UCL Staff Privacy Notice. 07th August 2018, version 2
UCL ("we", "our", "us") are committed to protecting and respecting your privacy.
- What is personal data?
'Personal data' means any information which identifies you as an individual. It may include your name but it may also be other information such as your date of birth, nationality and gender which when combined identify you.
- This statement and UCL's data protection obligations
In accordance with the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018 (the “DPA”), together, the “Data Protection Laws”, we are a Data Controller as we determine the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. This means that we are legally responsible for the personal data we collect and hold about you. It also means that we must comply with the data protection principles (see below). One of our responsibilities is to tell you about the different ways in which we use your personal data – what information we collect (and our legal basis for doing so), why we collect it, where we collect it from and whether (and with whom) we will share it. We also need to tell you about your rights in relation to the information. This notice provides further details about all of these issues.
In order to comply with our contractual, statutory, and management obligations and responsibilities, we need to process personal data relating to our employees, including ‘sensitive’ or ‘special categories’ of personal data, as defined in the Data Protection Laws, which include information relating to health, racial or ethnic origin, and criminal convictions.
All personal data will be processed in accordance with the Data Protection Laws and the UCL Data Protection policy.
The term ‘processing’ refers to all actions related to the handling of personal data and therefore includes collection, the holding and use of such data, as well as access and disclosure, through to final destruction. Staff should be aware that in certain circumstances, the Data Protection Laws permit us to process an employee’s personal data, and, in certain circumstances, sensitive personal data, without their explicit consent.
- Using your information in accordance with Data Protection Laws
Data Protection Laws require that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a 'legal basis' for the processing.
The legal bases on which your personal data are collected, the types of personal data, and the purposes for which they are processed are given below.
Application for employment
We need to process your personal data that you supplied to UCL as part of your application for a position at UCL. This is to ensure that your application can be considered by the relevant department. In your application we will collect the following information:
- Personal data gathered
In your application we will collect the following information
Your personal Email
Details of your Secondary and/or Tertiary education
Statement in support of your application
Details within your submitted Curriculum Vitae (CV)
Details of your right to work in the UK
Information about your present and employment history for the previous five (5) years including:
Name of Employer(s)
Address Line 1
Address Line 2
In addition, we may contact your referees as provided in your application to confirm the employment information that you provided.
- Special categories personal data
As part of the application you will be asked to provide details about the following equalities data. You have the right to not provide this information in which case UCL will note to statutory bodies that you elected not to provide this information:
Disability type and severity
Your Sex and Sexual Orientation
Your chosen Gender
Your Religious beliefs
- Criminal records information
In some circumstances we may process your information to undertake a Disclosure and Barring Service (DBS) check, as required by law.
During your employment
As a member of staff at UCL we may collect additional data from you, from time to time, as part of your employment (e.g. Occupational Health data). We will process this data, as well as the data provided in your application in order to perform our obligations arising from your contract of employment with us. The additional personal data we process to meet these responsibilities includes:
- Additional data – personal information
The additional personal data (including some special category personal data) we process to meet our responsibilities as an employer includes the following:
Previous sickness information including the reasons for the absence
Bank account details
Remuneration and benefits
Trade Union Membership
- Statutory responsibilities
We may process your personal data in order to meet responsibilities imposed on us by legislation. The personal data processed to meet statutory responsibilities includes, but is not limited to, data relating to:
statutory sick pay;
statutory maternity pay;
work permits, and
equal opportunities monitoring.
- Our basis for processing
The basis for processing this data is in line with Article 6(1)(b) of the GDPR (contract), as well as Article 6(1)(f) of the GDPR (legitimate interest).
- Purpose of processing
We will use your personal data in connection with your employment relationship with us, including for the following purposes:
To enable us to provide education and support services to our staff.
Managing our accounts and records and providing commercial activities to our clients.
For the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime – The CCTV policy can be found here
To provide healthcare services for patients of NHS partner hospitals.
To provide you access to relevant systems to undertake your role.
To fulfil our obligations for the contract of employment.
Processing recruitment applications.
Talent, performance and succession planning.
Paying and reviewing salary and other remuneration and benefits.
Providing and administering benefits (including pension, voluntary healthcare schemes, salary sacrifice schemes and others).
Undertaking performance appraisals and reviews.
Policy and Legal Governance requirements and compliance.
Internal audit and data collection.
Legal compliance, requirements and obligations.
Maintaining sickness and other absence records.
Providing references and information to future employers and, if necessary, governmental bodies.
Processing information regarding equality of opportunity and treatment of data subjects in line with the monitoring of equal opportunities and access.
