XClose

Legal Services

Home
Menu

UCL Staff Privacy Notice

Version 2.7, published November 2021

About this privacy notice

University College London ("UCL", "we", "our", "us") are committed to protecting and respecting your privacy.

This privacy notice sets out how UCL processes your personal data in your capacity as a UCL staff member. For the purposes of this notice, UCL staff members include: prospective, current or past employees; contractors; consultants; workers; officers; volunteers; interns; agency workers; apprentices; honorary staff; affiliated academic staff members; and visiting staff members.

This notice applies to the personal data we collect from you and personal data which is passed to us by third parties. Please read the following carefully to understand how we process your personal data.

In addition to the information in this privacy notice, you may be given further information about the uses of your personal data in your capacity as a UCL staff member.

Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. We may also include information on updates to this notice in The Week@UCL and/or UCL Exchanges.

What is 'personal data'?

‘Personal data’ means any information which identifies you as an individual. It may include your name but it may also be other information such as your date of birth, nationality and gender which when combined identify you. This information may be collected in a variety of ways, including electronically, in paper form, by telephone or in person.

UCL's data protection obligations

Under current data protection laws we are classed as a controller, which means we are legally responsible for the personal data we collect and hold about you. One of our responsibilities as a controller is to tell you about the different ways in which we use your personal data – what information we collect, our legal basis for doing so, why we collect it, where we collect it from and whether and with whom we will share it. We also need to tell you about your rights in relation to your personal data.

Personal data we collect about you

Types of personal data collected

UCL staff members (prospective)

We may collect and process the following information about you as part of considering you for a UCL staff member role:

First Name(s) 
Last Name 
Title
Other Name(s) 
Preferred Forename 
Your Address 
Postcode 
Telephone (Home) 
Telephone (Work) 
Telephone (Mobile)
Your personal email address
Details of your Secondary and/or Tertiary education 
Professional qualifications
Statement in support of your application
Details within your submitted Curriculum Vitae (CV)
Details of your right to work in the UK and your immigration status (where applicable) 
Data relating to your criminal convictions and offences, where appropriate
Information about your current employment and your employment history for the previous five (5) years including:

  • Name of Employer(s) 
  • Address Line 1
  • Address Line 2 
  • Town
  • County 
  • Postcode
  • Job Title 
  • Date From 
  • Date To 
  • Salary
  • Notice Required

In addition, we may contact your referees as provided in your application to confirm the employment information that you provide.

As part of the application process you will also be asked to provide the following additional information: 

Disability type and severity
Your Ethnicity
Your Sex and Sexual Orientation 
Your chosen Gender
Your Religious beliefs

You have the right to not provide this additional information to us in which case UCL will note to statutory bodies that you elected not to provide this information.


UCL staff members (actual)

In addition to the personal data we collect about you as part of considering you for a UCL staff member role (which will, where appropriate, continue to be processed by us whilst you are a UCL staff member), we will process further personal data about you in order to meet our responsibilities as an employer and to manage our relationship with you as a UCL staff member. This data may include the following information:

Sickness information including the reasons for the absence 
Bank account details
Passport details 
Visa details 
Sick pay
Leave entitlement (including holidays, parental leave, maternity leave, paternity leave, adoption leave) 
Parental pay (including statutory maternity pay)
Pensions data 
Remuneration and benefits 
Emergency contacts
Trade Union Membership 
Occupational Health data (including data collected as part of our management of the Covid-19 outbreak)
Information in relation to any complaints that you make 
Data relating to performance and reviews
Data relating to any disciplinary or grievance proceedings in which you are involved 
Data relating to your criminal convictions and offences, where appropriate
Other information relating specifically to your status as a UCL staff member

In accordance with our CCTV Policy we may also capture your image on CCTV whilst you are on UCL premises.

Special category personal data

Some of the personal data we collect about you is classed as being within 'special categories of personal data' under current data protection laws, for example information relating to your ethnicity or any disability. Access to, and the sharing of, this information is controlled very carefully. You will be given more details about our use of any special category personal data when we collect it from you.

Personal data relating to criminal convictions and offences

In certain circumstances, we may process data relating to your criminal convictions and offences. Access to, and the sharing of, this information is also controlled very carefully. Where we process criminal records data, we will inform you separately and provide you with further information.

Information that we receive from third parties

We work closely with third parties (including, for example, your employment agency or employer (where relevant), recruitment agencies, headhunters, business partners and compliance services e.g. UKVI, Disclosure and Barring Service) and may receive information about you from them (including, in certain cases, special category personal data or criminal convictions data). In particular, we may receive any of the following information from third parties: CVs, details of your right to work in the UK and your immigration status (where applicable), DBS certificate number and other information in connection with your activities as a UCL staff member.

