How we use your personal information
Murray Edwards College is committed to respecting the privacy of its staff and to ensuring that the personal data that we hold for you is processed in a fair and transparent way in accordance with the Data Protection Act 1998 and the General Data Protection Regulation.
This statement explains how Murray Edwards College ("we" and "our") handles and uses information we collect about our staff ("you" and "your"). For these purposes, "staff" is intended to include employees, workers and casual workers and contractors (e.g. undergraduate supervisors, ad-hoc or temporary catering staff etc.)
The controller for your personal information is Murray Edwards College, University of Cambridge, Huntingdon Road, Cambridge, CB3 0DF. The person responsible for data protection at the time of issue, and the person who is responsible for monitoring compliance with relevant legislation in relation to the protection of personal information, is the Bursar (Rob Hopwood) – email@example.com.
How your data is used by Murray Edwards College
In broad terms, we use your data to manage your employment with the College, including providing you with your remuneration and statutory benefits, managing your role and the performance of it, and supporting you as an employer, as well as fulfilling our statutory obligations relating to your employment.
For most of the personal data we request from you, the legal basis for processing it, unless otherwise stated, is the fulfillment of the contract we hold with you, either a contract of service or a contract for services. We collect this data from you by means of the new joiner form which we ask you to complete at the start of your employment, plus subsequent correspondence with you, such as updates to your personal details or other form to collect relevant details from you when you are engaged to perform services for the college.
In connection with your employment, some of the data we collect and process is so that we can fulfill our statutory legal obligations. This data is collected at the start of your employment and updated during your employment, and include:
- your personal identity and contact details (full name, date of birth, gender, postal address, NI number) to inform HMRC of your employment with us;
- evidence of your right to work in the UK (passport, birth certificate, visa) to comply with immigration law.
The kinds of purposes for which we may use your personal data in order to fulfill the employment contract (or contract for services) or in some cases to comply with legal obligations as employer, fall into the following categories:
*Data marked above and below with an * relate to information most probably provided by you, or created in discussion and agreement with you. Other data and information is generated by the College or, where self-evident, provided by a third party.
- Ensuring that you have the right to work for the College:
- your recruitment documents* and information (including your application documents);
- other data relating to your recruitment (including your offer of employment and related correspondence, references, and any pre-employment assessment of you);
- your nationality and evidence of your right to work in the UK* (e.g. copies of your passport);
- the outcome of a Disclosure and Barring Service (DBS) check on you (where relevant to your role).
- Paying you and providing you with employment benefits:
- personal details* (full name, postal address, NI number, date of birth, gender)
- your bank details*;
- your current and previous salary (and other earnings e.g. maternity pay, allowances), and your tax information;
- your pension scheme and policy details*;
- your personal details such as may be needed to register you for employment benefits* (e.g. gym);
- sickness certificates, to ensure you are paid appropriately for company or statutory sick pay* (basing our processing of such data on condition (b) of Article 9(2) of the GDPR as this may be classed as special category data);
- your car registration for parking in the College car park* (where applicable);
- correspondence between you and the College, and between authorised staff of the College for legitimate processing purposes, relating to your pay and other remuneration, pension and benefits.
- Supporting your employment and/or your performance in your role:
- personal details* (name, contact details (phone, email, both work and personal);
- your current role description and any previous job descriptions;
- your current (and any previous) contracts of employment and related correspondence;
- any occupational health assessments and medical information you provide relating to your ability to carry out your role and any related work requirements you might need*; (we base our processing of such data on condition (h) of Article 9(2) of the GDPR as this may be classed as special category data,);
- any relevant dietary or religious requirements that might dictate your meal or other requirements as part of the College community (we base our processing of such data on condition (a) of Article 9(2) of the GDPR as this may be classed as special category data,);
- your training and development requirements, requests and qualifications*
- any legal undertaking you may be asked to participate in as part of your role.
- online identifiers such as IP address to facilitate remote working.
- Administering HR-related processes, including records of absences and regular appraisals of your performance and, where necessary, investigations or reviews into your conduct or performance:
- a photo of you* for the provision of your College security card and for the staff photo board and in some cases the College website;
- details of your preferred emergency contact* (name, relationship to you and contact details) so that we can contact them in the event that something happens to you or we can’t reach you;
- records of your induction programme and its completion;
- records of your performance appraisals with your line manager;
- records, where applicable, of any investigation or review into your conduct or performance;
- records of Health & Safety matters or incidents so that the College can comply with its obligations under Health & Safety law and can maintain a safe and healthy working environment;
- records of roles you might undertake on behalf of the College e.g. in the capacity of First Aider;
- records of absences from work (including but not limited to annual leave entitlement, sickness leave, parental leave and compassionate leave)
- correspondence between you and the College, and between members and staff of the College, regarding any matters relating to your employment and related issues (including but not limited to changes to duties, responsibilities, benefits, your retirement, resignation or exit from College, personal and professional references provided by College to you or a third party at your request).
