Data protection for staff
Structure and governance
As a member of staff, the University of Portsmouth will collect your personal data to record your time as an employee and ensure that you are paid.
What data do we process?
We collect the following personal data from you before you start working with us:
- Your name
- Contact details
- Emergency contact details
- Date of birth
- Country of nationality and birth
- Academic qualifications
- Previous employment details
- Details of any disability
- Details of any criminal convictions
- Contact details for referees
- Special category data such as country of birth, nationality and details of physical and mental health for equal opportunities monitoring
Disclosure of your personal data to third parties
We will only disclose your personal data:
- Where you give written consent for the disclosure
- When the University is under a legal requirement to provide information (e.g. Higher Education Statistics Agency or HESA)
- If required by the police or other agencies investigating a criminal offence
It is not possible to list every purpose for which your data will be used, but this will only ever be in relation to University business.
For further information, please read the Data Protection Statement for Staff below.
How long will we keep your personal data?
Your staff record will be retained for six years after the termination of your employment. After this, only those details necessary to identify you and to show that you worked at the University will be kept.
Your responsibilities as a data subject
We need you to tell us if any of your details change so that we can keep your records up to date.
Don't give your staff username or computer passwords to anyone else. This will limit the possibility of confidential systems being accessed by anyone who is not authorised to do so.
If you are involved in any research work at the University or are in a position where you might come into contact with other people's personal data, please remember to treat that information in confidence. All data must be handled in line with basic data protection principles and you must not to access any data that you do not need to complete your work.
Data Protection statement for staff
What is this document about?
This Statement explains to members of University staff how their personal data, including special category data, collected from them by the University, may be used, including some examples of how such data is processed.
Who is this for?
The statement is of primary interest to all staff (both past and present) whose data is processed by the University, and may be of general interest to the wider public.
How does the University check this is followed?
- Staff are made aware of the Statement in their employment contracts and induction paperwork
- Queries about the use of personal data from staff suggest that this Statement is known about and read
- Periodic information governance audits also check that the information in the statement is known about and understood
Who can you contact if you have any queries about this document?
All enquirers may contact the University’s Data Protection Officer, Samantha Hill, on 023 9284 3642 or Samantha.firstname.lastname@example.org.
The University of Portsmouth processes data about you to administer your employment whilst at the University as a member of staff, and after you have left in order to provide references and to confirm your employment at the University, for example in relation to pension enquiries. If you have any questions about how the University processes your data, then the following contact information may be useful.
The University’s correspondence address is:
The University of Portsmouth
Winston Churchill Avenue
Main switchboard: 023 9284 8484
The University’s Data Protection Officer is:
Samantha Hill – Information Disclosure Manager
Direct telephone number: 023 9284 3642
The University of Portsmouth processes your personal data, and your special category data, for a variety of purposes, involving all aspects of the administration of your employment (including once you leave the University), for statistical purposes and for the purposes of equal opportunities monitoring.
In order for the University to be able to process your data properly, it is your responsibility to inform us as soon as possible if data we hold about you is incorrect or requires updating. As a member of staff you are able to see a range of data about yourself on the Employee Self Service (ESS) part of the Human Resources (HR) system, including personal information, data relating to protected characteristics, emergency contact details, current job details, absences, bank details, pay history, HESA details and career development
details. You can change / update many of these items yourself and you are encouraged to do so on a regular basis. Where it is not possible for you to update your own details, staff in HR will be able to do it for you.
We collect the contact details of a person nominated by you as a contact for you if needed. You must notify that person that we are holding this data, which will only be used in an emergency. You must remember to update this information as and when necessary.
The University’s legal basis for processing the majority of your personal data is that the processing is necessary for the performance of the employment contract you enter into with the University.
The University is also under a legal obligation to process some data concerning you and to provide that data to third parties, for example, Her Majesty’s Revenue and Customs or the Health and Safety Executive.
The University may use your work contact details to keep you informed of initiatives such as opportunities for study or partake in research and for volunteering purposes. Some contact details will also be passed to the recognised trade unions in order for them to contact you. We believe that this processing is necessarily within the University’s legitimate interests.
If we process any special category data about you (such as, ethnicity, trade union membership, or health data), when requesting the data we will either:
- ask for your specific consent to process this data
- use the legal bases that the processing is necessary in the field of employment or for the purpose of the assessment of the working capacity of an employee
- consider whether it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health
- process the data to enable us to promote and maintain equality of opportunity or treatment between different groups of people
We require the data we ask you to provide at the start of your employment and failure to provide this data may cause you not to be, or not to continue to be, employed by the University of Portsmouth.
We retain your full employment record after the end of your employment, so that we can provide references or pension details when asked to do so. (After six years we will only retain sufficient data to confirm that you were employed by the University and for how long.)
If you have been employed in a post where you may / have been in contact with various hazardous substances, we may keep your record for longer than six years for health reasons. Further details of the situations where we might keep your data for longer than six years can be found at section 6 of the University’s Record Retention Schedule.
