Academic Handbook Data Protection
Privacy Notice for Employees, Job Applicants and Others Working at the University
Last modified on September 5th, 2024 at 3:45 pm
Introduction
- This Privacy Notice applies to current employees, former employees, job applicants, workers, contractors, honorary position holders, board members, volunteers and visiting lecturers.
- The notice explains how the University will process your personal data. It does not form part of any contract of employment nor any other contract to provide services.
- The University may update its Privacy Notices at any time; please check back here regularly to review any changes.
Categories of Data Held by the University
- The University holds a range of personal data about you, some of which you provide to us directly and some of which is received from third parties.
- The following are some examples of types of personal data the University holds:
- Personal details including name, title, date of birth, gender, marital status and dependents
- Contact details including address, telephone number and personal email address
- Next of kin and emergency contact information
- National Insurance Number
- Bank account details, payroll details and tax status information
- Salary, annual leave, pension and benefits information
- Location of employment or workplace
- Recruitment information (including copies of qualifications, right to work documentation, driving license, references and other information included in a CV or cover letter or as part of the application process)
- Employment records (including job titles, work history, working hours, training records and professional memberships)
- Immigration information (for example passport details and language proficiency)
- Performance information
- Disciplinary and grievance information, including information related to the investigation, adjudication, and determination or outcome of any alleged violation of law or policy
- Information obtained through electronic means such as swipe card records
- Information about your use of the University’s IT systems, including email or internet usage
- ID card image, photographs, and videography
- The University captures photographs and videos during its events to promote activities and share information about programmes. These images may be used in printed materials, online content, and other promotional materials.
- You have the right to request that we do not use your image or video footage in our materials. If you wish to opt-out, please inform us as soon as possible. You can contact us in advance of the event, or speak to our photographer/videographer on site.
- The University may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your age, race or ethnicity, disability, religious beliefs, sexual orientation, gender, political opinions, marriage and civil partnership and pregnancy and maternity
- Information about you and your family members’ and dependents’ health, including any medical conditions, general health, and sickness records
- Information about criminal convictions, offences and barred list status
Purposes and Means of Processing Personal Data
- The University processes your personal data to help effectively administer the employment relationship between you and the University.
- The University only processes data for specified purposes and if it is justified in accordance with data protection law. The table below explains the various reasons why the University processes your personal data and its justification for doing so.
- Some processing of personal data is justified on the basis of legitimate interests, and some processing is carried out on the basis of contractual necessity. In general, this applies to personal data you provide to the University when you first start working for it and throughout your employment with the University; it is held to manage the employment relationship and to monitor performance.
- Without this information, the University would not be able to employ you and follow the law, assess your application, offer you work with the University or implement reasonable adjustments when required. Some personal data is also required to fulfil the University’s legal obligations (for example, immigration or HMRC).
- There may be other processing in addition to the below. This is undertaken in accordance with the University’s policies of which the University will inform you when such data is obtained or as soon as possible afterwards.
Table 1 Examples of Reasons Why the University Processes Personal Data
Purpose | Legal Basis and Justification |
To decide on your recruitment or appointment | Necessary before entering into an employment contract and to comply with Employment Law |
To determine the terms on which you work for the University | Necessary for the performance of employment contract and to comply with Employment Law |
To allocate and manage work responsibilities | Necessary for the performance of employment contract and to comply with Employment Law |
To pay your salary, tax, pension contributions, and to process any relevant benefits | Necessary for the performance of employment contract and to comply with Employment Law |
To manage performance and conduct | Necessary for the performance of employment contract and to comply with Employment Law |
To manage training and development needs or opportunities | Necessary for the performance of employment contract |
To monitor equality, diversity and inclusion | Necessary for the University’s legal obligation to promote an inclusive work environment, to comply with Employment Law and other legal obligations |
To implement and ensure compliance with the University’s policies | Necessary for the performance of employment contract, and to comply with University policy, Employment Law and ICO Code of Practice |
To assess and manage fitness and capability to work and manage sickness absence | Necessary for the performance of employment contract and to comply with Employment Law |
To manage reviews and the promotions process | Necessary for the performance of employment contract and to comply with Employment Law |
