Staff Privacy Notice

We are committed to protecting the privacy and security of your personal information.

Under data protection law, we are a “data controller”. This means that we hold personal information about you, and are responsible for deciding how we store and use that personal information.

As a data controller, we are legally required to provide certain information to individuals whose personal information we collect, obtain, store and use. That information is contained in this document (our “privacy notice”).

It is important that you read this document (together with any other privacy notices we may provide to you on specific occasions), so that you are aware of how and why we are using your personal information and the rights you have in relation to your personal information.

This Privacy Policy applies to all employees, volunteers, workers, secondees, work experience/placement students, affiliates, consultants, honorary appointment holders, interns and applicants to University positions.

We will comply with data protection law. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date.

5. Kept only as long as necessary for the purposes we have told you about.

6. Kept securely.

As an employee, a volunteer, worker, secondee, work experience/placement student, affiliate, consultant, honorary appointment holder, intern or applicant to a University position, the University we will ask you to provide us with certain personal information relating to you at the outset of you commencing work for us and during the course of your employment/engagement.

Data protection law protects personal information which is essentially any information from which an individual can be identified. There is a type of personal information which receives additional protection because of its sensitive or private nature, this is sometimes referred to as ‘special category personal information’ such as personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.

This information is collected either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies, pension administrator, medical professionals, other employees, the Home Office, the Disclosure and Barring Service, intranet and internet facilities, relevant professional bodies.

The information we will collect during your employment/engagement with us will include:

• your name, address and contact details
• your date of birth
• your gender
• your photo
• your family details
• your education and qualifications
• your skills, experience and membership of professional bodies
• your National Insurance number and tax code
• your emergency contact details and next of kin
• your bank details, payroll details and tax status information
• your salary, annual leave, pension and benefits details
• evidence of your ability to work in the UK, your nationality and immigration status
• your driving license
• information provided about you from your previous employer(s) and other referees
• your employment history
• information collected during the recruitment process that we retain during your employment
• your working terms and conditions (e.g. pay, hours of work, holidays, benefits)
• details of any other offices or appointments or business interests you hold
• any accidents connected with work
• any training you have undertaken
• any disciplinary, grievance or other issues relating to your employment or in relation to which you are able to provide information
• your attendance record and leave taken (e.g. holiday, sickness absence, family leave)
• your performance reviews
• any other personal information you share with us, including lifestyle and social circumstances
• any reasonable adjustment(s) made to your role or your work under the Equality Act 2010
• CCTV footage and any other information obtained through electronic means
• Information about your use of our IT, communication and other systems
• Details of your use of business related social media such as LinkedIn, Twitter, Facebook and Instagram
• Details of any media reports or pieces relating to yourself and/or the University

We use the personal information we hold about you for a number of different purposes, which we list below. Under data protection law we need to have a valid legal basis for using your personal information, we also set out below the legal bases which we will be relying upon.

3.1          We use the personal information we hold about you for the following reasons:

• to comply with and demonstrate compliance with our legal obligations, such as checking you are legally entitled to work in the UK, deducting PAYE and National Insurance contributions, complying with equality legislation and other employment laws
• to prevent fraud
• to comply with corporate responsibility obligations
• to comply with and demonstrate compliance with any regulatory requirements

In these cases, the legal basis that we will be relying upon to process your personal information will be because it is necessary for us to do so to comply with our legal obligations.

3.2          We will also use the personal information we hold about you for the following reasons:

• to comply with and enforce our contract with you and inform you of any changes
• to pay you and provide you with any benefits you are entitled to including pension
• to deal with any disciplinary and grievance issues which may arise relating to you or in respect of which you may be able to provide relevant information
• to record your absences from work and your leave
• to review and manage your performance and development
• to promote our services including academic excellence
• for general employment or contract administration purposes
• to monitor compliance with any of our policies and procedures
• to conduct performance reviews, manage performance and determining performance requirements
• to make decisions about salary reviews and compensation
• to assessing qualifications for a particular job or task, including decisions about promotions
• to gather evidence for possible grievance, conduct or capability hearings
• to make decisions about your continued employment or engagement
• to make arrangements for the termination of our working/honorary relationship
• to ensure appropriate security measures are in place
• to facilitate activities of the University including online teaching and online assessment activities that are carried out by third-party service providers.  Any transfer will be subject to an appropriate, formal agreement between the University and the third party service provider

