Staff Privacy Notice

This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects personal data in relation to individuals who are, or seek to be, engaged in an appointed role at the University or any affiliated subsidiaries. This Privacy Notice applies to all contracted members of staff irrespective of role, working location or working pattern.

We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.

You can access our Data Protection Policy here.

1) What personal information do we collect about you?

When you engage with the University in relation to an employment relationship or affiliation with us, we collect and retain relevant personal data. This information is used for the purposes set out in Section 3 of this Privacy Notice.

We may process the following categories of personal data about you:

  • your name, address and contact details, including email address, telephone number and date of birth;

  • the terms and conditions of your employment;

  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the University;

  • information about your remuneration, including entitlement to benefits such as pensions;

  • details of your bank account and national insurance number;

  • information about your marital status, next of kin and emergency contacts;

  • information about your nationality and entitlement to work in the UK;

  • information about your criminal record;

  • details of your working pattern, hours and attendance at work;

  • details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;

  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;

  • assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;

  • information about medical or health conditions, including whether or not you have a disability for which the University needs to make reasonable adjustments;

  • details of accidents, incidents and near misses, related to University activities, that you have either reported or been involved in;

  • equal opportunities monitoring information, including information about your gender, ethnic origin, sexual orientation, health and religion or belief;

  • research projects conducted whilst employed with the University along with records of research conducted prior;

  • disclosures of personal relationships with students or other members of staff.

2) How do we collect your information?

The University may collect your personal data through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect your personal information:

  • Directly from you – for example:

      • application forms or CVs;

      • your passport or other identity documents such as your driving licence;

      • forms completed by you at the start of or during employment;

      • correspondence with you;

      • through interviews, meetings or other assessments.

  • Through automated technologies – this occurs when you input information about yourself onto University systems such as:

      • the HR system (StaffSpace);

      • the staff learning system (StaffLearn);

      • the University Accident, Incident and Near Miss reporting system;

      • the Research Repository (Elsevier Pure); or

      • any other systems used in the administration of employee records.

    We may also gather data about your usage of IT systems or the University website.

  • From third parties – in some cases the University may collect personal data about you from third parties, such as references supplied by former employers and information from criminal records checks permitted by law.

3) How do we use your personal data?

The University may process your personal data for the following purposes:

  • To enter into a contract with you and to meet its obligations under the contract.

  • To ensure that the University is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to enable employees to take periods of leave to which they are entitled and to comply with health and safety legislation such as:

      • risk assessment and management strategies;

      • training;

      • health surveillance;

      • compliance assessments;

      • incident management; and

      • personal emergency evacuation plans.

  • To assess risk and conflicts of interest.

  • To deduct tax, National Insurance, Student Loans and court order payments as required.

  • To run recruitment and promotion processes;

  • To maintain accurate and up-to-date employment and associate records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;

  • To provide facilities such as IT services, Library Services and car parking provision;

  • To operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;

  • To operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;

  • To operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;

  • To obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;

  • To operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the University complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;

  • To ensure effective general HR and business administration;

  • To provide references on request for current or former employees;

  • To respond to and defend against legal claims;

  • To maintain and promote equality in the workplace;

  • To manage health and safety in compliance with relevant legislation;

  • To provide emergency notifications, for example confirming campus closure due to inclement weather.

  • To carry out employment law obligations in relation to staff with disabilities.

  • To comply with statutory and regulatory requirements, including those under the Data Protection Act 2018 and UK GDPR and relevant employment legislation.

4) The lawful basis we use to process your data

Data protection law sets out reasons for collecting and processing your personal data. In this section, we outline the legal bases the University uses.

We will be processing your data under:

  • Article 6(1)(a) Consent "the data subject has given consent to the processing of his or her personal data for one or more specific purposes"

We will need to process your personal data under this lawful basis for the following reasons:

  • Offering and providing additional support services such as career advice, counselling services, financial advice and access to sporting activities. The University will seek specific consent where sensitive personal data needs to be obtained to provide a service.

  • Administration of external and internal staff surveys.

  • Additional information you choose to input onto StaffSpace and Elsevier Pure.

You may withdraw your consent at any time. You need not give a reason. To withdraw your consent, contact the relevant service.

