UCL Staff Privacy Notice

UCL Staff Privacy Notice. 7th December 2018, version 2.4

UCL ("we", "our", "us") are committed to protecting and respecting your privacy.

This privacy policy sets out the basis on which any personal data we collect from you, or that you or any third parties provide, will be processed by us.  We may withdraw or modify this notice at any time and we may supplement or amend this notice by additional policies and guidelines from time to time.  We will notify you if this notice is amended.

What is personal data?

'Personal data' means any information which identifies you as an individual. It may include your name but it may also be other information such as your date of birth, nationality and gender which when combined identify you.

This statement and UCL's data protection obligations

In accordance with the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018 (the “DPA”), together, the “Data Protection Laws”, we are a Data Controller as we determine the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. This means that we are legally responsible for the personal data we collect and hold about you. It also means that we must comply with the data protection principles (see below). One of our responsibilities is to tell you about the different ways in which we use your personal data – what information we collect (and our legal basis for doing so), why we collect it, where we collect it from and whether (and with whom) we will share it. We also need to tell you about your rights in relation to the information. This notice provides further details about all of these issues.

In order to comply with our contractual, statutory, and management obligations and responsibilities, we need to process personal data relating to our employees, including ‘sensitive’ or ‘special categories’ of personal data, as defined in the Data Protection Laws, which include information relating to health, racial or ethnic origin, and criminal convictions.

All personal data will be processed in accordance with the Data Protection Laws and the UCL Data Protection policy.

The term ‘processing’ refers to all actions related to the handling of personal data and therefore includes collection, the holding and use of such data, as well as access and disclosure, through to final destruction. Staff should be aware that in certain circumstances, the Data Protection Laws permit us to process an employee’s personal data, and, in certain circumstances, sensitive personal data, without their explicit consent.

Using your information in accordance with Data Protection Laws

Data Protection Laws require that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a 'legal basis' for the processing.

The legal bases on which your personal data are collected, the types of personal data, and the purposes for which they are processed are given below.

Application for employment

We need to process your personal data that you supplied to UCL as part of your application for a position at UCL. This is to ensure that your application can be considered by the relevant department. In your application we will collect the following information:

Personal data gathered

First Name(s)
Last Name
Other Name(s)
Preferred Forename
Your Address
Telephone (Home)
Telephone (Work)
Telephone (Mobile)
Your personal Email
Details of your Secondary and/or Tertiary education
Professional qualifications
Statement in support of your application
Details within your submitted Curriculum Vitae (CV)
Details of your right to work in the UK

Information about your present employment and your employment history for the previous five (5) years, including:
Name of Employer(s)
Address Line 1
Address Line 2
Job Title
Date From
Date To
Notice Required

In addition, we may contact your referees as provided in your application to confirm the employment information that you provided. 

Special categories personal data

As part of the application you will be asked to provide equality and diversity information. This may include data concerning:

Any disability
Your ethnicity
Your sexual orientation
Your religious beliefs

You have the right to not provide this information, in which case UCL will note to statutory bodies that you elected not to provide this information.

Criminal records information

In some circumstances we may process your information to undertake a Disclosure and Barring Service (DBS) check, as required by law.

During your employment

The Data Protection Laws define ‘sensitive personal data’ or 'special categories of personal data' as information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, data concerning sex life or sexual orientation. We will process this data, as well as the data provided in your application in order to perform our obligations arising from your contract of employment with us. The additional personal data we process to meet these responsibilities includes:

Additional data – personal information

The additional personal data (including some special category personal data) we process to meet our responsibilities as an employer includes the following:

Previous sickness information including the reasons for the absence
Bank account details
Passport details
Visa details
Sick pay
Leave entitlement
Parental pay
Pensions data
Remuneration and benefits
Emergency contacts
Trade Union Membership

Statutory responsibilities

We may process your personal data in order to meet responsibilities imposed on us by legislation. The personal data processed to meet statutory responsibilities includes, but is not limited to, data relating to:
national insurance;
statutory sick pay;
statutory maternity pay;
family leave;
work permits, and
equal opportunities monitoring.

Our lawful basis for processing

The lawful bases for processing personal data will be:

Article 6(1)(b) Contract 
Article 6(1)(e) Public Task
Article 6(1)(f) Legitimate interest

Purpose of processing

We will use your personal data in connection with your employment relationship with us, including for the following purposes:

To enable us to provide education and support services to our staff.
Undertaking research.
To facilitate staff training, such as e-learning.
Managing our accounts and records and providing commercial activities to our clients.
For the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime – The CCTV policy can be found here
To provide healthcare services for patients of NHS partner hospitals.
To provide you access to relevant systems to undertake your role.
To fulfil our obligations for the contract of employment.
Processing recruitment applications.
Talent, performance and succession planning.
Paying and reviewing salary and other remuneration and benefits.
Providing and administering benefits (including pension, voluntary healthcare schemes, salary sacrifice schemes and others).
Undertaking performance appraisals and reviews.
Policy and Legal Governance requirements and compliance.
Internal audit and data collection.
Legal compliance, requirements and obligations.
Maintaining sickness and other absence records.
Providing references and information to future employers and, if necessary, governmental bodies.
Processing information regarding equality of opportunity and treatment of data subjects in line with the monitoring of equal opportunities and access.
Any of the core purposes and ancillary activities linked to furthering UCL's core purposes that are described in our ‘Statement of Tasks in the Public Interests’.

