XClose

Legal Services

Home
Menu

UCL Staff Privacy Notice

UCL Staff Privacy Notice. 21st May 2019, version 2.6

UCL ("we", "our", "us") are committed to protecting and respecting your privacy.
This privacy notice sets out how UCL processes your personal data in your capacity as a UCL staff member. For the purposes of this notice, UCL staff members include: prospective, current or past employees; contractors; consultants; workers; officers; volunteers; interns; agency workers; apprentices; honorary staff; affiliated academic staff members; and visiting staff members.
This notice applies to the personal data we collect from you and personal data which is passed to us by third parties. Please read the following carefully to understand how we process your personal data.
In addition to the information in this privacy notice, you may be given further information about the uses of your personal data in your capacity as a UCL staff member.
Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. We may also include information on updates to this notice in The Week@UCL and/or UCL Exchanges. 

What is personal data?

'Personal data' means any information which identifies you as an individual. It may include your name but it may also be other information such as your date of birth, nationality and gender which when combined identify you. This information may be collected in a variety of ways, including electronically, in paper form, by telephone or in person.   

UCL's data protection obligations

Under current data protection laws we are classed as a controller, which means we are legally responsible for the personal data we collect and hold about you. One of our responsibilities as a controller is to tell you about the different ways in which we use your personal data – what information we collect, our legal basis for doing so, why we collect it, where we collect it from and whether and with whom we will share it. We also need to tell you about your rights in relation to your personal data.

Personal data we collect about you

Types of personal data collected
UCL staff members (prospective)
We may collect and process the following information about you as part of considering you for a UCL staff member role.

First Name(s)
Last Name
Title
Other Name(s)
Preferred Forename
Your Address
Postcode
Telephone (Home)
Telephone (Work)
Telephone (Mobile)
Your personal email address
Details of your Secondary and/or Tertiary education
Professional qualifications
Statement in support of your application
Details within your submitted Curriculum Vitae (CV)
Details of your right to work in the UK and your immigration status (where applicable)
Data relating to you criminal convictions and offences, (where appropriate)
Information about your current employment and your employment history for the previous five (5) years including:
Name of Employer(s)
Address Line 1
Address Line 2
Town
County
Postcode
Job Title
Date From
Date To
Salary
Notice Required

In addition, we may contact your referees as provided in your application to confirm the employment information that you provide. 

As part of the application process you will also be asked to provide the following additional information: 

Disability type and severity
Your Ethnicity
Your Sex and Sexual Orientation
Your chosen Gender
Your Religious beliefs

You have the right to not provide this additional information to us in which case UCL will note to statutory bodies that you elected not to provide this information.

UCL staff members (actual)

In addition to the personal data we collect about you as part of considering you for a UCL staff member role (which will, where appropriate, continue to be processed by us whilst you are a UCL staff member), we will process further personal data about you in order to meet our responsibilities as an employer and to manage our relationship with you as a UCL staff member. This data may include the following information.

Sickness information including the reasons for the absence
Bank account details
Passport details
Visa details
Sick pay
Leave entitlement (including holidays, parental leave, maternity leave, paternity leave, adoption leave)
Parental pay (including statutory maternity pay)
Pensions data
Remuneration and benefits
Emergency contacts
Trade Union Membership
Occupational Health data
Information in relation to any complaints that you make
Data relating to performance and reviews
Data relating to any disciplinary or grievance proceedings in which you are involved
Data relating to your criminal convictions and offences, where appropriate
Other information relating specifically to your status as a UCL staff member

In accordance with our CCTV Policy https://www.ucl.ac.uk/estates/policies/2019/jan/cctv-policy we may also capture your image on CCTV whilst you are on UCL premises.

Special category personal data 

Some of the personal data we collect about you is classed as being within 'special categories of personal data' under current data protection laws, for example information relating to your ethnicity or any disability. Access to, and the sharing of, this information is controlled very carefully. You will be given more details about our use of any special category personal data when we collect it from you.  

Personal data relating to criminal convictions and offences
In certain circumstances, we may process data relating to your criminal convictions and offences. Access to, and the sharing of, this information is also controlled very carefully. Where we process criminal records data, we will inform you separately and provide you with further information.

