The University of Southampton

Data Protection

This webpage sets out how the University collects, holds and processes the personal data of our employees for HR and payroll purposes, their rights regarding their data and provides key contact information for queries relating to personal data issues.

This webpage refers mainly to personal data relating to employees of the University, but the same principles apply to personal data relating to other data subjects within the HR area of responsibility such as job applicants, casual workers and unpaid Visitors.

This webpage has a particular focus on processing personal data for HR and payroll purposes.

You can find more information on the University’s governance of Data Protection, Freedom of Information and Data Breaches on the Corporate Governance Data Protection and Freedom of Information webpage.

Your Data Protection

The General Data Protection Regulation (GDPR) came into effect from 25 May 2018. As an EU Regulation, the new law took effect automatically and when the UK leaves the EU, the GDPR will be incorporated into UK law by the European Union (Withdrawal) Bill. The UK Government has also published the UK Data Protection Act 2018, which will supplement GDPR standards in the UK. This means that, even post-Brexit, the University will need to comply with the GDPR.

The GDPR’s data protection principles are similar to those under the old UK Data Protection Act 1998. The University must be able to demonstrate that any personal data we handle is:

  • processed lawfully, fairly and transparently;
  • collected for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary;
  • accurate and kept up to date where necessary;
  • kept for no longer than is necessary where data subjects are identifiable; and
  • processed securely and protected against accidental loss, destruction or damage

How do we protect your personal data?

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

Southampton HR staff have a legal duty to keep Data about you confidential. There are strict codes of conduct in place to keep your Data safe. HR staff abide by the General Data Protection Regulations 2018, the UK Data Protection Act 2018 and the University’s Data Protection Policy.

We endeavour to ensure that suitable organisational and technical measures are in place to prevent the unlawful or unauthorised processing of your Data and against the accidental loss of or damage to your Data. This includes:

  • storing Data on appropriately secure systems;
  • training all our staff in their data protection responsibilities;
  • working with reputable companies for data processing services who are data protection compliant and who enter into appropriate data sharing agreements; and
  • ensuring that appropriate protection is in place when we work with trusted organisations based outside the European Economic Area (EEA)

Key definitions

Term Definition
Data subject

An individual who is the subject of personal data and, for the purposes of HR related data processing will usually be an employee, a casual worker or unpaid Visitor.

An individual who has died, or who cannot be identified or distinguished from others, does not count as a data subject.

Data Controller

A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

The University of Southampton is the Data Controller and our registration number with the Information Commissioner’s Office is Z6801020.

Data Processor

Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

This predominantly refers to third parties outside of the University (e.g. pensions providers or benefits providers such as Computershare or Cyclescheme)

Data Protection Officer (DPO)

Will monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

The DPO is independent, an expert in data protection, adequately resourced, and reports to the highest management level.

Data

Data means information which –

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

Subject Access Request

An individual is entitled only to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person). Neither are they entitled to information simply because they may be interested in it. It is important to establish whether the information requested falls within the definition of personal data. In most cases, it will be obvious whether the information being requested is personal data, but the ICO has produced separate guidance to help decide in cases where it is unclear: Determining what is personal data (pdf). Please also see the key definitions.

Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information.

Various exemptions from the right of subject access apply in certain circumstances or to certain types of personal data; see Exemptions.

Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

What is personal data?

Personal data means data which relate to a living individual who can be identified –

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
  • and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Personal data is any information relating to a person who can be identified, directly or indirectly, either by an ‘identifier’ such as their name, or an identification number, or by location or online data, or through factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special categories of personal data and criminal records data

Special rules apply if the University is processing "special categories" of data (this is broadly the same as sensitive personal data under the Data Protection Act 1998). The special categories of data are data that relate to an employee's:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • health;
  • sex life or sexual orientation; and
  • biometric data

If the University processes special categories of data, we have to show that one of the specific legal grounds for processing such data applies. The grounds for processing special categories of data under the GDPR that are most likely to be relevant in the employment context are that:

  • processing is necessary for carrying out our obligations and exercising rights in the field of employment law, as authorised by national law;
  • processing is necessary for the establishment, exercise or defence of legal claims; and
  • the employee has given explicit consent to processing for specified purposes.

Personal data relating to criminal convictions and offences is not included in the "special categories" of data, but is subject to similar additional protection.

