iTrent is the University’s HR and Payroll system and as such is used to securely hold both personal and business data. The University is committed to being transparent about how it collects and uses the data stored and to meeting its data protection obligations.
1) What information is stored on iTrent?
As the University’s HR and Payroll system, iTrent is used to collect and store a range of information about you. This includes:
your name, address and contact details, including email address and telephone number, date of birth and gender;
your position details
your bank details and pay related information
next of kin and emergency contact details;
details of your qualifications, skills, experience, training completed and employment history;
information about your remuneration, including benefit entitlements;
details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
whether or not you have a disability for which the University needs to make reasonable adjustments
assessments of your performance, including appraisals;
information about your eligibility to work in the UK; and
Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, disability and religion or belief.
The data held about you in iTrent may have been collected in a variety of ways. For example, data may have been entered by you via Employee Self-Service (ESS), your manager via Manager Self-Service (MSS) or it may have been entered centrally and have been collected from sources such as application forms, other internal systems such as the Student & Applicant Management Information System (SAMIS), employee relations cases or during other HR and Payroll processes.
The University may also collect personal data about you from third parties, such as references supplied by former employers, companies or organisations providing specific services to, or on behalf of, the University such as its Occupational Health service and information from criminal records checks permitted by law.
The University will seek information from third parties only in line with its legal responsibilities and data protection policies.
Data collected through iTrent may be used and stored in a range of different places, including in your personnel file and other HR (e.g. Stonefish e-recruitment system and the Tier 4 Booking System) and IT systems (including email).
2) Why does the University process personal data?
The University needs to process data to ensure its compliance with its legal contract with you, such as to ensure you are paid correctly.
In some cases, the University needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check and hold records that prove your ongoing eligibility to work both in the UK and within the role you carry out for the University.
The University has a legitimate interest in processing personal data held in iTrent which has been collected during your working life at the University. Processing the data held in iTrent allows the University to manage all of its HR and payroll processes which assures legal compliance, consistency and the best working experience for its employees and workers. The University may also need to process data held in iTrent to respond to and defend against legal claims.
The University may process information about whether or not you are disabled so it can make reasonable adjustments on your behalf. This is to carry out its obligations and exercise specific rights in relation to employment.
Where the University processes other special categories of data, such as information about ethnic origin, sexual orientation, disability or religion or belief, this is for equal opportunities monitoring purposes.
Where the University undertakes trend analysis (e.g. to understand sickness or turnover trends), your data will always be aggregated to ensure privacy. We undertake trend analysis for a range of reasons such as understanding average tenure, employee costs, sickness rates and job family changes. This type of analysis is undertaken against both legal and legitimate reasons to cover both statutory returns and to greater understand our workforce ensuring we have a high quality workforce in place both now and in the future.
The University will not use data held in iTrent for any purpose other than that detailed above.
3) Who has access to data?
The information collected and held in iTrent may be shared internally for the purposes mentioned above. This includes members of the HR team, your line manager (usually through MSS), department coordinators and members of senior management. Computing services staff also have security controlled access to your data which they require to complete their roles.
The University will not share your data with third parties unless we have clear data protection agreements with legal reasoning in place and we are in joint agreement that it is required to undertake one or more of the HR and Payroll process identified in Section 1.
Third party organisations who we may send your data to which is held in iTrent include:
- HESA – for legal statistical analysis.
Stonefish Software Ltd – to support the recruitment process.
UK Visas & Immigration (UKVI) in order to administer relevant recruitment checks and ongoing eligibility to work in the UK procedures.
Training providers e.g. HRD Bristol.
Where relevant and as required for some posts, NHS organisations or similar organisations (e.g. NHS Trusts or Local Education Training Boards).
Companies or organisations providing specific services to, or on behalf of, the University.
Your data may be transferred outside the European Economic Area (EEA) in order to meet our contractual obligations with you (e.g. to conduct reference checks). Such transfers are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.
4) How does the University protect data?
The University takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
Access to iTrent data is controlled using in-built system security controls. This means that your data can only be viewed and amended by you, your line manager and other internal contacts who need to process your data to undertake their roles. This may include and is limited to individuals who hold one or more of the following system roles:
Audit (View only)
Departmental / Faculty Coordinator
Each role is restricted so that each user can only see data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Further details about the University's security procedures in relation to HR-related data can be found in our Workforce Data Protection & Privacy Statement.
5) For how long does the University keep data?
For the majority of employees and workers, the University holds all iTrent records for the duration of your employment plus a further 7 years from the end date of your employment. The University, however, may have a legal obligation to hold your data for longer as set-out in the HR Data Retention Schedule.
Before you leave your employment at the University, the HR team will provide a limited set of information (your name, position, department, leaving reason (with some exclusions), joining and leaving date and contact details) on a confidential basis to the Department of Development & Alumni Relations (DDAR). This is so that you can become a member of the staff alumni of the University and continue to receive updates about the University. This data will then be managed in line with GDPR requirements under the DDAR Privacy Notice.
After the specified retention period following the end of your employment here, the University will no longer hold a record that you worked at the University and will not therefore be able to respond to requests for information that might be made in relation to your pension or eligibility to work evidence for example. Whilst the University endeavours to help both current and former employees and workers, your record will be removed completely at the end of the specified retention period to ensure that it complies with GDPR requirements that “data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”.
6) Your rights
As a data subject, you have a number of rights. You can:
view and update your data using ESS;
access and obtain a copy of your data on request;
require the University to change incorrect or incomplete data (where you cannot do so yourself using ESS);
require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
object to the processing of your data where the University is relying on its legitimate interests as the legal ground for processing.
You can update the majority of your HR-related data through ESS. It is expected that you will first use ESS to revise your own data before making a request to your relevant HR Operations Administrator under Section 6 above.
To make a subject access request, you should send the request to the Data Protection Officer, following the guidance.
If you believe that the University has not complied with your data protection rights, you can complain to the Information Commissioner.
7) What if you do not provide personal data?
The University requires your personal details for a variety of legal reasons as detailed above.
You have some obligations under your employment contract to provide the University with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the University with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights. Certain information, such as contact details, your eligibility to work in the UK and payment details, have to be provided to enable the University to enter into a contract of employment with you. If you do not provide other information, this will hinder the University's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
If, and restricted to cases where, by not providing personal data we are no longer able to comply with these legal obligations we may have to terminate your contract of employment.
8) Contact Details
University of Bath Address: University of Bath Claverton Down Bath BA2 7AY United Kingdom
Data Protection Officer: Mr David Jolly
Contact Details: +44 (0) 1225 386966, firstname.lastname@example.org
Address: Data Protection Team, Office of University Secretary, 4 West 3.3 and 3.5, University of Bath, Claverton Down, Bath, BA2 7AY, United Kingdom