1) Introduction

1.1) Purpose

The University is committed to being transparent about how it collects and uses your data, and to meeting its data protection obligations. This policy, together with the University’s UK GDPR Compliance Statement, sets out the University's commitment to data protection and your individual rights and obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, workers and former employees and workers, referred to as HR-related personal data.

1.2) Definitions

"Personal data" is any information that relates to you as an individual which identifies you from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data" means information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation and biometric data.

"Criminal records data" means information about your criminal convictions and offences, and information relating to criminal allegations and proceedings.

1.3) Data protection principles

The University processes your HR-related personal data in accordance with the following data protection principles:

  • The University processes personal data lawfully, fairly and in a transparent manner.

  • The University collects personal data only for specified, explicit and legitimate purposes.

  • The University processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.

  • The University keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.

  • The University keeps personal data only for the period necessary for processing.

The University adopts appropriate measures to make sure that your personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

The University will tell you the reasons for processing your personal data, how it uses your data and the legal basis for processing in its privacy notices. It will not process your personal data for other reasons.

Where the University processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment or immigration law, this is done in accordance with a policy on special categories of data and criminal records data.

The University will update your HR-related personal data promptly if you advise us that your information has changed or is inaccurate. You can update the majority of your HR-related data through the Employee Self Service (ESS).

Personal data gathered during your employment or period of work is held in your personnel file (in hard copy or electronic format, or both), and on HR, Payroll and IT systems. The periods for which the University holds your HR-related personal data are contained in its privacy notices to you.

The University keeps a record of its processing activities in respect of your HR-related personal data in accordance with the requirements of the General Data Protection Regulation (UK GDPR).

2) What information does the University collect?

The University collects and processes a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;

  • the terms and conditions of your employment;

  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;

  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover;

  • details of your bank account and national insurance number;

  • information about your next of kin, dependants and emergency contacts;

  • information about your nationality and eligibility to work in the UK;

  • information about your criminal record (where appropriate);

  • details of your schedule (days of work and working hours) and attendance at work;

  • details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;

  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;

  • assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;

  • information about medical or health conditions, including whether or not you have a disability for which the University needs to make reasonable adjustments;

  • details of trade union membership; and

  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, disability and religion or belief.

The University collects this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, the University collects personal data about you from third parties, such as references supplied by former employers, companies or organisations providing specific services to, or on behalf of, the University (such as its Occupational Health service), and information from criminal records checks permitted by law.

Data is stored in a range of different places, including in your personnel file, in the organisation's HR and Payroll systems and in other IT systems (including the University's email system).

3) Why does the University process personal data?

The University needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements.

In some cases, the University needs to process your data to ensure that it is complying with its legal obligations. For example, it is required to check your eligibility to work in the UK, to deduct tax, to comply with health and safety laws and to enable you to take periods of leave to which you are entitled. For certain positions, it is necessary to carry out criminal records checks to ensure that you are permitted to undertake the role in question.

In other cases, the University has a legitimate interest in processing your personal data before, during and after the end of your employment relationship. Processing your data allows the organisation to:

  • run recruitment and promotion processes;

  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of your contractual and statutory rights;

  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;

  • operate and keep a record of your performance and related processes, to plan for career development, and for succession planning and workforce management purposes;

  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that you are receiving the pay or other benefits to which you are entitled;

  • obtain occupational health advice, to ensure that it complies with duties in relation to disabilities, meet its obligations under health and safety law, and ensure that you are receiving the pay or other benefits to which you are entitled;

  • operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the University complies with duties in relation to leave entitlement, and to ensure that you are receiving the pay or other benefits to which you are entitled;

  • ensure effective general HR and business administration;

  • provide references on request for current or former employees;

  • respond to and defend against legal claims; and

  • maintain and promote equality in the workplace.

Where the University relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by your rights and freedoms and has concluded that they are not.

Some special categories of personal data, such as information about your health or medical conditions, are processed to carry out employment law obligations (such as those in relation to disabilities and for health and safety purposes). Information about trade union membership is processed to allow the University to operate check-off for union subscriptions.

Where the University processes other special categories of personal data, such as information about ethnic origin, sexual orientation, disability or religion or belief, this is done for the purposes of equal opportunities monitoring.

4) Your rights

As a data subject, you have a number of rights in relation to your personal data.

4.1) Subject access requests

You have the right to make a subject access request. If you make a subject access request, the University will tell you:

  • whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;

  • to whom your data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;

  • for how long your personal data is stored (or how that period is decided);

  • your rights to rectification or erasure of data, or to restrict or object to processing;

  • your right to complain to the Information Commissioner if you think the University has failed to comply with your data protection rights; and

  • whether or not the University carries out automated decision-making and the logic involved in any such decision-making.

The University will also provide you with a copy of your personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise. If you want additional copies, the University will charge a fee, which will be based on the administrative cost to the University of providing the additional copies.

You can obtain copies of information that we hold about you by submitting a subject access request to the Data Protection Team by emailing dataprotection-queries@lists.bath.ac.uk.

In some cases, the University may need to ask for proof of identification before the request can be processed. The University will inform you if it needs to verify your identity and the documents it requires.

The University will normally respond to your request within a period of one month from the date it is received. In some cases, such as where the University processes large amounts of your data, it may respond within three months of the date the request is received. The University will write to you within one month of receiving the original request to tell you if this is the case.

If a subject access request is manifestly unfounded or excessive, the University is not obliged to comply with it. Alternatively, the University can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the University has already responded. If you submit a request that is unfounded or excessive, the University will notify you that this is the case and whether or not it will respond to it.