Purposes for which we process your personal data and the legal bases for processing

Overall, we will use your personal data to manage your relationship with us as a UCL staff member. The main purposes for which we process your personal data as a UCL staff member are set out in the table below.

Data protection laws require us to meet certain conditions before we are allowed to use your personal data in the manner described in this notice, including having a "legal basis" for the processing. Where we process special category personal data or criminal convictions data, we are required to establish an additional legal basis for processing that data.

We take our responsibilities under data protection laws extremely seriously, including meeting these conditions. The main legal bases on which your personal data are processed for a particular purpose are also explained in the table below.

PurposeLegal Basis

To consider you for a UCL staff member role

We will use your personal information to:

  • Process your application for a position at UCL;
  • Assess your suitability for a particular role or task and to decide whether to engage you;
  • Communicate with you about your application and the application process; and
  • Check you are legally entitled to work in the UK

In some cases, the information processed will include special category personal data such as information on your ethnicity and disabilities.

The information processed may also include criminal convictions data. This is because certain positions will require a DBS check to be carried out as part of the assessment of suitability. You will be notified prior to the processing if this is a requirement of the role for which you have applied.

For all personal data

Compliance with a legal obligation

In this context we will often process personal data in order to comply with our legal obligations, e.g. equalities legislation and immigration law.

Performance of a task in the public interest

UCL will be processing personal data in its capacity as a public authority in connection with its core purposes of education, research and innovation. Please see our Statement of Tasks in the Public Interest for further information.

Performance of contract

The processing of your personal data may be necessary in relation to the contract we will enter into with you as a UCL staff member.

For special category personal data

Equality of opportunity or treatment

We process special category personal data in order to monitor equality of opportunity/treatment.

For criminal convictions data

Employment law obligations

We will only process criminal convictions information where this is necessary so that we can meet our obligations in the field of employment law.

To manage our relationship with you as a UCL staff member

We will use your personal information to:

  • Fulfil our obligations under our contract with you;
  • Carry out our obligations in relation to pay and salary review and other remuneration and benefits;
  • Provide and administer benefits (including pension, voluntary healthcare schemes, salary sacrifice schemes and others);
  • Support your training, health, safety and welfare requirements, including by making appropriate referrals to the Occupational Health Service and counselling services (where appropriate), and to make any necessary arrangements or adjustments to the workplace in the case of disability;
  • Undertake performance appraisals and reviews;
  • Undertake talent, performance and succession planning activities;
  • Carry out any necessary investigations in respect of, disciplinary matters or grievances in relation to you or another person;
  • Provide you with access to relevant systems to undertake your role and manage your use of facilities;
  • Communicate with you, e.g. in the form of e- newsletters and email bulletins, in order to keep you informed about important developments at UCL and events relevant to your role at UCL;
  • Maintain sickness and other absence records;
  • Monitor compliance by you with UCL's policies and your other contractual and legal obligations. Please see UCL's Policy on Monitoring Computer and Network Use for further guidance on the monitoring that we may carry out;
  • Monitor your use of our networks to protect the security and integrity of UCL's IT network and information and electronic communications systems. Please see UCL's Policy on Monitoring Computer and Network Use for further guidance on the monitoring that we may carry out; and
  • Provide references and information to future employers.

We may process special category personal data e.g. data relating to health in order to make reasonable adjustments for disabilities and to provide relevant support to staff members with ill health.

For all personal data

Performance of contract

The processing of your personal data may be necessary in relation to the contract we have entered into with you as a UCL staff member.

Compliance with a legal obligation

In this context we will often process personal data in order to comply with our legal obligations, e.g. in respect of tax, sick pay or parental leave.

Performance of a task in the public interest

UCL will be processing personal data in its capacity as a public authority in connection with its core purposes of education, research and innovation. Please see our Statement of Tasks in the Public Interest for further information.

Vital interests

Your personal data may be processed by UCL and transferred to the emergency services where this is required to protect your vital interests.

Legitimate interests

There are circumstances in which we may rely on the legitimate interests of a third party when processing your personal data. In particular, if we provide a reference to a future employer on your behalf, we will generally rely on the legitimate interests of that employer.

For special category personal data

Employment law obligations

We may process certain special category personal data where this is necessary so that we can meet our obligations in the field of employment law.

Occupational health purposes

We may process special category personal data, in particular health information, in an occupational health context.