To provide management information and inform HR processes | Necessary for the performance of employment contract, to comply with Employment Law and the University’s legitimate interests to ensure HR systems operate securely and efficiently, and to inform management decisions |
To communicate with you and evaluate your experience as an applicant or employee | Necessary for the performance of the employment contract and to comply with Employment Law and our other legal obligations and our legitimate interest in consulting with staff and raising awareness of initiatives and opportunities |
To provide you with employment-related benefits | Necessary for the performance of the employment contract |
To liaise with your pension provider | Necessary for the performance of the employment contract and to comply with Employment Law |
To sponsor international staff to work in the UK | Necessary for the performance of the employment contract and to comply with Employment Law, Immigration Law and the University’s other legal obligations |
To check right-to-work status and support visa applications | Necessary for performance of employment contract. To comply with Employment Law, Immigration Law and the University’s other legal obligations |
To gather evidence for any potential grievance or disciplinary hearings, and to make determinations about those grievances | Necessary for performance of employment contract. To comply with Employment Law, and the legitimate business interests of the University |
To make decisions about your employment or arrangements for the termination of the working relationship | Necessary for performance of employment contract. To comply with Employment Law |
To provide references on request | Necessary for the performance of employment contract or where consent has been given |
To assess suitability and eligibility to undertake work at the University (including pre-employment checks) | Necessary for the University to engage with you on the process of establishing a contract (contractual necessity) and in the University’s legitimate interest |
- When the basis of processing your personal data is a contractual necessity and you do not provide the University with the personal data needed, the University may not be able to process your application or provide you with the employment for which you have been appointed.
Table 2 Examples of How the University Uses Personal Data
Purpose | Legal Basis and Justification |
The University uses information relating to your health to make decisions regarding reasonable adjustments | Processing of health-related data is necessary so that the University can meet its obligations in the field of Employment Law |
The University uses information about your race or ethnicity, religious beliefs, sexual orientation and political opinions to conduct equal opportunities monitoring | Necessary for the University’s legal obligation to deliver a work environment that is inclusive and to comply with Employment Law and other legal obligations |
The University uses information about your criminal convictions, reprimands and cautions where the law allows it to do so, and if it is appropriate given the nature of the role, to assess your suitability to carry out the work for which you are engaged | Processing is necessary for the public interest and so that the University can meet its obligations in Employment Law |
Potential Third-Party Sources of Data Held by the University
- Sometimes the University receives your data from third parties. The following table lists what information the University may receive from them.
Table 3 Potential Third-Party Sources of Data Held by the University
Source | Data the University May Receive From Them |
Home Office (UKVI) | Your immigration status |
Occupational Health Service, GPs/Medical Practitioners | Medical, accessibility related and similar information (the University only obtains this information from third parties if you give it consent to do so) |
Relevant professional body (for example, HEA, FRS, etc.) | Your professional registration status |
University DBS provider | Your criminal record and barred list status |
External Training Providers | Training and development information |
External Assessment Providers | Psychometric testing and assessment outcomes |
Other employment agencies | Personal and contact details, your application and CV |
Former employers | Your previous employment record |
Students (past and present) | Complaints or performance related information |
Potential Recipients of Data Held by the University
- Sometimes the University may need to share your data. The following table gives examples of this kind of data sharing.
Table 4 Potential Recipients of Data Held by the University
Recipient | What Data the University May Share With Them |
Northeastern University | Contact details, employment details, benefit details, immigration details, work plan, performance, salary, conduct, training, development (when required for the performance of employment contract) and health information (for the purpose of fulfilling the University’s duty of care and/or when necessary for the implementation of reasonable adjustments or other support), and disciplinary information (including details related to the investigation, adjudication, and determination or findings of a potential violation of law or policy) |
Line managers | Contact details, employment details, attendance, work plan, performance, salary, conduct, training, development (when required for the performance of employment contract) and health information (for the purpose of fulfilling the University’s duty of care and/or when necessary for the implementation of reasonable adjustments or other support) |
Professional staff | Contact details, employment details, attendance, work plan, performance, salary, conduct, training, development (when required for the performance of employment contract) and health information (for the purpose of fulfilling the University’s duty of care and/or when necessary for the implementation of reasonable adjustments or other support) |
Investigation officers, hearing panel chairs and members, external solicitors, employment tribunals and ACAS | Personal information relating to conduct, performance and employment |
Third-party organisations who process personal data on the University’s behalf, such as training providers, assessment providers, benefits providers (e.g. Oakfields) and employment surveyors | Name, contact and employment details |
