Privacy Notice for Employees

Information you need to know

Liverpool John Moores University (LJMU) deals with all personal information in a responsible manner that respects personal privacy. The University is registered as a Data Controller with the Information Commissioner’s Office (ICO) and is responsible under the principles of the General Data Protection Regulations (GDPR), for the use of personal data you submit to us.

Liverpool John Moores University is in most cases the Data Controller of its employee’s data.

Our Data Protection Officer can be contacted at DPO@ljmu.ac.uk

LJMU takes your privacy very seriously.  This privacy notice explains how we use your personal information and your rights regarding that information. We are committed to being transparent about how we collect and use your data and to meeting our data protection obligations.

As your employer, Liverpool John Moores University (LJMU) needs to hold and process information about you for normal employment purposes.  The information we hold and process will be used for management and administrative purposes only, to enable us to run the University and manage our employment relationship with you effectively and lawfully. This Privacy Notice applies when you are employed by us, are working for us, if you undertake a secondment hosted elsewhere and after you leave.

What information are we collecting?

The types of information we will collect, store and use about you include:

  • your name, address and contact details, including your telephone number, and email address;
  • details of your qualifications, skills, experience and employment history;
  • evidence of your nationality and eligibility to work in the UK;
  • information about your criminal record;
  • information about your terms and conditions of employment as detailed in your appointment letter and contract of employment;
  • correspondence with or about you, for example, letters to you about any changes to your terms and conditions, or with your permission, a letter to your mortgage company confirming your salary;
  • information needed for payroll, benefits and expenses purposes such as your bank details, national insurance number and tax status;
  • emergency contact details;
  • records of holidays, sickness and other absence;
  • records of working hours, such as timesheets or flexitime records, overtime records, flexible working requests, post-approval requests and allocated workload for academic staff;
  • equality monitoring information such as information about your nationality, legal sex, gender identity, ethnic origin, sexual orientation, disability, carer responsibility, marital status, religion or belief;
  • information about your health such as reasons for absence, return to work interviews, Occupational Health reports and medical information or records of any meetings held as part of the sickness absence policy;
  • records relating to your career history such as job applications, CVs, references, probationary reviews, training records, professional development, PDPR and applications for positions or promotion, exit questionnaires;
  • records relating to external work or consultancy activities undertaken and declared under the University’s Exclusivity of Service procedure;
  • records relating to any disciplinary, grievance or capability processes involving you (whether or not you were the subject of those proceedings).

Most of the information we hold about you will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees.

Data will be stored in a range of different places, including your personal file, the University HR information system and in other IT systems, such as the University’s email system.

Why are we collecting your data and what is the legal basis for this?

The GDPR requires that we only use or process your personal data with specific legal basis, as set out in Article 6.

The University needs to process data to enter into an employment contract with you and to comply with our contractual obligations, (GDPR Article 6 (b)) for example, processing your salary payments. LJMU also need to process your data in order to comply with legal obligations (GDPR Article 6 (c)), for example, reporting salary and tax data to HMRC or payment of maternity pay.

The University needs to process employee’s personal data to pursue its legitimate business interests (GDPR Article 6(f)) in addition to ensuring the performance of your employment contract.  Processing personal data allows the University to:

  • operate recruitment and promotion processes;
  • maintain accurate and up-to-date employment records and contact details, including who to contact in an emergency;
  • operate and keep a record of disciplinary and grievance processes to manage any conduct issues in the workplace;
  • operate and keep a record of performance processes, to plan for career development and workforce management;
  • operate and keep a record of absence procedures, to ensure effective management and to ensure employees received the benefits to which they are entitled;
  • obtain Occupational Health advice, to ensure that the University complies with its duties in relation to individuals with disabilities and health and safety law;
  • operate and keep a record of other types of leave, to ensure effective management and to ensure that the University meets its statutory and contractual obligations;
  • provide references on request for current and former employees;
  • maintain and promote equality in the workplace. 

If we process special categories of personal data, such as those relating to your ethnicity, religious beliefs, trade union membership, sexual orientation, or gender identity, we will obtain your explicit consent unless this is not required by law or the information is required to protect your health in an emergency (GDPR Article 6 (d)). Article 9 of the GDPR sets out some of the other reasons we are able to use your special category personal data. If we asked for your consent to process a special category of personal data, then we would explain the reasons for the request.  You do not have to consent to such use, and you have the right to withdraw your consent at any time, by contacting the Data Protection Officer.

The University processes emergency contact details under the basis of legitimate interest to ensure that we can protect and support staff members in an emergency situation. However, as you are providing the name and contact details of your emergency contact to us you should inform them that you have passed on their information to us. Emergency contact details are held securely and will not be used for any other purpose than that stated above.

The University may monitor computer/telephone/mobile phone usage, as detailed in its Policy on the IT Service Conditions of Use

Who has access to this data?

