Information for Colleagues

This document provides information about the use of personal information while you are a colleague, worker, consultant, honorary or emeritus member, associate academic, academic visitor, lay committee member or guest member at Newcastle University. As a colleague (or equivalent) you also have certain legal and contractual responsibilities to protect the personal information of other people (e.g. other colleagues, students, research participants) by handling it appropriately. Relevant policies and guidance are available on the Information Governance website (see the Associated Documents section (Point 1)), and online training is available for colleagues via your University login (see the Associated Documents section (Point 2)).

The University collects, uses (processes) and keeps personal information (data) about you for normal employment purposes. Personal information means any information which relates to or identifies you as an individual. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the University and manage our relationship with you effectively, lawfully and appropriately during the recruitment process, whilst you are working for or with us, at the time when your employment or engagement ends, and after you have left. We are committed to being transparent about how and why we collect and use your information, and to meeting our data protection obligations.

• your name, address and contact details, including email addresses and telephone numbers;
• the terms and conditions of your employment;
• details of your qualifications, skills, experience and employment history, including start and end dates with previous employers and with the University, and your reasons for leaving previous roles;
• clinical details where appropriate, including clinical status, registration, speciality;
• information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
• details of your bank account and national insurance number;
• information about your marital status, next of kin, dependants and emergency contacts;
• information about your nationality and entitlement to work in the UK;
• information about your criminal record, where appropriate;
• details of your schedule (days of work and working hours), attendance at work and any flexible working requests and arrangements;
• details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
• details of any disciplinary, probation, capability, sickness management or grievance investigations and procedures in which you have been involved, including any warnings or cautions issued to you and related correspondence;
• assessments of your performance, including PDRs, performance reviews and ratings, training you have requested or participated in, coaching and mentoring agreements and notes, performance improvement plans and related correspondence;
• information about medical or health conditions, including whether or not you have a disability for which the University needs to make reasonable adjustments;
• details of vehicle for car parking purposes, and your driving licence and insurance if you are expected to drive for work purposes;
• images of you that are captured by our CCTV systems;
• photographs of you for the production of your smartcard or personal profile;
• information on your use of the academic and non-academic facilities and services we offer;
• personal data from the public domain such as publications;
• details of trade union membership for example if you have taken part in industrial action or if your subscription is deducted via the University payroll; and
• equal opportunities monitoring information, including information about your ethnic origin, nationality, gender, gender identity, relationship status, age, sexual orientation, disability, and religion or belief.

The University collects this information in a variety of ways. For example, data is collected directly from you through job application and personal data forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from steps taken by you to enter into a contract such as a pension or salary sacrifice scheme; from updating by you of the Mydetails app; from direct correspondence with you; or through interviews, meetings or other assessments conducted by your manager or other employees of the University for example during our promotion and pay review processes.

In some cases, the University collects personal information about you from third parties, such as references supplied by former employers, information from educational qualification checks, information from employment agencies or consultants who assist in the recruitment process, information from coaches and training providers, information from credit reference agencies and information from criminal records checks permitted by law.

Personal information is stored in a range of different places, including in your personnel file, in the University's management and training systems and in other University IT systems such as the University's email system and the smartcard system.

It is also likely that you will be referred to in many University documents and records that are produced by you or your colleagues in the course of carrying out your duties for the University, and during your employment your work contact details will normally be available online to enable colleagues and external parties to contact you for work related reasons. Many academic units and services also expect colleagues to maintain a publicly available personal profile or webpage.

The University needs to process your information to enter into a contract with you and to meet our obligations under the employment contract. For example, we need to process data such as your personal address and bank details to provide you with an employment contract, to pay you in accordance with your employment contract and to administer any benefit, expenses, pension and insurance entitlements.

In order to ensure that the terms of the employment contract are met, we use your data to:

• run recruitment and promotion processes;
• maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of your contractual and statutory rights;
• to support your training, safety, welfare and religious requirements;
• operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
• operate and keep a record of employee performance management processes
• operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that you are receiving the pay or other benefits to which you are entitled;
• obtain occupational health advice, to ensure that we support and advise you and your manager on fitness for work and wellbeing, make reasonable adjustments if you have a disability, meet our obligations under health and safety law, and ensure that you are receiving the pay or other benefits to which you are entitled;
• operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the University complies with duties in relation to leave entitlement, and to ensure that you are receiving the pay or other benefits to which you are entitled; to deliver facilities (e.g. IT, libraries), services and colleague benefits to you, and where appropriate monitor your use of those facilities in accordance with University policies (e.g. on acceptable use of IT);
• to communicate effectively with you by post, email and phone, including the distribution of relevant newsletters and circulars.

In some cases, the University needs to process data to ensure that we are complying our legal obligations. For example, we need to process your data to:

• check your entitlement to work in the UK;
• deduct tax and national insurance contributions;
•  auto-enrol you into a pension scheme;
• comply with health and safety laws such as reporting accidents or conducting health surveillance;
• to fulfil and monitor our responsibilities under equality legislation;
• compile statistics for statistical monitoring and reporting purposes;
• ensure you take and are paid appropriately for certain periods of leave to which you are entitled;
• carry out criminal records or health checks for certain positions to ensure that you are permitted to undertake the role in question.