Only those members of staff within the University who need to have access to the data you provide when you begin your employment, and those who update information via the Staff Self-Service portal, to administer your employment, will have access to your data. Therefore, staff within HR and the Finance Department will have access to your data, as may some administrative staff within your Faculty / department / school, your Head of School or department as your line manager, and the Executive Dean of your Faculty. It may also be necessary for senior members of the University staff to have access to this data if a staff disciplinary case requires investigation or for due diligence purposes. If you disclose any special category data at any time during your employment, that data may be shared with specific departments, such as the University’s Occupational Health service, but this will only be done with your prior knowledge / consent.
It is not possible to list all of the bodies with whom we might have to share your personal data, but the following are examples of when the University will release data about you to third parties either where you ask us to, where we have a legitimate reason to use that data in connection with your employment here at the University or where the University is under a legal requirement to provide data:
- Data may be released to third parties such as HMRC, in relation to matters associated with your employment. We are required to pass data about you (in coded and anonymised form) to the Higher Education Statistics Agency (HESA) which then creates your HESA Staff Record. Some of this anonymised data will be passed to other statutory bodies involved with the funding of education, but it cannot be used in any way that could affect you personally. For further details of how your HESA Staff Record may be used by HESA please go to https://www.hesa.ac.uk/about/regulation/dataprotection/notices .
- Details of any reportable accidents are referred to the Health and Safety Executive (HSE). Data provided to the HSE will include the personal data of any individual involved in the accident.
- If you are referred to the University’s Occupational Health department, your data will be disclosed to staff working with that department, some of whom may be external professionals
- Your data will be used to produce anonymised statistic to show workforce trends
- Your data will be passed to Pension Funds administrators – Local Government Pensions Scheme or Teachers Pensions as appropriate, the NHS Pensions Agency and the NEST pension scheme
- We will release data to the police and other enforcement agencies in emergencies and where it is required by these agencies for the detection or prevention of crime
- Data may be released to the third party organisations that host University data. For example,:
- the University’s staff card supplier, for use in the production of your staff card.
- the University of Northumbria in order to provide out of hours IS/Library help
- Google Apps for Education
- the University’s Staff Travel Management and Expenses Service provider, in order to book travel arrangements and to contact you to provide travel updates
- the University shares contact details about you with the University’s Students’ Union (UPSU) in order to allow staff to be able to receive a Totem card
All instances of data sharing / hosting are covered by contractual arrangements or an operational agreement with the party concerned.
- Data relating to staff joining and leaving the University will be passed to the branch secretary or representative of the trade unions recognised by the University in order that membership records can be maintained
- Data may be released to specific third parties in order to carry out research relevant to the staff population but this will only be done where necessary, and when covered by a data processor agreement.
- If your post requires a Disclosure and Barring Service (DBS) check, the personal data you provide to the University on the DBS application form will be submitted to the University’s DBS checking supplier (Due Diligence Checking), which will review the data and submit the application to the DBS. The results of the DBS check are reported back to the University, but the details are sent directly to you as the applicant.
The University has set up a staff discount portal with a third party, Sodexo (also known as P&MM). The University will not provide Sodexo with any personal data about you except to confirm – on request – that you are a member of University staff, if you decide to take advantage of the scheme.
We will not, however, release data to any third person without there being a legitimate reason to do so, except where you ask us to. This means that we will not release data to banks, friends, and relatives among other parties without your prior agreement. If you wish us to provide data in these circumstances, you should provide us with written consent to release the data
Although the University does store some data in the cloud via Google Apps for Education, the servers for the data are EU based.
Data supplied to the Staff Travel Management and Expenses Service may be stored on servers based outside of the EU but this processing is covered by standard contractual clauses.
The data supplied to UPSU for the Totem card is stored securely on UPSU servers hosted by Amazon Web Servers, which utilise a global network of servers. For further details of this arrangement, please contact UPSU on email@example.com.
You are entitled to request a copy of the data you provide to us in an electronic format so that you may pass that data to another body (the right to data portability), as well as to request a copy of the data we hold about you (a Subject Access Request).
You are also entitled to raise an objection to the processing where the processing of data we hold about you is likely to cause you damage or distress, and to request either the rectification of any incorrect data, the restriction of any further processing of your data or the erasure of your data (right to be forgotten).
You have the right to withdraw your consent for processing your personal data where we have originally asked for your consent. However, where we collect your personal data under another legal basis, it may not be possible for us to remove all of your personal data from our records if you request this.
If you require any further information on, or wish to object to, any of the uses to which we put your data, you should contact Samantha Hill, the University’s Data Protection Officer on 023 9284 3642 or Samantha.firstname.lastname@example.org .
Finally, you have the right to complain about the processing of your data to the UK regulator, the Information Commissioner’s Office. For more information about this body and how to make a complaint, please see the ICO website.