Information relating to employment
- The University is updating its data protection policies and practices due to the new General Data Protection Regulation (GDPR) which takes effect from 25th May 2018 and Data Protection Act (DPA) 2018.
- As your employer, Liverpool John Moores University (LJMU) needs to hold and process information about you for normal employment purposes. The information we hold and process will be used for management and administrative purposes only, to enable us to run the University and manage our employment relationship with you effectively and lawfully whilst you are working for us and after you leave.
What information does the University collect?
3. The types of information we will collect, store and use about you include:
- your name, address and contact details, including your telephone number, and email address;
- details of your qualifications, skills, experience and employment history;
- evidence of your nationality and eligibility to work in the UK;
- information about your criminal record;
- information about your terms and conditions of employment as detailed in your appointment letter and contract of employment;
- correspondence with or about you, for example letters to you about any changes to your terms and conditions, or with your permission, a letter to your mortgage company confirming your salary;
- information needed for payroll, benefits and expenses purposes such as your bank details, national insurance number and tax status;
- emergency contact details;
- records of holidays, sickness and other absence;
- records of working hours, such as timesheets or flexitime records, overtime records, flexible working requests, post approval requests and allocated workload for academic staff;
- equality monitoring information such as information about your nationality, legal sex, gender identity, ethnic origin, sexual orientation, disability, carer responsibility, marital status, religion or belief;
- information about your health such as reasons for absence, return to work interviews, Occupational Health reports and medical information or records of any meetings held as part of the sickness absence policy;
- records relating to your career history such as job applications, CVs, references, probationary reviews, training records, professional development, PDPR and applications for positions or promotion, exit questionnaires;
- records relating to external work or consultancy activities undertaken and declared under the University’s Exclusivity of Service procedure;
- records relating to any disciplinary, grievance or capability processes involving you (whether or not you were the subject of those proceedings).
4. Most of the information we hold about you will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees.
5. Data will be stored in a range of different places, including your personal file, the University HR information system and in other IT systems, such as the University’s email system.
Why does the University process personal data?
6. The University needs to process data to enter into an employment contract with you and to comply with our contractual obligations, for example, processing your salary payments. It also need to process your data in order to comply with legal obligations, for example, reporting salary and tax data to HMRC or payment of maternity pay.
7. The University also needs to process personal data to pursue its legitimate business interests and for the performance of your employment contract. Processing personal data allows the University to:
- operate recruitment and promotion processes;
- maintain accurate and up-to-date employment records and contact details, including who to contact in an emergency;
- operate and keep a record of disciplinary and grievance processes to manage any conduct issues in the workplace;
- operate and keep a record of performance processes, to plan for career development and workforce management;
- operate and keep a record of absence procedures, to ensure effective management and to ensure employees received the benefits to which they are entitled;
- obtain Occupational Health advice, to ensure that the University complies with its duties in relation to individuals with disabilities and health and safety law;
- operate and keep a record of other types of leave, to ensure effective management and to ensure that the University meets its statutory and contractual obligations;
- provide references on request for current and former employees;
- maintain and promote equality in the workplace.
8. If we process special categories of personal information, such as those relating to your ethnicity, religious beliefs, sexual orientation, or gender identity, we will obtain your explicit consent unless this is not required by law or the information is required to protect your health in an emergency. If we asked for your consent to process a special category of personal data then we would explain the reasons for the request. You do not have to consent and you have the right to withdraw your consent at any time.
9. The University processes emergency contact details under the basis of legitimate interest to ensure that we can protect and support staff members in an emergency situation. However, as you are providing the name and contact details of your emergency contact to us you should inform them that you have passed on their information to us. Emergency contact details are held securely and will not be used for any other purpose than that stated above.
10. The University may monitor computer/telephone/mobile phone usage, as detailed in its Policy on the IT Service Conditions of Use
11. No employment decisions are based on automated decision-making.
Who has access to data?
12. Your information may be shared internally, including with members of HR, Payroll, IT, Finance, Research and Innovation Services (RIS), your line manager, sickness administrators and senior managers when the data is necessary for performing their roles or for University business, one example of this may in the production of grant and project proposals that may include financial information.
13. Where the University contracts with external companies to ensure the effective maintenance of information systems, the external companies do so on the basis of written instructions, are under a duty of confidentiality and must ensure that they have appropriate technical and organisational measures in place to keep the data secure.
14. Depending on your role, you may be referred to on the University intranet, website or other University documents produced by you and your colleagues in the course of carrying out your duties, for example, programme/module handbooks or departmental webpages.
15. We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual obligations, for instance we may need to pass on certain information about you to the relevant pension scheme. The University also shares data with third parties that process data on its behalf, for example the provision of occupational health services. The University shares personal data with HESA to comply with its reporting obligations.
16. We do not send your personal data outside the European Economic Area. If this changes in the future, you will be notified of this and the safeguards in place to protect the security of your data.
How does the University protect data?
17. The University takes the security of your data very seriously, and has internal policies and controls in place to try and ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessible except by its employees in the performance of their duties. For more information, please see the University’s Data Protection Policy.
18. Where the University asks third parties to process data on its behalf, for example Occupational Health or pension providers, they do so on the basis of written instructions, are under a duty of confidentiality and must ensure that they have appropriate technical and organisational measures in place to keep the data secure.
For how long does the University keep data?
19. Your personal data will be stored throughout your employment at the University, and for a period of six years after you have left the University’s employment. Some types of data, such as pensions records, will need to be retained for up to 75 years after you have left. Further information on the University’s approach to record retention can be found in the University’s Records Retention Schedule.
What if you do not provide personal data?
20. Certain information, such as contact details, your eligibility to work in the UK and bank details are required to allow the University to enter into an employment relationship with you.
21. You have certain obligations under your employment contract to provide the University with data. For example, you must report absences from work and you may also have to provide the University with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide that data may mean that you are unable to exercise your statutory rights.
22. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit) or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our staff).
23. As a data subject, under the GDPR and DPA, you have various rights in relation to your personal data. You can:
- access your own data by making a subject access request;
- ask the University to correct any inaccuracies in the data;
- request that we erase your personal data where we are not entitled by law to process it or it is no longer needed for the purpose it was collected;
- request the transfer of your personal information to another party;
- request that processing of your data is restricted;
- challenge our legitimate interests and request that we stop this processing.
25. If you wish to make a subject access request or assert any of the rights detailed above, please contact the Institutional Data Protection Officer using the contact details below.
26. You have the right to be notified in the event of a data security breach concerning your personal data.
27.You have the right to make a complaint to the Information Commissioner if you believe we have not complied with the requirements of the GDPR or DPA with regard to your personal data. You can do this by contacting the Information Commissioners’ Office directly. Further details on your rights and contact details are available at www.ico.org.uk.
The Data Controller and Data Protection Officer
28. Liverpool John Moores University is the controller and processor of data for the purposes of GDPR and DPA.
29. The University’s interim Data Protection Officer is Maria Burquest, Director of Legal and Governance Services, who can be contacted at Secretariat@ljmu.ac.uk or by telephone on 0151 231 3116.
30. Should you wish to contact anyone regarding your personal data or your rights please contact the University’s Data Protection Officer, Maria Burquest, who can be contacted at Secretariat@ljmu.ac.uk or by telephone on 0151 231 3116.
Changes to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.