Criminal records checks are permissible when recruiting for a role which involves working with children or vulnerable adults.

Processing medical records will also remain permissible where they are necessary for preventative or occupational medicine, assessing working capacity, or confirming medical diagnoses.

Lawful basis for processing personal data

There are six grounds for processing personal data under the GDPR. These are that:

  • the data subject has consented to processing for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the data subject's request prior to entering into a contract;
  • processing is necessary to comply with a legal obligation of the data controller;
  • processing is necessary to protect the data subject's vital interests or those of another person;
  • processing is necessary for the performance of a task carried out in the public interest; and
  • processing is necessary for the purposes of the data controller's legitimate interests (or those of a third party), unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject

The most relevant of these in relation to HR and the employment context are performance of a contract, compliance with a legal obligation and the legitimate interests of the employer (the University).

Performance of a contract

The University has to process some employee data to perform our obligations to employees and workers under their contracts of employment. For example, to pay our employees, we have to process personal data such as names, working hours and bank account details.

This is also relevant for our processing data in relation to employees' contractual benefits, such as recording details of absences to ensure that employees receive their entitlements under the University’s occupational sick pay scheme.

Compliance with legal obligations

Like any employer, the University has a range of legal obligations relating to our employees. If an employee goes on maternity leave, she has a right to return to work and may be entitled to statutory maternity pay (SMP). We will need to process information about her pay and about the dates on which she starts and finishes maternity leave to make sure we are paying her the SMP to which she is entitled and allowing her to return to work at the appropriate time.

This is also the case in relation to retaining records of disciplinary and grievance proceedings to enable us to comply with, for example, the obligation not to dismiss an employee unfairly. Similarly, the University will have to keep records of employees' worked hours to ensure compliance with the rules on maximum working hours and the national minimum wage.

The employer's legitimate interests

The University may rely on legitimate interests as the legal basis for processing data in some situations where it is necessary to process data but not in connection with the performance of a contract or compliance with a legal obligation.

The University might rely on its legitimate interests as the legal basis for processing where we retain personal data about unsuccessful job applicants for a period in case an applicant makes a complaint about the recruitment process. In this case, it is necessary for us to hold and process data for our legitimate interests in defending a potential legal claim.

The University's legitimate interests would also provide a legal basis for processing personal data in relation to appraisals which are necessary for the University’s interests in maintaining performance standards.

Privacy Notices

Being transparent and providing accessible information to individuals about how employers will use their personal data is a key element of the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice.

The University currently has four Privacy Notices relating to the processing of personal data for HR purposes.

Privacy Notice Recruitment - Applicant stage

Privacy Notice Recruitment - Employee stage

Privacy Notice - UniWorkforce

Privacy Notice - Visitors

Privacy Notice - Royalties

Privacy Notice - ERE Promotion and Re-Banding

We are currently working on improving our range of privacy notices to reflect the diverse nature of HR practices that require the collection, processing and retention of personal data.

Retention periods

The General Data Protection Regulations require the University to retain personal data no longer than is necessary for the purpose it was obtained for.

This section should be read in conjunction with the University's Data Protection Policy and Finance Policy 4 – Retention of Financial and Associated Legal Documents for all payroll and pensions retention purposes. That document provides the University’s Finance policy position.

The University will ensure that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We will:

  • review the length of time we keep your personal data;
  • consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it;
  • securely delete information that is no longer needed for this purpose or these purposes; and
  • update, archive or securely delete information if it goes out of date

The University's core HR document retention schedule sets out the University’s planned retention schedule for HR, payroll and pensions related documents.

Guidance for Managers – retention of local records

You must make sure that you have taken appropriate measures to ensure the security of the documents (and copies of the documents) your staff may have provided you with. When not being used, you must ensure that they are safely secured.

Be mindful that the supporting documents you receive from individuals are likely to include significant amounts of their personal data (be it job applications, fit for work certificates or documents relating to their appraisal or performance reviews).

Records relating to recruitment

Document Type Retention
Applications (all applicants) Primary record held and retained in eRecruit. No local retention required. Securely and confidentially dispose after recruitment completed
Applications (successful candidate)
References

Interview notes

Remember that your notes may form part of the successful candidate's permanent employment record. Make sure that your written comments are factual, fair and non-discriminatory.