- Ensuring that you are suitable for certain positions of trust.
- For certain posts, we may use the Disclosure and Barring Services (DBS) / Disclosure Scotland to help assess your suitability for a position of trust. If this is the case, we will make this clear to you. Certificate and status check information is only used for this specific purpose, and we comply fully with the DBS code of Practice regarding the correct use, handling, storage, retention and destruction of certificates and certificate information, recognising that it is a criminal offence to pass this information on to anyone who is not entitled to receive it.
- Disclosing personal information about you to external organisations, as permitted or required by law
- e.g. submissions to the Office of National Statistics
- e.g. the police, should you be involved in criminal activity or a criminal investigation
In a small number of cases, we exercise our legitimate organisational interest in collecting and/or processing data. This might include records of your use or take-up of any benefit schemes provided by us to enable us to monitor to review the effectiveness of these benefits and ensure that benefit schemes represent good value for money (both to you and us) and that you do not overuse your entitlements.
On rare occasions we might monitor social networking sites to ensure compliance with an agreed plan with employees, such as a homeworking agreement but we would only do so if we had informed you in advance that we might do this. In almost all other regards we would not monitor social media sites for any personal data relating to you, but, if aspects of these are brought to our attention and give rise to concerns about your conduct, we may need to consider them. Our social media guidelines are available in the staff handbook. We also operate CCTV on our College site which will capture footage. Our CCTV Code of Practice is available here.
Please let us know of any concerns or queries you may have relating to any of these purposes, or to how we communicate with you.
Who we share your data with
We share relevant personal data with our sub-contracting agents and with relevant government regulatory bodies (e.g. HMRC or the Office of National Statistics).
We also share your relevant personal details with benefits providers e.g. your pension provider.
We also share personal identification details (your name and date of birth) with the University of Cambridge and/or its component institutions, for example in order to register you with its Information Systems department for an IT account, or to give you access both to the College library and to the University of Cambridge Library.
We may also liaise with the University’s Training department and likewise with any third party trainers, including on occasions your name and role details, to provide you with training related to your role.
We also share employment related details on a non-identifiable basis with professional advisors, and with inter-collegiate bodies to assess and monitor fair grading, remuneration and employment approach.
Employment related data may be shared, again on an anonymous non-identifiable basis and often in aggregated format, with external bodies for the purposes of monitoring equal opportunities.
Information is not shared with other third parties without your written consent, other than your name, role and employment contact details which are made publically available. Generally, personal data is not shared outside of the European Economic Area.
How we store your data
We hold all information for the duration of your employment and thereafter for up to 12 months in electronic and hard copy. Hard copy information is stored in locked cupboards or cabinets and in locked rooms. Data in electronic format is stored under password protection.
After an initial 12 months we hold personal data on electronic and hard copy archive generally for no more than 10 years after your relationship with the College ends. We reserve the right to retain the personal data longer than the periods stated above where it becomes apparent that there is a need to do so (for example, in the event of a major health or personal injury incident, records may need to be kept for up to 40 years).
Details we hold would be:
- personal details, including name and your preferred personal contact details* (if we still have these);
- your previous salaries and other earnings, pensions and the amounts you have paid in statutory taxes;
- records of your performance appraisals with your line manager;
- absence and attendance records
- records, where they exist, of any investigation or review into your conduct or performance;
- your reasons for leaving and any related correspondence;
- any references we have written subsequent to your employment with us;
- roles held within College (in certain instances members may be asked to approve the retention of their data for other reasons, for example archival records of College history).
You have the right: to ask us for access to, rectification or erasure of your data; to restrict processing (pending correction or deletion); and to ask for the transfer of your data electronically to a third party (data portability). Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them. Failure to provide the information reasonably requested of you may result in disciplinary action taken by the College, which could ultimately lead to your dismissal from employment. You retain the right at all times to lodge a complaint about our management of your personal data with the Information Commissioner’s Office at https://ico.org.uk/concerns/
Last updated: May 2018, HR