Your information may be shared internally, including with members of HR, Payroll, IT, Finance, Research and Innovation Services (RIS), your line manager, sickness administrators and senior managers when the data is necessary for performing their roles or for University business, one example of this may in the production of grant and project proposals that may include financial information.

Where the University contracts with external companies to ensure the effective maintenance of information systems, the external companies do so on the basis of written instructions, are under a duty of confidentiality and must ensure that they have appropriate technical and organisational measures in place to keep the data secure

Depending on your role, you may be referred to on the University intranet, website or other University documents produced by you and your colleagues in the course of carrying out your duties, for example, programme/module handbooks, departmental webpages and staff profiles. Please contact the communications team if you have any concerns about content on the university websites which constitutes your personal data. You should discuss any staff profiles and pictures with the research team.

We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual obligations, for instance, we may need to pass on certain information about you to the relevant pension scheme. The University also shares data with third parties that process data on its behalf, for example, the provision of occupational health services.  The University shares personal data with HESA to comply with its reporting obligations and to provide statistical returns to HESA as part of benchmarking exercises.  Details on how HESA processes your personal data are set out in the HESA Staff Data Collection Notice.

Where an LJMU employee is undertaking a secondment hosted by another organisation, we will retain all of your employee records, however, we will need to share some of your data with the host organisation. This may include your identity and contact details, your right to work in the UK, your emergency contacts, details of health issues requiring adjustments to your work place and equality and diversity information.

European Structural and Investment Funded (ESIF) Projects

LJMU participates with outside partners in a number of projects each year that are financed in part through either the European Regional Development Fund or European Social Fund. This can mean that the salaries of our staff participating in the project will be funded in part by the Government, and we need to tell them what we are doing and allow them to audit and evaluate the project.

If your contract becomes financed by such Government funding we will write to you to tell you more details of the arrangement and how long it will continue for.

In addition to our usual use of your personal data, we may be asked to provide information, including your name and details of your salary to Government departments. We do this because it is a legal obligation of obtaining this funding. When this occurs, the Government, through the Ministry of Communities and Local Government, or the Department of Work and Pensions will become the data controller of this information. In turn, they may be required to share it with the European Commission, and other independent third parties for the purposes of audit and evaluation. 

How does the University protect your data?

The University takes the security of your data very seriously, and has internal policies and controls in place to try and ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessible except by its employees in the performance of their duties.  For more information, please see the University’s Data Protection Policy.

Where the University asks third parties to process data on its behalf, for example, Occupational Health or pension providers, they do so based on written instructions, are under a duty of confidentiality and must ensure that they have appropriate technical and organisational measures in place to keep the data secure.

How long does the University keep your data?

Your personal data will be stored throughout your employment at the University, and for a period of six years after you have left the University’s employment.  Some types of data, such as pension records, will need to be retained for up to 75 years after you have left. Further information on the University’s approach to record retention can be found in the University’s Records Retention Schedule.

Your rights

As a data subject, under the GDPR and DPA, you have various rights in relation to your personal data. You can:

  • access your own data by making a subject access request;
  • ask the University to correct any inaccuracies in the data;
  • request that we erase your personal data where we are not entitled by law to process it or it is no longer needed for the purpose it was collected;
  • request the transfer of your personal information to another party;
  • request that processing of your data is restricted;
  • challenge our legitimate interests and request that we stop this processing.

In most situations, we will not rely on your consent as a lawful basis for processing your data.  If we do request your consent to process your data for a specific purpose, you have the right to withdraw that consent at any time.  This will not affect the lawfulness of processing before your consent was withdrawn.

If you wish to make a subject access request or assert any of the rights detailed above, please contact the Institutional Data Protection Officer using the contact details below.

If you would like to exercise any of these rights, please contact the Data Protection Officer: DPO@ljmu.ac.uk.

What if you do not provide data?

Certain information, such as contact details, your eligibility to work in the UK and bank details are required to allow the University to enter into an employment relationship with you.

You have certain obligations under your employment contract to provide the University with data. For example, you must report absences from work and you may also have to provide the University with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements.  Failing to provide that data may mean that you are unable to exercise your statutory rights.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit) or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our staff).

Transfers of data outside the EAA

Generally, we do not send your personal data outside the European Economic Area. Where we transfer the personal information we collect about you to countries outside the EU in order to perform our contract with you/or a contract with another organisation that requires your personal data i.e. a collaboration agreement with a University based outside of the EU. We ensure that your personal information does receive an adequate level of protection and we have put in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection, for example, model contractual clauses, data sharing/data processing agreement and binding corporate rules (where applicable).

Automated decision making

No employment decisions are based on automated decision-making.

How to complain to the Information Commissioner’s Office?

You have the right to complain to The Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations.  The Information Commissioner can be contacted:

By post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF.

By telephone:  0303 123 1113.

By email: contact can be made by accessing www.ico.org.uk

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.