9284 3642

The University of Portsmouth processes your personal data, and your special category data, for a variety of purposes, involving all aspects of the administration of your employment (including once you leave the University), for statistical purposes and for the purposes of equal opportunities monitoring.

In order for the University to be able to process your data properly, it is your responsibility to inform us as soon as possible if data we hold about you is incorrect or requires updating. As a member of staff you are able to see a range of data about yourself on the Employee Self Service (ESS) part of the Human Resources (HR) system, including personal information, data relating to protected characteristics, emergency contact details, current job details, absences, bank details, pay history, HESA details and career development
details. You can change / update many of these items yourself and you are encouraged to do so on a regular basis. Where it is not possible for you to update your own details, staff in HR will be able to do it for you.

We collect the contact details of a person nominated by you as a contact for you if needed. You must notify that person that we are holding this data, which will only be used in an emergency. You must remember to update this information as and when necessary.

The University’s legal basis for processing the majority of your personal data is that the processing is necessary for the performance of the employment contract you enter into with the University.

The University is also under a legal obligation to process some data concerning you and to provide that data to third parties, for example, Her Majesty’s Revenue and Customs or the Health and Safety Executive.

The University may use your work contact details to keep you informed of initiatives such as opportunities for study or partake in research and for volunteering purposes. Some contact details will also be passed to the recognised trade unions in order for them to contact you. We believe that this processing is necessarily within the University’s legitimate interests.

If we process any special category data about you (such as, ethnicity, trade union membership, or health data), when requesting the data we will either:

• ask for your specific consent to process this data
• use the legal bases that the processing is necessary in the field of employment or for the purpose of the assessment of the working capacity of an employee
• consider whether it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health
• process the data to enable us to promote and maintain equality of opportunity or treatment between different groups of people

We require the data we ask you to provide at the start of your employment and failure to provide this data may cause you not to be, or not to continue to be, employed by the University of Portsmouth.

We retain your full employment record after the end of your employment, so that we can provide references or pension details when asked to do so. (After six years we will only retain sufficient data to confirm that you were employed by the University and for how long.)

If you have been employed in a post where you may / have been in contact with various hazardous substances, we may keep your record for longer than six years for health reasons. Further details of the situations where we might keep your data for longer than six years can be found at section 6 of the University’s Record Retention Schedule.

Only those members of staff within the University who need to have access to the data you provide when you begin your employment, and those who update information via the Staff Self-Service portal, to administer your employment, will have access to your data. Therefore, staff within HR and the Finance Department will have access to your data, as may some administrative staff within your Faculty / department / school, your Head of School or department as your line manager, and the Executive Dean of your Faculty. It may also be necessary for senior members of the University staff to have access to this data if a staff disciplinary case requires investigation or for due diligence purposes. If you disclose any special category data at any time during your employment, that data may be shared with specific departments, such as the University’s Occupational Health service, but this will only be done with your prior knowledge / consent.

It is not possible to list all of the bodies with whom we might have to share your personal data, but the following are examples of when the University will release data about you to third parties either where you ask us to, where we have a legitimate reason to use that data in connection with your employment here at the University or where the University is under a legal requirement to provide data:

• Data may be released to third parties such as HMRC, in relation to matters associated with your employment. We are required to pass data about you (in coded and anonymised form) to the Higher Education Statistics Agency (HESA) which then creates your HESA Staff Record. Some of this anonymised data will be passed to other statutory bodies involved with the funding of education, but it cannot be used in any way that could affect you personally. For further details of how your HESA Staff Record may be used by HESA please go to https://www.hesa.ac.uk/about/regulation/dataprotection/notices .

• Details of any reportable accidents are referred to the Health and Safety Executive (HSE). Data provided to the HSE will include the personal data of any individual involved in the accident.
• If you are referred to the University’s Occupational Health department, your data will be disclosed to staff working with that department, some of whom may be external professionals
• Your data will be used to produce anonymised statistic to show workforce trends
• Your data will be passed to Pension Funds administrators – Local Government Pensions Scheme or Teachers Pensions as appropriate, the NHS Pensions Agency and the NEST pension scheme
• We will release data to the police and other enforcement agencies in emergencies and where it is required by these agencies for the detection or prevention of crime

• Data may be released to the third party organisations that host University data. For example,:
  • the University’s staff card supplier, for use in the production of your staff card.
  • th

Although the University does store some data in the cloud via Google Apps for Education, the servers for the data are EU based.

Data supplied to the Staff Travel Management and Expenses Service may be stored on servers based outside of the EU but this processing is covered by standard contractual clauses. 

The data supplied to UPSU for the Totem card is stored securely on UPSU servers hosted by Amazon Web Servers, which utilise a global network of servers. For further details of this arrangement, please contact UPSU on hello@upsu.net.

You are entitled to request a copy of the data you provide to us in an electronic format so that you may pass that data to another body (the right to data portability), as well as to request a copy of the data we hold about you (a Subject Access Request).

You are also entitled to raise an objection to the processing where the processing of data we hold about you is likely to cause you damage or distress, and to request either the rectification of any incorrect data, the restriction of any further processing of your data or the erasure of your data (right to be forgotten).

You have the right to withdraw your consent for processing your personal data where we have originally asked for your consent. However, where we collect your personal data under another legal basis, it may not be possible for us to remove all of your personal data from our records if you request this.

If you require any further information on, or wish to object to, any of the uses to which we put your data, you should contact Samantha Hill, the University’s Data Protection Officer on 023 9284 3642 or Samantha.hill@port.ac.uk .

Finally, you have the right to complain about the processing of your data to the UK regulator, the Information Commissioner’s Office. For more information about this body and how to make a complaint, please see the ICO website.