Staff privacy notice
Published 1 September 2019
Kellogg College, part of the University of Oxford, is committed to protecting the privacy and security of your personal information (‘personal data’). This notice describes how and why we collect and process your personal information in accordance with the General Data Protection Regulation (GDPR) and related UK data protection legislation. If you have any queries about this notice please contact the College Administrator in the first instance at firstname.lastname@example.org.
This notice provides information about the use of personal information while you are a current or former employee, worker, consultant, officer, contractor, volunteer, intern, casual worker, agency worker, apprentice, affiliated lecturer or academic visitor at Kellogg College (the College). If you fall into one of these categories then you are a “data subject” for the purposes of this notice. As a member of staff (or equivalent) you also have certain legal and contractual responsibilities to protect the personal information of other people (e.g. other employees, students, research participants) by handling it appropriately.
This notice does not form part of any contract of employment or other contract to provide services.
2. What is 'personal information' (also known as personal data)?
‘Personal information’ means any information about you from which you can be identified from that information alone or taken together with other information. It does not include data where your identity has been removed and where you can no longer be identified (anonymised data). It is important that the personal information that we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
3. How does this notice relate to other information about data protection?
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you. By way of example only, this could be when you engage with College services such as the staff counselling or occupational health.
4. Who will process my personal information?
This notice explains how the College will hold and process your personal information. If you are employed simultaneously by another body, such as an NHS Trust, that organisation will provide you with its own statement setting out how it will use, share and disclose your personal information.
5. What personal information will be processed?
The College needs to collect, maintain, and use personal data relating to or about you. This includes:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- Date of birth
- Marital status and dependents
- Next of kin and emergency contact information
- National Insurance number
- Bank account details, payroll records and tax status information
- Salary, annual leave, pension and benefits information
- Start date
- Location of employment or workplace
- Copy of driving licence
- Copy of passport and where relevant visa and right to work documentation
- Recruitment information (including copies of right to work documentation, details of your experience, education and training, references and other information included in a CV or cover letter or as part of the application process, and/or confirmation that you have satisfied a Disclosure and Barring Service enquiry, if required for the role)
- Employment records (including job titles, work history, working hours, training records and professional memberships)
- Salary, benefits and compensation history
- Details about your role(s) in the College, including any information relating to your undertaking of such role(s) (for example copies of performance information including Performance and Development Reviews, sickness records)
- Disciplinary and grievance information
- CCTV footage and other information obtained through electronic means such as swipecard records
- Information about your use of our information and communications systems
- Information about your use of the academic and non-academic facilities and services that we offer
- A Register of Interests, covering all academic staff and any support staff, who have relevant interests to disclose. Where relevant, we may supplement these records with personal data from the public domain (e.g. your publications) or other sources
6. What constitutes “Special Category Data”?
The College may also process some information about you that is considered more sensitive and this is referred to as ‘special category’ personal data in the General Data Protection Regulation and Data Protection Act 2018. When we process this type of information we are required to apply additional protections. Special category personal data is defined as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic data, and biometric data which is processed to uniquely identify a person. In the UK this also includes any personal information relating to criminal convictions and offences.
7. What is the purpose of the processing under data protection law?
We will only use your personal information when the law allows us to do so by providing us with a legal basis or valid condition. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your vital interests (or someone else’s interests).
- Where it is needed in the public interest or for official purposes.
8. Examples of processing
Examples of the reasons or purposes for which the College will process your personal information, including, where appropriate, special category personal data, include the following:
- To assess your suitability for a particular role or task (including any relevant right to work checks) and deciding whether or not to employ or engage you
- Determining the terms on which you work for the College
- Checking that you are legally entitled to work in the UK
- Paying you, and, where applicable, making deductions as required by law
- Liaising with your pension provider
- Administering the contract that we have entered into with you, including where relevant, its termination
- Business management and planning including accounting and auditing
- Conducting performance reviews, managing performance and determining performance requirements
- Making decisions about salary reviews and benefits
- Assessing qualifications for a particular job, role or task, including decisions about
- Carrying out a disciplinary or grievance investigation or procedure in relation to you or someone else
- Making decisions about your continued employment or engagement
- Assessing education, training and development requirements
- Monitoring compliance by you and the College with our policies and contractual obligations
- Monitoring and protecting the security (including the College’s network, information and electronic communications systems) of the College, of you, our staff, students or other third parties
- Monitoring and protecting the health and safety of you, our staff, students or other third parties
- Ascertaining your fitness to work and managing sickness absence
- To support you in implementing any health-related adjustments to allow you to carry out a particular role or task
- Dealing with legal disputes involving you or other employees, workers and contractors, including accidents at work
- Preventing fraud
- Paying trade union subscriptions
- Conducting data analytics studies, for example, to review and better understand employee retention rates
- To provide a reference upon request from a third party
- To comply with employment law, immigration law, contract law, health and safety law and other laws which affect the College
- To operate security (including CCTV), governance, audit and quality assurance arrangements, including producing a staff identity card which also involves the collection and storage of a digital photograph
- To deliver facilities (e.g. IT, libraries), services and staff benefits to you, and where appropriate to monitor your use of those facilities in accordance with College policies (e.g. on the acceptable use of IT)
- To communicate effectively with you by post, email and phone, in the form of newsletters and bulletins with the intention of keeping you informed about important developments and events relevant to your role at the College. Where appropriate you will be given an opportunity to opt out of receiving these communications.