In each of these cases the legal basis that we will be relying upon to process your personal information will be because it is necessary for the performance of the contract between us or because it is necessary for compliance with a legal obligation

3.3          We will also use the personal information we hold about you for the following reasons:

• To support the NHS Wales Test, Trace Protect service in the event that the contact tracing process is initiated where it is in the public interest to ensure the safety of all of our staff, students and visitors on campus.
• To assess the quality of UK research in line with the Research Excellence Framework (REF). 
• To investigate allegations of research misconduct in line with University procedures. 
• To respond to requests for information from outside organisations, such as HEFCW, HEFCE, HESA, ATHENA Swan and the Welsh Language Commissioner. 
• To keep a an accurate account of meetings in University minutes

In this case the legal basis that we will be relying upon to process your personal information will be because it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or because it is necessary for compliance with a legal obligation

3.4          We will also use the personal information we hold about you for the following reasons:

• For the purpose of recording lectures, meetings, student assessment and examinations Recording of Meetings and Lectures Privacy Notice - Swansea University
• to enable business management and planning, including accounting and auditing
• to assess education, training and development requirements and to promote courses in line with staff development and statutory requirements including the promotion of Welsh language courses to staff.
• to respond to reference requests
• to monitor your use of our information and communication systems
• to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
• for identification purposes and to ensure, as far as is reasonably practicable, the security and safety of all students, staff, visitors and contractors, whilst within or situated on University premises
• to ensure accuracy with the use of personal data on core systems used within the University e.g. Colleague Attendance and RIS
• in case of an emergency or where the University has real concerns over the wellbeing of a member of staff as a result of absence without agreed prior leave and to provide support to employees
• to promote academic/research staff, their research and, by association the University for the Staff Profile System
• to conduct data analytics studies to review and better understand employee retention and attrition rates.
• to enable third party training modules
• to set up an account with iCOM who manage Our Uni Rewards on behalf of the University to ensure that every member of staff is aware of the range of benefits on offer as an employee.
• to provide Safezone with your email address to enable communications to you with regards to registering with the University’s campus safety app.
• To assist in the recording of crime, discipline issues,  health and safety issues, incidents, requirements for security  and the protection of buildings and assets (of Swansea University, of other occupants of the buildings and of their respective staff and visitors). This processing is in the legitimate interests of Swansea University and other occupants in managing their businesses and ensuring the health and safety of their staff, students and visitors.
• to collaborate with organisations of which the University is a member, including by way of example, the Universities’ and Colleges’ Employers Association (UCEA) or with which the University collaborates for the purpose of conducting salary surveys and benchmarking, such as such as Xpert HR
• To enable the University’s Travel Management provider to arrange and book all University business travel requirements.
• To invite you to take part in and inform you about internal and external research activities which we think will be of interest to you.
• To conduct and facilitate ethical approved internal research initiatives using staff data in an anonymised form or aggregated with the data of others (where you will not be identifiable).

In these cases the legal basis that we will be relying upon to process your personal information will be because it is in our legitimate interests. Our specific legitimate interests are:

• to be a fair and reasonable employer in relation to your employment/engagement and our employment/engagement of others and be able to demonstrate good employment practice and/or
• to comply with and demonstrate compliance with our obligations as an employer and/or our policies and procedures relating to employees, volunteers, workers , secondees, work experience/placement students, affiliates, consultants, honorary appointment holders, interns or applicants to a University position and/or
• to ensure public safety including the security and safety of all students and staff, visitors and contractors and the prevention and detection of crime, apprehension and prosecution of offenders and/or
• to enable us to manage the University effectively and efficiently

3.5          Where staff have opted into the SWell Engagement Programme, personal data provided by staff members will be used to monitor environmental impacts, cost efficiencies and sustainability.

• In this case the legal basis that we will be relying upon to process your personal information will be consent.

We will need to keep certain special category personal information in relation to you which might be relevant to your employment, such as your:

• racial or ethnic origins
• political opinions
• religious or philosophical beliefs
• membership of a trade union
• physical or mental health (including details of any disability)
• sexual orientation
• details of any known disability
• commission or alleged commission of any offence, including the results of Disclosure and Barring Service (‘DBS’) checks

We use the special category personal information we hold about you for a number of different purposes, which we list below. Data protection law prohibits us from processing any special category personal information unless we can satisfy at least one of the conditions laid down by data protection law. We also set out below the specific conditions we rely upon when processing special category data.