Information that we recieve from third parties

We work closely with third parties (including, for example, your employment agency or employer (where relevant), recruitment agencies, headhunters, business partners and compliance services e.g. UKVI, Disclosure and Barring Service) and may receive information about you from them (including, in certain cases, special category personal data or criminal convictions data). In particular, we may receive any of the following information from third parties: CVs, details of your right to work in the UK and your immigration status (where applicable), DBS certificate number and other information in connection with your activities as a UCL staff member. 

Purposes for which we process your personal data and the legal basis for processing

Overall, we will use your personal data to manage your relationship with us as a UCL staff member.  The main purposes for which we process your personal data as a UCL staff member are set out in the table below. 

Data protection laws require us to meet certain conditions before we are allowed to use your personal data in the manner described in this notice, including having a "legal basis" for the processing. Where we process special category personal data or criminal convictions data, we are required to establish an additional legal basis for processing that data.

We take our responsibilities under data protection laws extremely seriously, including meeting these conditions. The main legal bases on which your personal data are processed for a particular purpose are also explained in the table below.

Purpose 

Legal Basis

To consider you for a UCL staff member role

We will use your personal information to:

  • Process your application for a position at UCL;
  • Assess your suitability for a particular role or task and to decide whether to engage you; and
  • Communicate with you about your application and the application process.

In some cases, the information processed will include special category personal data such as information on your ethnicity and disabilities.

The information processed may also include criminal convictions data. This is because certain positions will require a DBS check to be carried out as part of the assessment of suitability. You will be notified prior to the processing if this is a requirement of the role for which you have applied.

For all personal data

Compliance with a legal obligation

In this context we will often process personal data in order to comply with our legal obligations, e.g. equalities legislation and immigration law.

Performance of a task in the public interest

UCL will be processing personal data in its capacity as a public authority in connection with its core purposes of education, research and innovation. Please see our Statement of Tasks in the Public Interest for further information.

Performance of contract

The processing of your personal data may be necessary in relation to the contract we will enter into with you as a UCL staff member.

For special category personal data

Equality of opportunity or treatment

We process special category personal data in order to monitor equality of opportunity/treatment.

For criminal convictions data

Employment law obligations

We will only process criminal convictions information where this is necessary so that we can meet our obligations in the field of employment law.

 

To manage our relationship with you as a UCL staff member

We will use your personal information to:

  • Fulfil our obligations under our contract with you;
  • Carry out our obligations in relation to pay and salary review and other remuneration and benefits;
  • Provide and administer benefits (including pension, voluntary healthcare schemes, salary sacrifice schemes and others);
  • Support your training, health, safety and welfare requirements, including by making appropriate referrals to the Occupational Health Service and counselling services (where appropriate), and to make any necessary arrangements or adjustments to the workplace in the case of disability;
  • Undertake performance appraisals and reviews;
  • Undertake talent, performance and succession planning activities;
  • Carry out any necessary investigations in respect of, disciplinary matters or grievances in relation to you or another person;
  • Provide you with access to relevant systems to undertake your role and manage your use of facilities;
  • Communicate with you, e.g. in the form of e-newsletters and email bulletins, in order to keep you informed about important developments at UCL and events relevant to your role at UCL
  • Maintain sickness and other absence records;
  • Monitor compliance by you with UCL's policies and your other contractual and legal obligations. Please see UCL's Policy on Monitoring Computer and Network Use for further guidance on the monitoring that we may carry out;
  • Monitor your use of our networks to protect the security and integrity of UCL's IT network and information and electronic communications systems. Please see UCL's Policy on Monitoring Computer and Network Use for further guidance on the monitoring that we may carry out; and
  • Provide references and information to future employers.

We may process special category personal data e.g. data relating to health in order to make reasonable adjustments for disabilities and to provide relevant support to staff members with ill health.

For all personal data

Performance of contract

The processing of your personal data may be necessary in relation to the contract we have entered into with you as a UCL staff member.

Compliance with a legal obligation

In this context we will often process personal data in order to comply with our legal obligations, e.g. in respect of tax, sick pay or parental leave.

Performance of a task in the public interest

UCL will be processing personal data in its capacity as a public authority in connection with its core purposes of education, research and innovation. Please see our Statement of Tasks in the Public Interest for further information.

Vital interests

Your personal data may be processed by UCL and transferred to the emergency services where this is required to protect your vital interests.

Legitimate interests

There are circumstances in which we may rely on the legitimate interests of a third party when processing your personal data. In particular, if we provide a reference to a future employer on your behalf, we will generally rely on the legitimate interests of that employer.

