Use of Special Category Data of Staff Privacy Notice

This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects special category data and criminal offence data in relation to staff. It applies to all contracted members of staff irrespective of role, working location or working pattern.

We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.

You can access our Data Protection Policy here.

1. What personal information do we collect about you?

When you engage with the University in relation to your role, we may collect and retain relevant special category data or criminal offence data about you. This information is used for the purposes set out in Section 3 of this Privacy Notice.

We may process the following categories of special category data about you:

  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person's sex life or sexual orientation
  • Information about spent or unspent criminal convictions and offences

If you choose not to submit any sensitive personal information when requested, we may not be able to continue in the employment process.

For example, if you are applying for a regulated position, you will be required to undertake background checks as part of the application process. If you refuse, we will not be able to proceed with the application.

2. How do we collect your information?

The University may collect special category or criminal convictions data about you through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect sensitive information:

  • Directly from you – when you fill in forms, submit applications, contact us, use our services or attend events
  • Through automated technologies – when undertaking right to work or DBS checks.
  • From third parties – such as government agencies.

3. How do we use your personal data?

The University may process special category or criminal convictions data about you for the following purposes:

  • Monitor equal opportunities
  • Make statutory returns
  • Assess an applicant's or member of staff's fitness to undertake placements
  • Support staff with a declared disability or medical condition
  • Assess the right to work in the UK
  • Meet the requirement to have due regard to the need to prevent people from being drawn into terrorism
  • Processing where the applicant applies for, or staff member engages in, regulated activity or Excepted Professions, Offices, Employments and Occupations under the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975
  • Where the person is subject to disciplinary action

4. The lawful basis we use to process your data

Data protection law sets out reasons for collecting and processing special category data. In this section, we outline the legal bases the University uses.

We will be processing your data under:

  • Article 9(2)(a) Explicit consent
  • Article 9(2)(b) Employment, social security and social protection (if authorised by law)
  • Article 9(2)(c) Vital interests
  • Article 9(2)(g) Reasons of substantial public interest (with a basis in law)
  • Article 9(2)(j) Archiving, research and statistics (with a basis in law)

Where we process Criminal Offence Data, we will rely on:

  • Article 10 Authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects

We have an Appropriate Policy Document in place which records our processing in relation to Special Category Data and Criminal Offence Data. If you are a member of staff, you may access the document here.

5. Who do we share your personal data with?

We may share your sensitive personal data with trusted third-party service providers who act as data processors on our behalf. These partners are Cordell, Cardinus and Midland iTrent, and they support the delivery and operation of occupational health assessments, health and safety reporting and the general storage of staff records. All third parties are required to handle your data securely and in accordance with data protection legislation.

We may also disclose your sensitive personal data where necessary to meet our legal or statutory obligations under the Data Protection Act 2018 and UK GDPR or other relevant employment regulations. This may include sharing information with government departments, regulatory bodies, funding agencies, or law enforcement authorities where disclosure is legally required.

Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.

6. How long do we keep your personal data?

We retain special category data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018 and UK GDPR or other relevant employment regulations.

In relation to University staff, we retain special category data for 7 years after the staff member leaves, in line with our HR retention schedule. In relation to information relating to DBS disclosure and criminal convictions, we retain personal data for six months after checking, in line with our DBS requirements. When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.

7. How do we protect and store your personal information?

We are committed to safeguarding the special category data we process and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with the administration, management and support of staff at the University.

Where personal data is shared with third-party processors, such parties are contractually required to act solely on our instructions, implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act 2018 and UK GDPR.

8. The data controller and further information

Canterbury Christ Church University is the Data Controller for this personal data.

Please click the link below to access further information regarding:

Version control

Title: Use of Special Category Data of Staff Privacy Notice

Process Owner: Head of Data Protection

Department responsible: Governance & Legal Services

Date approved: 8th April 2026

Date of review: 8th April 2028

Date last amended: 8th April 2026