5.1          We use the special category personal information we hold about you for the following reasons:

• to monitor equality and diversity.

In this case the condition we rely upon for processing the information is to monitor equality and diversity which is necessary for reasons of substantial public interest, namely for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

5.2          We also use the special category personal information we hold about you for the following purposes:

• to comply with and demonstrate compliance with employment law and best practice and any other applicable laws
• to comply and demonstrate compliance with any regulatory requirements
• to deal with any conduct and grievance issues which may arise relating to you or others in respect of which you may be able to provide relevant information
• to record your absences from work and to ensure the safety, health and wellbeing of staff
• to provide you with any health benefits you may be entitled to
• to assess your fitness for work
• to administer your trade union membership
• to make any reasonable adjustments to your role
• to provide relevant anonymised data to outside organisations (e.g. ATHENA Swan, Stonewall etc) to demonstrate University compliance with employment law and best practice
• to enable the administration of pension schemes
• to enable to administration of employee benefit schemes

In these cases, the conditions we rely upon for processing the information are because it is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment law.

5.3          In cases where a claim has been brought against the University or there is a potential risk of a legal dispute or claim we may need to process your special category personal information where it is necessary for the establishment, exercise or defence of legal claims.

5.4          There may be circumstances where we need to process your special category personal information, particularly relating to your health, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent.

5.5        We envisage that we will hold information about criminal convictions.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.

We will only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary for reasons of substantial public interest, namely, preventing or detecting unlawful acts, protecting the public against dishonesty, preventing fraud or suspicion of terrorism or money laundering.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.

5.6      There may be circumstances where we need to process your personal and special category personal information, particularly relating to your health, to be able to manage the health and safety of our staff in the legitimate interests of the University and wider community and in the substantial public interest e.g. Covid 19 pandemic

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

The University will only contact you using your personal contact details e.g. personal telephone number and personal email address where it is absolutely necessary to do so for example in the case of a welfare concern, or where you have provided your personal contact details to another member of staff in the expectation that they will use that information to make contact with you in relation to a work related matter.   Personal contact details will not be shared with anyone else either intentionally or inadvertently (e.g. through use of a group distribution system). And that no confidential information will be sent to personal contact details unless they relate to the recipient and that the medium used is appropriate.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Some of the personal data we request will be because we have a legal or contractual requirement to obtain and use the information or it is necessary for us to obtain the information to be able to enter into a contract with you. An example of this would be under the Immigration, Asylum and Nationality Act 2006 we are required to satisfy ourselves that you have the right to work in the UK. Failure to provide certain information will prevent us from employing or engaging you or from performing the contract we have entered into with you.

We do not carry out any automated decision-making or profiling in relation to you.

Your personal data will be held by the HR department. Your personal data will be shared internally with other individuals and/or departments where this is reasonably necessary for the processing purposes set out in section 2 above. For example, it will be necessary to share some of your personal information with the Finance department in order to pay you and ISS to enable systems access and administration.

From time to time we will need to share your information with external people and organisations. We will only do so where we have a legitimate or legal basis for doing so and in compliance with our obligations under data protection laws.

Your information may be disclosed to:

• Wholly Owned Subsidiaries in connection with contractual obligations

• Her Majesty’s Revenue and Customs (HMRC) in connection with your pay and benefits

• Banks and other financial institutions in connection with your pay and benefits

• Pensions providers for providing and administering your pension

• Payroll provider to enable us to pay you

• Companies and businesses who provide or administer any benefits we offer

• Other Universities, project Collaborators and funders for the purposes of financial administration of a research contract

• Other people who help us they include information technology experts who design and host third party systems such as Marshall Training, Safezone, Our Uni Rewards and JUMP who host our Swell Engagement Programme.

• Our insurers and insurance brokers who provide us with comprehensive cover against the risks of running a business.

• Employment and recruitment agencies and outplacement organisations, for example, Meara Mann

• Professional bodies and regulators including regulatory bodies in order to independently review / investigate a complaint that has been brought to their attention e.g. Office of the Independent Adjudicator (OIA) and the Information Commissioner’s Officer (ICO).

• Our professional advisors including our accountants when they need it to give us their professional advice.