In other circumstances we process your data because it is in our legitimate interests as an employer to do so, for example to:

• maintain a safe and secure campus using CCTV and ID cards;
• operate and monitor our promotion and related processes;
• enable career development and succession planning;
• monitor, evaluate and support your research and commercialisation activity where relevant;
• ensure effective general People Services and business administration;
• apply to external funding agencies for project funding;
• provide references on request for current or former employees;
• respond to and defend against legal claims;
• operate governance, audit and quality assurance arrangements;
• compile statistics and returns for benchmarking purposes;
• monitor our processes for consistency and to maintain and promote equality diversity and inclusion in the workplace.

We will not process your data where these interests are overridden by your own interests. Some special categories of personal data, such as information about health or medical conditions, is processed to carry out our legal obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow the University to operate check-off for union subscriptions and to make payroll deductions in the event of strike.

Where the University processes other special categories of personal data, such as information about ethnic origin, sexual orientation, or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the University uses for these purposes is anonymised and is collected with your express consent, which can be withdrawn at any time. You are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

Your data will be shared internally, including with members of the People Services Directorate, payroll and management accounts, line management, managers and administrators in the business area in which you work, and IT and audit colleagues if access to the data is necessary for performance of their roles. If you have opted to be included in the ‘offer an interview scheme’ as part of Disability Confident, we will share this with the shortlisting and interview panel.  The University may share your data with third parties in order to: 

• comply with our legal obligations, such as sharing your information with the HMRC, reporting accidents to the Health and Safety Executive or providing returns to the Higher Education Statistics Agency (see HESA’s statement about the uses made by them of your personal information at on HESA website)
• obtain pre-employment references from other employers;
• obtain necessary criminal records checks from the Disclosure and Barring Service;
• retain your right to work information proving your statutory rights to work in the UK where Identity Document Validation technology (IDVT) is used. The University engages Yoti as our Identity Digital Service Provider (IDSP).  See Yoti’s statement about the uses made by them of your personal information here. 
• apply for a certificate of sponsorship from UK Visas and Immigration;
• provide information to or seek funding from external agencies for projects;
• comply with funder regulations in relation to Bullying and Harassment and Research Misconduct allegations. Please refer to the terms and conditions of the relevant funding awarded;
• provide information to relevant government departments, executive agencies or non-departmental public bodies and Higher Education bodies;
• provide information to any relevant professional or statutory bodies (e.g. General Medical Council);
• share information with any relevant simultaneous employers (e.g. NHS trusts)
• anonymously provide statistical returns for benchmarking purposes;
• provide information legally required in the context of a transfer of undertakings;
• at your request provide employee benefits to you such as pensions, healthcare, travel or salary sacrifice schemes;
• enable companies who provide specific services to or on behalf of the University;
• with your consent seek reports from your GP or consultant;
• provide a reference about you to external enquirers or organisations where you have requested or indicated that we should do so.

On occasion the above types of sharing may involve the transfer of your personal information to countries outside European Economic Area, for example if you are employed or on a placement at another organisation or at one of our campuses in Singapore or Malaysia. Such transfers are usually necessary to meet our contractual obligations with you, and are carried out with appropriate safeguards to ensure the confidentiality and security of your personal information. 

Other than as set out above, we will not normally publish or disclose any personal information about you to other external enquirers or organisations unless you have requested it or consented to it, or unless it is in your vital interests to do so (e.g. in an emergency situation).

The University takes the security of your data seriously. The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Further information including the Information Security and Data Protection Policies can be found on the NUIT website.

Where the University engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate measures to ensure the security of data. 

The University will hold your personnel file for six years following the termination of your employment in accordance with HMRC requirements for pay data and in line with recommended practice. Following this, only basic records, anonymised data, and data required to be kept by legislation will be retained. A detailed breakdown of our data retention periods is available from People Services.

As a ‘data subject’, you have a number of rights. You can:

• access and obtain a copy of your data on request;
• require the University to change incorrect or incomplete data;
• require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
• object to the processing of your data where the University is relying on its legitimate interests as the legal ground for processing; and
• ask the University to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the University's legitimate grounds for processing data.

If you would like to exercise any of these rights, please contact Maureen Wilkinson, Data Protection Officer.

If you believe that the University has not complied with your data protection rights, you can complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

You have some obligations under your employment contract to provide the University with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the University with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights. Certain information, such as contact details, your right to work in the UK and payment details, has to be provided to enable the University to enter a contract of employment with you. If you do not provide other information, this will hinder the University's ability to administer the rights and obligations arising as a result of the employment relationship efficiently. 

Where we are processing data based on your consent, you have the right to withdraw that consent at any time.

Employment decisions are not based solely on automated decision-making.

• Point 1: General Data Protection Legislation Guidance
• Point 2: GDPR Training for colleagues
• Point 3: HESA’s statement about the uses made by them of your personal information
• Point 4: Information Security and Data Protection Policies
• Point 5: Contact for Maureen Wilkinson, Head of Information Governance
• Point 6: Information Commissioner’s Office (ICO)