4.2) Other rights

As a data subject, you have a number of rights in relation to your personal data. You can:

  • access and obtain a copy of your data on request;

  • require the University to change incorrect or incomplete data;

  • require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;

  • object to the processing of your data where the University is relying on its legitimate interests as the legal ground for processing; and

  • ask the University to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the University's legitimate grounds for processing data.

You can update the majority of your HR-related data through the Employee Self Service (ESS). It is expected that you will first use ESS to revise your own data before making a request to your relevant HR Operations Administrator under Section 4.2 above.

5) What if you do not provide personal data?

The University requires your personal details for a variety of legal reasons as detailed above.

You have some obligations under your employment contract to provide the University with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the University with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your eligibility to work in the UK and payment details, has to be provided to enable the University to enter into a contract of employment with you. If you do not provide other information, this will hinder the University's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

If, and only in cases where, your not providing personal data means we are no longer able to comply with these legal obligations, we may have to terminate your contract of employment.

6) Sharing data

The University will disclose personal information about you as permitted or required by law to a range of external organisations, including the following:

  • The external providers of any staff benefits or pensions.

  • Relevant Government Departments (e.g. Department for Education, Home Office, Foreign and Commonwealth Office, Department of Health), executive agencies or non-departmental public bodies (e.g. UK Visas & Immigration, HM Revenue and Customs, the Health and Safety Executive, the Disclosure & Barring Service), and Higher Education bodies (e.g. Higher Education Funding Council for England, UK Research and Innovation).

  • Higher Education Statistics Agency.

  • Prospective and actual research funders or sponsors.

  • Any relevant professional or statutory regulatory bodies (e.g. General Medical Council).

  • Any relevant simultaneous employers (e.g. NHS Trusts).

  • Relevant trade unions, if agreed.

  • Where necessary, the police and other law enforcement agencies.

  • Where necessary, auditors.

  • Where necessary, subsidiary companies of the University.

  • Companies or organisations providing specific services to, or on behalf of, the University.

  • External organisations where an employee or worker has requested or indicated that we can provide a reference for them.

Your information may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, other managers in the department/faculty/school in which you work (where appropriate) and Computing Services staff if access to the data is necessary for performance of their roles.

Your data may be transferred outside the European Economic Area (EEA) in order to meet our contractual obligations with you (e.g. to conduct reference checks). Such transfers are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.

7) For how long does the University keep data?

The University will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the HR Data Retention Schedule.

If you have left, or are thinking of leaving, the University, it is important to note that the University will only retain your data for the period set out in the HR Data Retention Schedule. It is therefore important that you take copies of your payslips and any other personal information that you may need using ESS prior to leaving, and obtain any other evidence of your employment within the specified retention period, as the University will not hold a record of your employment beyond this time.

8) Data security

The University takes the security of your HR-related personal data seriously. The University has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that your data is not accessed, except by employees in the proper performance of their duties.

You are required to follow the requirements of University policies for the proper use of data and data systems including the IT Acceptable Use Policy.

Where the University engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

8.2) Impact assessments

Some of the processing that the University carries out may result in risks to privacy. Where processing would result in a high risk to your rights and freedoms, the University will carry out a data protection impact assessment to determine the necessity and proportionality of processing.

This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

8.3) Data breaches

If the University discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The University will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

8.4) International data transfers

Your data may be transferred outside the European Economic Area (EEA) in order to meet our contractual obligations with you (e.g. to conduct reference checks). Such transfers are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.

9) Your responsibilities

You are responsible for helping the University keep your personal data up to date. You should let the University know if data provided to the University changes, for example if you move house or change your bank details.

You may have access to the personal data of other individuals (and of our students, clients and other stakeholders) where this data is required in order for you to carry out your role in the course of your employment or period of working. Where this is the case, the University relies on you to help meet its data protection obligations to staff (and to students, clients and other stakeholders).

If you have access to personal data, you are required:

  • to access only data that you have authority to access and only for authorised purposes;

  • not to disclose data except to individuals (whether inside or outside the University) who have appropriate authorisation;

  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);

  • not to remove personal data, or devices containing or that can be used to access personal data, from the University's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;

  • not to store personal data on local drives or on personal devices that are used for work purposes; and

  • to follow the requirements of University policies for the proper use of data and data systems including the IT Acceptable Use Policy.

Further details about the University's security procedures can be found in its Data Security Policy.

Failure to observe these requirements may amount to a disciplinary offence, which will be dealt with under the University's Disciplinary Policy (or under the University’s statutes, Statute 25 Part III, for academic and other identified staff). Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to summary dismissal (dismissal without notice).

10) Training

The University will provide training to all individuals about their data protection responsibilities through directed online training as part of the induction process and at regular intervals thereafter.

If your role requires regular access to personal data (whether staff, student or other), or you are responsible for implementing this policy or responding to subject access requests under this policy, you will receive additional training to help you understand your duties and how to comply with them.

11) Automated decision-making

Employment decisions are not based solely on automated decision-making.

12) Contact Details

The University has appointed Mr David Jolly as its Data Protection Officer. Their role is to inform and advise the University on its data protection obligations. They can be contacted using the contact details below. Questions about this statement, or requests for further information, should be directed to the Data Protection Officer.

  • Data Protection Officer: Mr David Jolly

  • Contact Details: +44 (0)1225 386966, d.j.jolly@bath.ac.uk

  • Address: Data Protection Team, 4 West 3.3, University of Bath, Claverton Down, Bath, BA2 7AY, United Kingdom