For special category personal data

Employment law obligations

We may process certain special category personal data where this is necessary so that we can meet our obligations in the field of employment law.

Occupational health purposes

We may process special category personal data, in particular health information, in an occupational health context.

Counselling

We may process special category personal data, in particular health information, in order to provide you with counselling services.

Vital interests

Your special category personal data may be processed by UCL and transferred to the emergency services where this is required to protect your vital interests.

Legal claims

Your special category personal data may also be processed by UCL where this is necessary for the establishment, exercise or defence of legal claims.

Internal and statutory reporting, audit and other legal obligations, including compliance with health and safety law and monitoring equality of opportunity or treatment

We will use your personal information to:

  • Comply with our legal obligations, including our health and safety obligations and our obligations under freedom of information law;
  • Produce statistics and research for internal and statutory reporting purposes;
  • Manage our accounts and records; and
  • Monitor our compliance with our responsibilities under equalities legislation.

This may include the processing of special category personal data, e.g. information about disabilities or ethnicity, in addition to religious beliefs, sexual orientation and political opinions.

For all personal data

Compliance with a legal obligation

Much of our processing of your personal data in this context will be in order to comply with our legal obligations, e.g. health and safety legislation, freedom of information legislation and UK equal opportunities monitoring.

Performance of a task in the public interest

UCL will be processing personal data in its capacity as a public authority in connection with its core purposes of education, research and innovation. Please see our Statement of Tasks in the Public Interest for further information.

For special category personal data

Equality of opportunity or treatment

We process certain types of special category personal data in order to monitor equality of opportunity/treatment.

Employment law obligations

We may also process certain special category personal data where this is necessary so that we can meet our obligations in the field of employment law.

The provision of commercial services to third parties and the provision of healthcare services

We may, in certain circumstances, process your personal data in the following contexts:

  • Providing commercial services to third parties; or
  • Providing healthcare services for patients of NHS partner hospitals.

Legitimate interests

In these circumstances we may rely on UCL's legitimate interests when processing your personal data.

 

Identification and security, including information security

We will use images of you in order to issue you with a UCL staff ID card.

We will also process your personal data to managing our access control systems and for other security purposes, including in relation to information security and our IT systems and also via on-premises CCTV security cameras.

Legitimate interests

In these circumstances we will generally rely on UCL's legitimate interests in maintaining a secure environment for staff members and students when processing your personal data, and in protecting our IT systems.

 

Marketing/publicity purposes

We may take photographs or videos of you during your employment at UCL, including where you attend events such as graduation. These images will generally be used for UCL's marketing/publicity materials.

Your personal data may also be processed by UCL in a social media context, including where students are given permission to take over a particular UCL-operated social media account for a specific time period. For example, we may publish an interview with you or information about your work on our social media platforms, or share photographs or other images of you. This will generally be for UCL's marketing/publicity purposes.

Legitimate interests

When using your personal data for marketing or publicity purposes, we will generally rely on our legitimate interests in promoting UCL, including our courses, our activities and our overall aims and objectives.   


Please note that where the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and you do not provide us with the personal data required, UCL may not be able to process your application or enter into a contract of employment with you, as applicable.  
We do not generally process your personal data based on your consent (as we can usually rely on another legal basis). If we do process your personal information based on your consent, we will inform you of this before we start the processing and you will have the right to withdraw your consent at any time. See the "Your Rights" section below.
 

Third parties with whom we may share your personal data

Your personal data may be disclosed to other organisations as required by law e.g. provision of salary and tax data to HM Revenue & Customs, for crime prevention, investigation or detection purposes or in order to protect your vital interests.
Where necessary we may also share your information with:
•    family, associates and representatives of the person whose personal data we are processing
•    current, past or prospective employers
•    healthcare, social and welfare organisations
•    suppliers and service providers
•    financial organisations
•    auditors
•    police forces, security organisations
•    courts and tribunals
•    prison and probation services
•    legal representatives
•    local and central government
•    consultants and professional advisers
•    trade union and staff associations
•    survey and research organisations
•    press and the media
•    landlords
•    funders and sponsors
Some information about staff is also sent in coded and anonymised form to the Higher Education Statistics Agency (HESA). HESA’s Privacy Policy is available here: HESA website.
UCL publishes information about research staff via the Institutional Research Information Service (IRIS) in order to provide information on research activity at UCL. Further information about IRIS may be found here. 
We use the services of various external service providers to help us run our university efficiently, particularly in relation to our IT systems. Some of these services (such as email hosting and data backups) involve the service provider holding and using your personal data.  In each case where we share your information with one of our service providers, the service provider is required to keep it safe and secure. They are also not permitted to use your information for their own purposes.