Counselling

We may process special category personal data, in particular health information, in order to provide you with counselling services.

Vital interests

Your special category personal data may be processed by UCL and transferred to the emergency services where this is required to protect your vital interests.

Legal claims

Your special category personal data may also be processed by UCL where this is necessary for the establishment, exercise or defence of legal claims.

Internal and statutory reporting, audit and other legal obligations, including compliance with health and safety law and monitoring equality of opportunity or treatment

We will use your personal information to:

  • Comply with our legal obligations, including our health and safety obligations and our obligations under freedom of information law;
  • Produce statistics and research for internal and statutory reporting purposes;
  • Manage our accounts and records; and
  • Monitor our compliance with our responsibilities under equalities legislation.

This may include the processing of special category personal data, e.g. information about disabilities or ethnicity, in addition to religious beliefs, sexual orientation and political opinions.

For all personal data

Compliance with a legal obligation

Much of our processing of your personal data in this context will be in order to comply with our legal obligations, e.g. health and safety legislation, freedom of information legislation and UK equal opportunities monitoring.

Performance of a task in the public interest

UCL will be processing personal data in its capacity as a public authority in connection with its core purposes of education, research and innovation. Please see our Statement of Tasks in the Public Interest for further information.

For special category personal data

Equality of opportunity or treatment

We process certain types of special category personal data in order to monitor equality of opportunity/treatment.

Employment law obligations

We may also process certain special category personal data where this is necessary so that we can meet our obligations in the field of employment law.

The provision of commercial services to third parties and the provision of healthcare services

We may, in certain circumstances, process your personal data in the following contexts:

  • Providing commercial services to third parties; or
  • Providing healthcare services for patients of NHS partner hospitals.

Legitimate interests

To grow our business and provide services to third parties

Identification and security, including information security

We will use images of you in order to issue you with a UCL staff ID card.

We will also process your personal data to managing our access control systems and for other security purposes, including in relation to information security and our IT systems and also via on-premises CCTV security cameras.

Legitimate interests

In these circumstances we will generally rely on UCL's legitimate interests in maintaining a secure environment for staff members and students when processing your personal data, and in protecting our IT systems.

Marketing/publicity purposes

We may take photographs or videos of you during your employment at UCL, including where you attend events such as graduation. These images will generally be used for UCL's marketing/publicity materials.

Your personal data may also be processed by UCL in a social media context, including where students are given permission to take over a particular UCL-operated social media account for a specific time period. For example, we may publish an interview with you or information about your work on our social media platforms or share photographs or other images of you. This will generally be for UCL's marketing/publicity purposes.

Legitimate interests

When using your personal data for marketing or publicity purposes, we will generally rely on our legitimate interests in promoting UCL, including our courses, our activities and our overall aims and objectives.

Please note that where the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and you do not provide us with the personal data required, UCL may not be able to process your application or enter into a contract of employment with you, as applicable.

We do not generally process your personal data based on your consent (as we can usually rely on another legal basis). If we do process your personal information based on your consent, we will inform you of this before we start the processing and you will have the right to withdraw your consent at any time. See the "Your Rights" section below.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Third parties with whom we may share your personal data

Your personal data may be disclosed to other organisations as required by law e.g. provision of salary and tax data to HM Revenue & Customs, for crime prevention, investigation or detection purposes or in order to protect your vital interests.

Where necessary we may also share your information with:

  • family, associates and representatives of the person whose personal data we are processing
  • current, past or prospective employers
  • healthcare, social and welfare organisations
  • suppliers and service providers
  • financial organisations
  • auditors
  • police forces, security organisations
  • courts and tribunals
  • prison and probation services
  • legal representatives
  • local and central government
  • consultants and professional advisers
  • trade union and staff associations
  • survey and research organisations
  • press and the media
  • landlords
  • funders and sponsors

Some information about staff is also sent in coded and anonymised form to the Higher Education Statistics Agency (HESA). HESA’s Privacy Policy is available here: HESA website.

UCL publishes information about research staff via the Institutional Research Information Service (IRIS) in order to provide information on research activity at UCL. Further information about IRIS.

We use the services of various external service providers to help us run our university efficiently, particularly in relation to our IT systems. Some of these services (such as email hosting and data backups) involve the service provider holding and using your personal data. In each case where we share your information with one of our service providers, the service provider is required to keep it safe and secure. They are also not permitted to use your information for their own purposes.

In order to support the UK’s effort to tackle Covid-19, contact information may also be shared with NHS Test and Trace where requested.