- To invite you to participate in staff surveys and to compile statistics and conduct research for internal and statutory reporting purposes
- If you are also a student at Kellogg College we may also use your staff data for student administration purposes
- To support your training, health, safety, and welfare requirements
- To fulfil and monitor our responsibilities under equalities, immigration and public safety legislation and to monitor the effectiveness of our equality and diversity practice
- To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us)
9. How we will use your Special Category personal information
We will only process special category personal information in certain situations in accordance with the law. For example, we can do so if we have your explicit consent and, in some circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You can withdraw your consent at any time. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
We do not need your consent to process special category personal data when we are processing it for the following purposes as these satisfy another legal condition:
- where we need to carry out our legal obligations
- where you have made the data public
- where it is necessary to protect your vital interests or those of another person and where you/they are physically or legally incapable of giving consent
- where processing is necessary for the establishment, exercise, or defence of legal claims
- where it is needed to assess your working capacity on health grounds
In particular, we will use your special category personal information in the following ways:
- your race, national or ethnic origin, religious, philosophical or moral beliefs or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting
- information relating to leaves of absence, which may include sickness absence or family related leaves to comply with employment and other laws
- information about your physical health or mental health or disability status to ensure your health and safety in the workplace and to assess your fitness to work, provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits
- information about your trade union membership to pay any subscriptions and to comply with our legal obligations in respect of trade union members
10. How we will process criminal convictions and offences information
- We will only process information relating to criminal convictions if it is appropriate given the nature of the role and where it is in accordance with the law. This will usually be where such processing is necessary to carry out our legal obligations.
- Less commonly, we may use information relating to criminal convictions where it is necessary for the establishment, exercise or defence of legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
11. What if I fail to provide personal information
We require you to provide us with any information we reasonably ask to achieve one or more of the purposes described above, for example to enable us to administer your contract or to comply with our legal obligations. If you fail to provide certain information when requested this will hinder our ability to administer your rights and obligations relating to your relationship with the College or we may be prevented from complying with our legal obligations.
12. Who will my personal information be shared with?
Your personal information is shared as permitted or required by law, on a considered and confidential basis, with a range of external organisations, including the following:
- The University of Oxford, of which Kellogg College is part, and through the University, other relevant third parties
- Higher Education Statistics Agency
- Prospective and actual research funders, sponsors, or donors
- The external service providers of the College, including payroll, benefits, rewards, occupational health, IT service providers and pension providers
- Insurance providers
- The College’s professional advisers
- Relevant Government Departments (e.g. Department for Education, Home Office, Foreign and Commonwealth Office, Department of Health), executive agencies or non-departmental public bodies (e.g. UK Visas and Immigration, HM Revenue and Customs, the Health and Safety Executive), and Higher Education bodies (e.g. Higher Education Funding Council for England, UK Research and Innovation) and for members of staff working overseas, the applicable and relevant government or regulatory agencies of the overseas countries
- Any relevant professional or statutory regulatory bodies
- Organisations of which the College is a member
- Any relevant simultaneous employers (e.g. NHS Trusts)
- If you are a member of a pension scheme we will share information with the administrators of that scheme
- The relevant trade unions
- The police and other law enforcement agencies
- Companies or organisations providing specific services to, or on behalf of, the College
- We will provide references about you to external enquirers or organisations where you have requested or indicated that we should do so
- We may include your basic contact details on our website
- Information about senior staff and certain other staff (e.g. appointments or committee memberships) is published by the College
- We may disclose your name if this appears in information to be disclosed in response to a Freedom of Information request
On occasion, the above types of sharing may involve the transfer of your personal information outside of the European Economic Area (e.g. to report to an overseas research funder). Such transfers usually are necessary in order to meet our contractual obligations with you, and are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.
In addition to the above, we may publish or disclose any personal information about you to external enquirers or organisations if you have requested it or consented to it, or if it is in your vital interests to do so (e.g. in an emergency situation).
13. How does the College protect personal information?
The College takes the security of your data seriously. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Your personal information is created, stored and transmitted securely both in paper format and in bespoke databases, such as the HR information system.
14. What are my rights in connection with my personal information?
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
If you would like to exercise any of these rights, you should contact the College Administrator in the first instance by emailing email@example.com. Alternatively, you can write to The College Administrator, Kellogg College, 62 Banbury Road, Oxford OX2 6PN, UK.
15. How long is my information kept?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the College we will retain and securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.
16. Who can I contact if I have any queries?
If you have any questions about how your personal information is used by the College as a whole, or wish to exercise any of your rights, please consult the College’s data protection webpages. If you need further assistance, please contact the College Administrator at firstname.lastname@example.org.
17. How do I complain?
If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
18. Are changes made to this notice?
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
This notice was last updated 1 September 2019.