The information we process may be held on UCL Corporate systems, some of which may be owned and operated by third parties. Where we engage with such third parties, we insist upon strict contractual requirements to be adhered to by them to protect the personal data.

Special categories personal data

The Data Protection Laws define ‘sensitive personal data’ or 'special categories of personal data' as information about racial or ethnic origin; political opinions; religious beliefs or other similar beliefs; trade union membership; physical or mental health; sexual life. In certain limited circumstances, the Data Protection Laws permit us to process such data without requiring the explicit consent of the employee.

(a) We will process sensitive personal data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and consent.
(b) Other than in exceptional circumstances, UCL will process sensitive personal data about an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding UCL’s equal opportunities policies and related provisions.
(c) Information about an employee’s criminal convictions will be held as necessary and only in accordance with Data Protection Legislation.

The lawful basis for processing this special category personal data will be:
The GDPR Article 9(2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.’

Sharing personal data

We sometimes need to share the personal information we process with you and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Laws.

We may use third party providers to deliver our services, such as externally hosted software or cloud providers, and those providers may involve transfers of personal data outside of the EU. Whenever we do this, to ensure that your personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, we require such third parties to agree to put in place safeguards, such as the EU model clauses or equivalent measures.

Where necessary or required we will share your information with:

  • family, associates and representatives of the person whose personal data we are processing;
  • current, past or prospective employers;
  • healthcare, social and welfare organisations;
  • suppliers and service providers;
  • financial organisations;
  • auditors;
  • police forces, security organisations;
  • courts and tribunals;
  • prison and probation services;
  • legal representatives;
  • local and central government;
  • consultants and professional advisers;
  • trade union and staff associations;
  • survey and research organisations;
  • press and the media, and
  • landlords

Furthermore, in order to fulfil its statutory responsibilities, UCL is required to provide some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.

Some information about staff is sent in coded and anonymised form to the Higher Education Statistics Agency (HESA). HESA’s Privacy Policy is available here.

The University will display an employee’s UCL email address and telephone number in the online staff and student directory, which is accessible to internet users, including those in countries outside the European Economic Area (EEA). Employees should be aware that many countries outside the EEA do not have data protection legislation, or have different data protection or privacy regimes, and so may not always protect their personal data to the same standard as within the EEA. Requests to become ex-directory should be first addressed to the employee’s Head of Department. The process for making such a request is available from this page.

Your personal data may be disclosed in order to meet requests under freedom of information or data protection legislation.

Automated processing

UCL does not use automated processing and decision making without manual intervention.


We will handle your personal data in accordance with the principles set out below:


Personal Data shall be:

Lawfulness, fairness and transparency

processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.


Accuracy

accurate and, where necessary, kept up to date.

Storage limitation

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Accountability

We must be able to demonstrate compliance with the above principles.

Keeping personal data up-to-date

The Data Protection Laws require us to take reasonable steps to ensure that any personal data we process is accurate and up-to-date. Employees are responsible for informing us of any changes to the personal data that they have supplied during the course of their employment. Basic personal details can be updated in MyView.

Retention of your data

UCL will retain your data according to the records retention schedule.

The criteria used to determine retention periods are based on the JISC guidance available here.

Your rights

Under certain circumstances, you may have the following rights in relation to your personal data:

Right 1: A right to access personal data held by us about you (please see section entitled "How can I access my personal information" below).

Right 2: A right to require us to rectify any inaccurate personal data held by us about you.

Right 3: A right to require us to erase personal data held by us about you.  This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below).

Right 4: A right to restrict our processing of personal data held by us about you.  This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims. 

Right 5: A right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation.

Right 6: A right to object to our processing of personal data held by us about you.

Right 7: A right to withdraw your consent, where we are relying on it to use your personal data.

Right 8: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.

Requesting information

As noted above, you have the right to access information held about you. Your right of access can be exercised at any time by contacting us.

Changes to our privacy policy

Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail, The Week@UCL, as well as UCL Exchanges.

Who regulates the use of my personal information?

The University maintains a data protection registration with the Information Commissioner's Office, the independent authority which oversees compliance with the Data Protection Legislation. The University's registration number is Z6364106 and sets out, in very general terms, the full range of purposes for which we use student, staff and all other personal information. Please visit the Information Commissioner's Office website for details.

Who do I contact with questions?

The data controller for the purposes of the GDPR is University College London. If you have any questions or concerns about how your personal data is used, please consult the University's data protection webpages, and if you have a complaint please contact us.

UCL's Data Protection Policy can also be found on this website. If you need further assistance, please contact the University Data Protection Officer.

If we are unable to adequately address any concerns you may have about the way in which we use your data, you have the right to lodge a formal complaint with the UK Information Commissioner's Office. Full details may be accessed on the complaints section of the ICO's website.