The information we process may be held on UCL Corporate systems some of which may be owned and operated by third parties. Where we engage with such third parties, we insist upon strict contractual requirements to be adhered to by them to protect the personal data.
- Special categories personal data
The Data Protection Laws define ‘sensitive personal data’ or 'special categories of personal data' as information about racial or ethnic origin; political opinions; religious beliefs or other similar beliefs; trade union membership; physical or mental health; sexual life. In certain limited circumstances, the Data Protection Laws permit us to process such data without requiring the explicit consent of the employee.
(a) We will process sensitive personal data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and consent.
(b) Other than in exceptional circumstances, UCL will process sensitive personal data about an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding UCL’s equal opportunities policies and related provisions.
(c) Information about an employee’s criminal convictions will be held as necessary and only in accordance with Data Protection Legislation.
The lawful basis for processing this special category personal data will be:
The GDPR Article 9(2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.’
- Sharing personal data with other organisations
We sometimes need to share the personal information we process with you and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Laws.
We may use third party providers to deliver our services, such as externally hosted software or cloud providers, and those providers may involve transfers of personal data outside of the EU. Whenever we do this, to ensure that your personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, we require such third parties to agree to put in place safeguards, such as the EU model clauses or equivalent measures.
Where necessary or required we will share your information with:
- family, associates and representatives of the person whose personal data we are processing;
- current, past or prospective employers;
- healthcare, social and welfare organisations;
- suppliers and service providers;
- financial organisations;
- police forces, security organisations;
- courts and tribunals;
- prison and probation services;
- legal representatives;
- local and central government;
- consultants and professional advisers;
- trade union and staff associations;
- survey and research organisations;
- press and the media, and
Furthermore, in order to fulfil its statutory responsibilities, UCL is required to provide some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.
The University will display an employee’s UCL email address and telephone number in the online staff and student directory, which is accessible to internet users, including those in countries outside the European Economic Area (EEA). Employees should be aware that many countries outside the EEA do not have data protection legislation, or have different data protection or privacy regimes, and so may not always protect their personal data to the same standard as within the EEA. Requests to become ex-directory should be first addressed to the employee’s Head of Department. The process for making such a request is available from this page.
- Automated processing
UCL does not use automated processing and decision making without manual intervention.
We will handle your personal data in accordance with the principles set out below:
Personal Data shall be:
Lawfulness, fairness and transparency
be processed lawfully, fairly and in a transparent manner in relation to the data subject.
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
accurate and, where necessary, kept up to date.
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
be able to demonstrate compliance with the above principles
- Keeping personal data up-to-date
The Data Protection Laws require us to take reasonable steps to ensure that any personal data we process is accurate and up-to-date. Employees are responsible for informing us of any changes to the personal data that they have supplied during the course of their employment. Basic personal details can be updated in MyView.
- Retention of your data
UCL will retain your data according to the records retention schedule which is available here
The criteria used to determine retention periods are based on the JISC guidance available here
- Your rights
You have the following rights in relation to your personal data:
Right 1: A right to access personal data held by us about you (please see section entitled "How can I access my personal information" below).
Right 2: A right to require us to rectify any inaccurate personal data held by us about you.
Right 3: A right to require us to erase personal data held by us about you. This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below).
Right 4: A right to restrict our processing of personal data held by us about you. This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims.
Right 5: A right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation.
Right 6: A right to object to our processing of personal data held by us about you.
Right 7: A right to withdraw your consent, where we are relying on it to use your personal data.
Right 8: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.
- Requesting information
As noted above, you have the right to access information held about you. Your right of access can be exercised at any time by contacting us.
Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail, The Week@UCL, as well as UCL Exchanges.
- Who regulates the use of my personal information
The University maintains a data protection registration with the Information Commissioner's Office, the independent authority which oversees compliance with the Data Protection Legislation. The University's registration number is Z6364106 and sets out, in very general terms, the full range of purposes for which we use student, staff and all other personal information. Please visit the Information Commissioner's Office website for details.
- Who do I contact with questions?
The data controller for the purposes of the GDPR is University College London. If you have any questions or concerns about how your personal data is used, please consult the University's data protection webpages, and if you have a complaint please contact us.
UCL's Data Protection Policy can also be found on this website. If you need further assistance, please contact the University Data Protection Officer.
If we are unable to adequately address any concerns you may have about the way in which we use your data, you have the right to lodge a formal complaint with the UK Information Commissioner's Office. Full details may be accessed on the complaints section of the ICO's website