1. St George’s, University of London
1.1. St George’s, University of London is the data controller of the personal data that you provide us with. The University is committed to ensuring that your information is processed in line with the requirements of UK Data Protection Legislation.
2. What information we collect from you and why
2.1. We process personal information relating to those we employ to work as part of our workforce. It is a necessary requirement of your contract with the University that we maintain a personal record for you, and this contractual requirement constitutes the lawful basis for our using your personal information.
2.2. The type of data being processed falls into the following categories:
- Personal information such as names and addresses, employee number, national insurance number.
- Other contact information such as next of kin and emergency contact details.
- Contract information such as start and end dates, positions, salary and pension information.
- Academic qualifications, language test results where required, names of employment referees.
- Special categories of personal information including protected characteristics such as racial or ethnic origin, disability, gender, gender identification, sexual orientation, religious or philosophical beliefs or trade union membership and the processing of data related to criminal proceedings, if required.
- Grievance, disciplinary and capability proceedings, if required.
- Absence information such as absence periods and absence reasons.
3. How we obtain your information
3.1. Personal information provided by you to the Human Resources Department (HR) in the University is typically entered from recruitment and thereafter, over the course of your employment.
4. Where we store your information
4.1. All Personally Identifiable Information (PII) is held and maintained by HR, predominantly in electronic form. Personal and special categories of personal information are held in electronic and paper files, proprietary systems, and a repository database to feed all internal staff interfaces, for example, to support your pass to enter the building and to enable you to access and post research publications on library registration systems. For these interfaces with our internal systems, we keep your information securely stored on our servers where access is restricted to authorised staff only.
4.2. PII is seldom held in paper form but where it is, it is stored securely in locked cabinets on campus. St George’s, University of London also use managed software services for its electronic staff records. Midland HR Ltd (MHR) is the software provider which provides hosted data servers. Connection to the MHR servers is via industry security standard for authentication using 256 bit encryption to protect the data exchange between St George’s, University of London and MHR.
5. How we share information
5.1. Personal and special categories of information held on our staff personal record systems may be shared in a number of ways, for example:
- HR Records: a personal record is held to identify you and ensure the staff record we hold for you is an accurate, complete and an up to date record. Line managers may have access to personal data that is provided by you including your name, title, position and right to work.
- HR and Payroll Records: to assist the University to maintain its personal record for you and to exercise all payroll responsibilities on managing your employment, your name, title, gender, address, bank account details are provided to payroll for the purposes of making payments to your bank account, making deductions, and processing pensions.
- University Reporting: your personal record is used to provide statistics and management information that will enable the University to monitor the effectiveness of its policies and procedures, for example, for the purposes of pay gap reporting, and by other associated third-party suppliers procured by the University as data processers, to analyse and report on our human resource and payroll data.
- External Reporting: your personal record is used to provide and share your information when asked and required, for example, to supply anonymised information about our staff to external bodies such as the Universities and Colleges Employers Association (UCEA) and Higher Education Statistical Agency (HESA). Staff data about you is sent in an anonymised or pseudonymised form, so that you cannot be identified. Please visit the HESA site for more information about how they use your data. Data provided to UCEA is primarily used for benchmarking purposes, for example the Senior Staff Remuneration Survey. Further information on UCEA publications is available here.
- Third parties: your personal information is provided to third parties, for example, to confirm the dates and nature of your employment to a prospective employer and to outsourced providers that provide services on behalf of the University. Outsourced providers include the provider of the staff/pulse survey, University newsletter, our pensions provider and our Occupational Health provider. Please note that if you provide us with any personal data which is defined as a special category of personal data under UK Data Protection Legislation, then we will not disclose this to any third party for any reason without your consent. For a list of full third party suppliers, please contact firstname.lastname@example.org.
- Safeguarding: we may also send your personal information to third parties, where the law allows it, for example to seek safeguarding disclosures. We will not disclose your personal data to any third party unless we have your permission to do so.
6. Overseas Nationals
6.1. This statement only applies to staff with work visas. As required by UK government legislation we will report on your eligibility to work to UK Visas and Immigration as and when required.
7. How long we keep your information for
7.1. Your sensitive data will only be kept during your employment as a member of the University and thereafter, in accordance with statutory retention periods.
8. Accuracy of information
8.1. We will take all reasonable steps to create an accurate person record of any personal information submitted. However, we do not assume responsibility for the ongoing accuracy of your personal information. You can update your personal information by making amendments to your person record in MyWorkplace, or by emailing us at email@example.com.
9. When you leave
9.1. If you decide to leave employment with us, your personal data is, in most cases, kept for 6 years from the date you leave and with your consent, for longer, for processing requests such as from potential employers. If you were a member of a pension scheme, some information will be kept longer to allow payment of a pension. We will retain your personal data no longer than is necessary for the stated purposes. If you wish to delete your personal information please contact firstname.lastname@example.org.
10. What your rights are
10.1. You have a right to request access to your personal data, to object to the processing of your personal data, to rectify errors or omissions, erase out of date or irrelevant information, restrict and port (ie transfer) your personal data. To request a copy of the personal data we hold for you please contact the Data Protection Officer via email@example.com.
11. How to contact us
11.1. The University‘s Data Protection Officer can be contacted at:
Tel: 020 8725 0668
Address: Data Protection Officer, Information Services, St George’s University of London, Cranmer Terrace, LONDON SW17 0RE.
12. How to make a complaint
12.1. If you are unhappy with the way in which your personal data is being processed you may, in the first instance, lodge a complaint with the Data Protection Officer.
12.2. If you continue to have concerns thereafter you have the right to contact the Information Commissioner for a decision. The Information Commissioner can be contacted as below:
Helpline: 0303 123 1113