  • Article 6(1)(b) Contract "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"

  • Article 6(1)(e) Public Task "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

  • Article 6(1)(f) Legitimate Interests "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"

We will need to process your personal data under this lawful basis for the following reasons:

  • The use of CCTV within University grounds to provide a safe University environment and to facilitate the prevention and detection of crime.

  • The University works with system vendors, external software houses and external consultancy firms to diagnose system issues and enhance system provision. Wherever possible, we will do this work using anonymised data; however, some types of work require using actual data.

We may need to process your data in order to ensure we are complying with our statutory obligations and legal requirements.

  • Article 6(1)(c) Legal obligation "processing is necessary for compliance with a legal obligation to which the controller is subject"

We will need to process your personal data under this lawful basis for the following reasons:

  • Monitoring to ensure we meet our statutory obligations, including those related to diversity, equal opportunities and health and safety.

  • Compliance with law enforcement and regulatory bodies such as passing on details of those involved in fraud or criminal activity.

  • The administration of complaints, disciplinaries or employment tribunals.

  • Recording and reporting accidents, incidents and near misses where there is a legal obligation.

  • To comply with our conditions of registration.

We may need to process your personal data to protect your vital interests or those of another individual.

  • Article 6(1)(d) Vital Interests "processing is necessary in order to protect the vital interests of the data subject or of another natural person"

It will take place only where we cannot process your data under another lawful basis.

Where we process Special Category Data, we will do so under the following legal bases:

  • Article 9(2)(a) Explicit consent

  • Article 9(2)(b) Employment, social security and social protection (if authorised by law)

  • Article 9(2)(g) Reasons of substantial public interest (with a basis in law)

  • Article 9(2)(j) Archiving, research and statistics (with a basis in law)

Where we process Criminal Offence Data, we will rely on:

  • Article 10 Authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects

We have an Appropriate Policy Document in place which records our processing in relation to Special Category Data and Criminal Offence Data. If you are a member of staff, you may access the document here.

5) Who do we share your personal data with?

We may also share your personal data internally, including the People Directorate, payroll, your line manager, associate status sponsor, managers or nominated administrators in the business area in which you work, incident investigators, lead fire wardens and IT staff if access to the data is necessary for performance of their roles.

If you belong to a Staff Network you have agreed, by joining that network, for them to have access to the information you have provided to them. The Network chairs will be responsible for ensuring your data is held securely and in accordance with the legislation.

We may share your personal data with trusted third-party service providers who act as data processors on our behalf to support your employment with us, such as:

  • Previous employers to obtain employment references

  • The Disclosure and Barring Service to obtain necessary criminal record checks

  • Other third parties in connection with payroll, pensions and the provision of benefits

  • Spectrum Life for occupational health services.

  • Halo, to enable staff to log support tickets

The University provides anonymised information to external agencies including, but not limited to, HESA and UCEA.

If you consent to your personal data being shared in a social media post, we will also share your personal data with Hootsuite, our social media management platform. Hootsuite utilises an AI function which supports the creation of social media posts. By choosing to have your personal data posted on University social media, you are consenting to the use of your data in this way.

All third parties are required to handle your data securely and in accordance with data protection legislation.

We may also disclose your personal data where necessary to meet our legal or statutory obligations under the Data Protection Act 2018 and UK GDPR and relevant employment legislation. This may include sharing information with government departments, regulatory bodies, funding agencies, or law enforcement authorities where disclosure is legally required.

Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.

6) How long do we keep your personal data?

We retain personal data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018 and UK GDPR and relevant employment legislation.

To find out how long the University keeps your personal data for employment purposes, please see the University’s People Directorate retention schedule. You can do this by contacting hr@canterbury.ac.uk.

When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.

7) How do we protect and store your personal information?

We are committed to safeguarding the personal data we process and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with the management of staff.

Where personal data is shared with third-party processors, such parties are contractually required to act solely on our instructions, implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act 2018 and UK GDPR.

8) The data controller and further information

Canterbury Christ Church University is the Data Controller for this personal data.

Please click the link below to access further information regarding:

 

Version control

Title: Employee Privacy Notice

Process Owner: Chief People Officer

Department responsible: People Directorate

Date approved: 30th April 2026

Date of review: 30th April 2028

Date last amended: 30th April 2026