Transfers outside the United Kingdom

We display staff members' UCL email addresses in the UCL online staff and student directory (subject to any opt outs). This directory is publicly accessible to Internet users, including those in countries outside the UK. Please note that many countries outside the UK do not have data protection legislation, or have different data protection or privacy regimes, and so may not always protect personal data to the same standard as within the UK. If you are uncomfortable with your details appearing in the directory then you should use the opt out facility from the directory. The process for becoming ex-directory is available on the UCL Information Services Division website

Your data may be transferred outside the UK. For example, where we use third party providers to deliver our services, such as externally hosted software or cloud providers, those providers may transfer personal data outside of the UK. As stated above, the online staff and student directory is also accessible outside the UK.

There are also many other circumstances in which we may transfer your personal data outside the UK, e.g. where we use a third party cloud services provider based outside the UK to store personal data.

Where we transfer your personal information across national boundaries to a third party, such as one of our service providers, we will protect your personal information by ensuring that those transfers are made in compliance with all relevant data protection laws. Generally, this means where we transfer your personal information to a third party that is located in a country which does not have adequate privacy protection, we will put in place a contract with the third party that includes the standard international data transfer contractual terms approved by the ICO. For further information on the measures in place, please contact us using the details set out in the 'Who do I contact with questions?' section below.

Principles

When processing your personal data, UCL is required by relevant data protection laws to comply with the following principles.

PrinciplePersonal Data shall be:
Lawfulness, fairness and transparencyprocessed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitationcollected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisationadequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracyaccurate and, where necessary, kept up to date.
Storage limitationkept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentialityprocessed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In accordance with the separate 'Accountability' principle under relevant data protection laws, UCL must also be able to demonstrate compliance with each of the above principles.

How we will protect information about you

We do our utmost to protect your privacy. Data protection legislation obliges us to follow security procedures regarding the storage and disclosure of personal information in order to avoid unauthorised loss or access. As such we have implemented industry-standard security systems and procedures to protect information from unauthorised disclosure, misuse or destruction. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Retention periods

Your personal data will be retained in accordance with UCL’s central Data Retention Schedule.

Your rights

Subject to certain conditions, you have the following rights in relation to your personal data:

Right 1: A right to access personal data held by us about you (commonly known as a "data subject access request") (please see section entitled "How can I access my personal information" below).

Right 2: A right to require us to rectify any inaccurate personal data held by us about you, though we may need to verify the accuracy of the new data you provide to us.

Right 3: A right to require us to erase personal data held by us about you where there is no good reason for us continuing to process it. This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below). Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Right 4: A right to restrict our processing of personal data held by us about you. This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims or due to having overriding legitimate grounds to use it.

Right 5: A right to receive personal data which you have provided to us in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation.

Right 6: A right to object to our processing of personal data held by us about you where we are relying on a legitimate interest (or those of a third party), and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Right 7: A right to withdraw your consent where we are relying on it to use your personal data. Note that a withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Right 8: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.

In certain circumstances, we may need to restrict your rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).

Keeping personal data up-to-date

Data protection law requires us to take reasonable steps to ensure that any personal data we process is accurate and up-to-date. Employees are responsible for informing us of any changes to the personal data that they have supplied during the course of their employment. Basic personal details can be updated in MyHR.

How can I access my personal information?

As noted above, you have the right to access information held about you. Details are set out in our Data Protection Policy. Your right of access can be exercised at any time by contacting us at data-protection@ucl.ac.uk or Data Protection Officer, UCL Gower Street, London WC1E 6BT.

Automated processing

UCL does not use automated processing and decision making without manual intervention.

Who regulates the use of my personal information?

UCL maintains a data protection registration with the Information Commissioner's Office, the independent authority which oversees compliance with the UK's data protection laws. Our registration number is Z6364106 and this registration sets out, in very general terms, the full range of purposes for which we use student, staff and all other personal data. Please see the Information Commissioner's Office website for details.

Who do I contact with questions?

If you have any questions about your personal data and UCL that are not answered by this privacy notice then please consult UCL's data protection web pages, where further guidance and relevant UCL policy documentation can be found.

If you need further assistance, please contact UCL's Data Protection Officer: data-protection@ucl.ac.uk or Data Protection Officer, UCL Gower Street, London WC1E 6BT.

If we are unable to adequately address any concerns you may have about the way in which we use your data, you have the right to lodge a formal complaint with the data protection authority in your country or our main data protection regulator, the Information Commissioner's Office. Full details may be accessed on the complaints section of the Information Commissioner's Office website.