Third-party organisations to whom a potential TUPE transfer is being made | Employment contract terms and conditions and associated benefits (full employee liability information) |
Official bodies to which the University is obliged to report, or who may carry out an audit or inspection (for example, UKVI, OFSTED, HESA and OfS, ONS or their agents) | Information supplied as necessary to fulfil the University’s reporting obligations to these bodies. This may include relevant special category data |
Future employers | Personal information relating to conduct, performance and employment, where we are asked for a reference |
Professional development course tutors | Course attendance lists and contact details |
Government agencies such as UK Visa and Immigration Office and the Home Office | Contact details, passport details, salary and other employment basis details for example fixed term or permanent contract status |
University DBS providers | Name and contact details |
University pension providers (e.g. Scottish Widows) | Personal information including contact details and salary and pension contribution details |
HMRC | Contact, pay and benefit details |
Professional regulatory bodies with which you have professionally registered | Contact details, attendance and performance and conduct information |
Internal Audit | Any personal data necessary for continued operation of internal controls and/or for preventing, detecting and investigating suspected fraud or irregularities |
The police (only shared on request and when there is a legal basis for doing so) | Information will be supplied as necessary to fulfil the University’s obligations with respect to the prevention and detection of crime |
Our professional advisors | Information supplied as necessary for the purposes of obtaining legal and/or financial advice |
Potential Geographic Locations for Personal Data Transfer
- Your personal data may be transferred to Northeastern University in the US for the purposes of providing employment or other support services, or for administration of the University and its programmes.
- Personal data may also be transferred outside the UK to third parties providing services to us or by those third parties themselves with our permission. For example, Workday, Inc is an international provider of HR services that may provide services from servers in the United Kingdom or United States. The list of third-party providers is subject to change as the needs of the University change. A current list of these third parties is available from the DPO upon request.
- If any of our processing activities require your personal data to be transferred outside the United Kingdom, we will only make that transfer if:
- the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
- we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient;
- the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
- you explicitly consent to the transfer.
- You can contact us for more information about the safeguards we use to ensure that your personal information is adequately protected in these circumstances (including how to obtain copies of this information).
Personal Data Retention
- The University will only keep your personal data for as long as necessary to fulfil the purposes for which it was collected. Details of retention periods for different aspects of your personal information are available in the University’s Data Protection Policy.
Statutory Rights of Data Subjects
- At any point while we are in possession of or processing your personal data, subject to certain conditions you have the following rights:
- Right of access: you have the right to request a copy of the information that we hold about you. It helps us to find your information if you provide us with the relevant details for the nature of your contact with us.
- Right of rectification: you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten: in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing: where certain conditions apply you can ask us to restrict the processing of your data.
- Right of portability: you have the right to have the data we hold about you transferred to another organisation.
- Right to object: you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling. You also have the right not to be subject to the legal effects of automated processing or profiling.
- Right to data portability: you have the right to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.
- Right of withdrawal of consent: where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
The Data Protection Officer
- The University has appointed a Data Protection Officer.
- Their email address is: dpo@nulondon.ac.uk
- Their postal address is:
- Data Protection Officer
- Northeastern University London
- Devon House
- 58 St Katharine’s Way
- London
- E1W 1LP
Queries & Complaints
- For more information on your rights, if you wish to exercise any right, for any queries you may have, or if you wish to make a complaint, please contact the Data Protection Officer.
Complain to the Information Commissioner
- You have a right to complain to the Information Commissioner’s Office (ICO) about the way in which the University processes your personal data. You can make a complaint via the ICO’s website.
Version History
Title: Privacy Notice for Employees, Job Applicants and Others Working at the University
Approved by: Executive Committee
Location: Academic Handbook/Policies and Procedures/Data Protection
Version Number | Date Approved | Date Published | Owner | Proposed Next Review Date |
24.2.0 | September 2024 | September 2024 | Data Protection Officer | September 2026 |
22.1.1 | April 2023 | April 2023 | Data Protection Officer | September 2023 |
Version numbering system revised March 2023 |
1.0 | August 2021 | August 2021 | Data Protection Officer | September 2023 |
Referenced documents | Data Protection Policy |
External Reference Point(s) | UK Quality Code Theme: Admissions, Recruitment and Widening Access; Information Commissioner’s Office (ICO); ACAS; HMRC; UK Visa and Immigration Office; Home Office; Office for National Statistics (ONS); Office for Students; HESA. |