Transfers outside the European Economic Area

We display staff members' UCL email addresses in the UCL online staff and student directory (subject to any opt outs). This directory is publically accessible to Internet users, including those in countries outside the European Economic Area (EEA). Please note that many countries outside the EEA do not have data protection legislation, or have different data protection or privacy regimes, and so may not always protect personal data to the same standard as within the EEA. If you are uncomfortable with your details appearing in the directory then you should use the opt out facility from the directory. The process for becoming ex-directory is available here: http://www.ucl.ac.uk/isd/how-to/ucl-directory/ucl-directory-ex-directory.
Your data may be transferred outside the European Economic Area (EEA). For example, where we use third party providers to deliver our services, such as externally hosted software or cloud providers, those providers may transfer personal data outside of the EEA. As stated above, the online staff and student directory is also accessible outside the EEA.
There are also many other circumstances in which we may transfer your personal data outside the EEA, e.g. where we use a third party cloud services provider based outside the EEA to store personal data.
Where we transfer your personal information across national boundaries to a third party, such as one of our service providers, we will protect your personal information by ensuring that those transfers are made in compliance with all relevant data protection laws. Generally, this means where we transfer your personal information to a third party that is located in a country which does not have adequate privacy protection, we will put in place a contract with the third party that includes the standard international data transfer contractual terms approved by the European Commission. For further information on the measures in place, please contact us using the details set out in the 'Who do I contact with questions?' section below. 

Principles

When processing your personal data, UCL is required by relevant data protection laws to comply with the following principles. 

Principle

Personal Data shall be:

Lawfulness, fairness and transparency

processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

accurate and, where necessary, kept up to date.

Storage limitation

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In accordance with the separate 'Accountability' principle under relevant data protection laws, UCL must also be able to demonstrate compliance with each of the above principles. 

Retention periods

Your personal data will be retained in accordance with UCL’s central Data Retention Schedule. 

Your rights

Subject to certain conditions, you have the following rights in relation to your personal data: 
Right 1: A right to access personal data held by us about you (please see section entitled "How can I access my personal information" below).
Right 2: A right to require us to rectify any inaccurate personal data held by us about you.
Right 3: A right to require us to erase personal data held by us about you.  This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below). 
Right 4: A right to restrict our processing of personal data held by us about you.  This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims.  
Right 5: A right to receive personal data which you have provided to us in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation.
Right 6: A right to object to our processing of personal data held by us about you.
Right 7: A right to withdraw your consent where we are relying on it to use your personal data. Note that a withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Right 8: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop. 
In certain circumstances, we may need to restrict your rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). 

Keeping personal data up-to-date

Data protection law requires us to take reasonable steps to ensure that any personal data we process is accurate and up-to-date. Employees are responsible for informing us of any changes to the personal data that they have supplied during the course of their employment. Basic personal details can be updated in MyView.

How can I access my personal data?

As noted above, you have the right to access information held about you. Details are set out in our Data Protection Policy. Your right of access can be exercised at any time by contacting us at data-protection@ucl.ac.uk or Data Protection Officer, UCL Gower Street, London WC1E 6BT. 

Automated processing

UCL does not use automated processing and decision making without manual intervention. 

Who regulates the use of my personal information?

UCL maintains a data protection registration with the Information Commissioner's Office, the independent authority which oversees compliance with the UK's data protection laws. Our registration number is Z6364106 and this registration sets out, in very general terms, the full range of purposes for which we use student, staff and all other personal data. Please see the Information Commissioner's Office website for details.

Who do I contact with questions?

If you have any questions about your personal data and UCL that are not answered by this privacy notice then please consult UCL's data protection web pages here, where further guidance and relevant UCL policy documentation can be found. 

If you need further assistance, please contact UCL's Data Protection Officer: data-protection@ucl.ac.uk or Data Protection Officer, UCL Gower Street, London WC1E 6BT. 

If we are unable to adequately address any concerns you may have about the way in which we use your data, you have the right to lodge a formal complaint with the data protection authority in your country or our main data protection regulator, the Information Commissioner's Office. Full details may be accessed on the complaints section of the Information Commissioner's Office website.