• Occupational Health and other medical professionals including social and welfare organisations to provide us with medical opinions in relation to any medical condition, illness or disability you may have or develop during the course of your employment/engagement

• The Police, local authorities, the courts and any other government authority if they ask us to do so (but only if us doing so is lawful).

• NHS Wales Test, Trace, Protect Service when required to support the contact tracing process.
• Third party service providers who support the University’s provision of online meetings, teaching and assessments. (E.g. Zoom, Testreach and Respondus)

• Other people who make a subject access request, where we are allowed to do so by law.

• Complainants, where this is necessary to respond to any complaints received

• Private investigators

• Debt collection and tracing agents

• Where we are legally obliged to do so, e.g. to comply with a court order

• Prospective employers in response to reference requests

• Educational establishments, examination bodies, course providers in relation to any training you undertake or have undertaken

• Marketing service providers who carry out marketing activities on our behalf

• Your family or representatives

• Funding Councils

• Research funding bodies

• Research Funding Organisations where it is necessary to share information concerning cases of bullying and harassment related to research staff directly involved in a research funded
• Safezone – The University utilises Critical Arc software to enhance its response to incidents and emergencies under our legal duty of care
• ISARR, the Swansea University Security Services reporting system.
• Members of the public in response to a Freedom of Information Request but only where it is in the public interest and does not infringe data protection legislation.
• Personal information may be shared with organisations (including other education providers) with whom we work collaboratively and with other agencies (including the Welsh Government) where there is a requirement on the University to report on outcomes, progression or for equality monitoring purposes.
• Your data will be shared with the University’s appointed Travel Management provider where they will act as a Data Controller of any data you as a traveller, or your travel booker, provide to them.

We do not routinely transfer any of your personal data outside the EU. Any transfers that do occur will be done in line with the UK GDPR.

To make sure we meet our legal data protection and privacy obligations, we only hold on to your information for as long as we actually need it for the purposes we acquired it in the first place.

In most cases, this means we will keep your information for as long as you are employed or engaged by us and for a period of 7 years thereafter. The reason for keeping your personal data for this length of time is to comply with HMRC requirements and because of the fact that some claims can be brought up to 6 years after your employment/engagement ends.] For WEFO funded positions, we are required to retain personal data in line with the relevant WEFO retention schedule. Personal data specifically collected for the purpose of the NHS Wales Test, Trace, Protect Service will be held for 21 days from the date of each separate visit made.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Please refer to our retention policy/schedule https://www.swansea.ac.uk/about-us/compliance/records-management/ for further details

Data protection legislation provides individuals with a number of different rights in relation to their data. These are listed below and apply in certain circumstances:

• Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request data portability of your personal information. In certain circumstances, you may have the right to require that we provide you with an electronic copy of your personal information either for your own use or so that you can share it with another organisation. Where this right applies, you can ask us, where feasible, to transmit your personal data directly to the other party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact:

Digital Services 

7th Floor Faraday Tower

Swansea University

Singleton Park

Swansea

SA2 8PP

Email: dataprotection@swansea.ac.uk

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Where your personal data is processed on the basis of your consent or explicit consent, you have the right to withdraw your consent to the processing at any time. You can do this by emailing the Data Protection Officer at dataprotection@swansea.ac.uk. Any withdrawal of consent will not affect the lawfulness of any processing of your personal data based on consent before the withdrawal is notified.

The University will not be able to enrol you as a member of staff if you refuse to provide the necessary information when based on contract or statutory requirement.

If any of your personal details change during your employment/engagement you should contact a member of the HR Department to notify them and provide them with the updated accurate information.

We review the ways we use your information regularly. In doing so, we may change what kind of information we collect, how we store it, who we share it with and how we act on it.

Consequently, we will need to change this privacy policy from time to time to keep it accurate and up-to-date.

We will keep this policy under regular review to ensure it is accurate and kept up to date. This policy was last updated on 13/8/2020.

Swansea University an institution established by Royal Charter of Singleton Park, Swansea, SA2 8PP

We are the data controller of the information you provide us with. The term “data controller” is a legal phrase used to describe the person or entity that controls the way information is used and processed.

The Information Commissioner’s Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly.

You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. We will always do our very best to solve any problems you may have.

You’re welcome to get in touch with us to discuss your information at any time.

We have appointed a [data protection officer (DPO)to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO at :-

Digital Services

7th Floor Faraday Tower

Swansea University

Singleton Park

Swansea

SA2 8PP

Email: dataprotection@swansea.ac.uk