Store securely* for 12 months and then securely and confidentially dispose
Evidence of right to work Primary document must be returned to the candidate. Copies must be forwarded to Recruitment. Do not retain local copies
Proof of educational qualifications where required for the position
Professional registration (if applicable)
Health data - medical clearance (if applicable)
DBS and criminal records data (if applicable)
Sensitive personal data (i.e. gender, race, sexual orientation etc.) Line managers should not see this data, but if supplied in error, ensure primary document is forwarded to Recruitment. Do not retain local copies
Health data (i.e. occupational health report for reasonable adjustments if applicable) Store securely* for duration of employment or until obsolete and then securely and confidentially dispose
Appointment offer details Primary record held and retained in eRecruit. No local retention required. Securely and confidentially dispose after recruitment completed

* Store securely - lockable cupboards or drawers, or in password protected folders if stored electronically

Records relating to employees

You will need to make sure any locally held records are stored securely (either password protected or in lockable cabinets/drawers etc. with restricted access).

Document Retention period
Induction You can securely store local HR/payroll data (including performance/appraisal, absence management data etc.) relating to current employees for the lifetime of their employment followed by up to 6 years (plus current) for HMRC/tax purposes (but recognise that in certain circumstances, data can be legitimately disposed sooner than that – e.g. timesheets – please refer to the above retention schedule for details)

You must confidentially dispose of local employment records for former employees if they left more than 7 years ago.

Probation
Appraisal / performance review (PPDR)
Performance management (i.e. capability, disciplinary, grievances etc.)
Health data - fit notes Primary document must be returned to the employee. Copies must be forwarded to HR. Do not retain local copies.
Health data - maternity, adoption, shared parental or paternity related paperwork
Health data - occupational health report for reasonable adjustments, if applicable Store securely* for duration of employment or until obsolete and then securely and confidentially dispose.

Queries relating to these periods should be addressed to AskHR@soton.ac.uk in the first instance or in writing to:

The Data Protection Officer

Legal Services

University of Southampton, Highfield

Southampton, SO171BJ

Your rights

Data subjects will have the:

  • right to be informed about the processing of their personal data;
  • right to rectification if their personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within one month);
  • right of access to their personal data and supplementary information, and the right to confirmation that their personal data is being processed;
  • right to be forgotten by having their personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it (again employers will have to respond without undue delay and within one month of the request);
  • right to restrict processing of their personal data, for example, if they consider that processing is unlawful or the data is inaccurate;
  • right to data portability of their personal data for their own purposes (they will be allowed to obtain and reuse their data); and
  • right to object to the processing of their personal data for direct marketing, scientific or historical research, or statistical purposes

How do you access your data?

You have control over your personal data and can exercise some of these rights through your logon to various HR systems and can change, update and delete some of your personal data as you wish.

Job applicants - can access and manage all their personal data via the e-Recruit portal. Queries regarding this, including difficulty accessing self-service, should be directed to recruitment@southampton.ac.uk in the first instance.

Current employees - can access some of their personal data via MyHR, specifically:

  • Current and previous appointment details and dates
  • Pay slips and P60s (they can derive their salary information from these)
  • Legal Gender
  • Some details related to HESA
  • Registered interests
  • Absence information
  • Current and past appraisals

In addition, current employees can amend the following personal data themselves via MyHR:

  • Middle names, ‘known as’ names and previous surnames
  • Contact details (home address, phone numbers, email address)
  • Emergency contact details
  • Equal Opportunities; Marital Status, Ethnic Origin, Religion, Sexual orientation and Disability
  • Nature of Previous Employment
  • Current appraisals

Queries regarding this, including difficulty accessing self-service, should be directed to AskHR@soton.ac.uk in the first instance.

Workers engaged via UniWorkforce - will need to direct their queries directly to the UniWorkforce team at Uniworkforce@soton.ac.uk as they do not have access to MyHR.

Managers – can access and (in some cases) manage personal data for staff in their direct line management hierarchy via MyHR relating to:

  • Appointment details and history (e.g. post title, hours of work, position status, contract dates, location, level etc.)
  • Email and mobile number (if provided by the employee)
  • Registered interests
  • Appraisal information

In certain circumstances you can request your data for reuse for your own purposes across different services.

We recognise that not all personal data actions can be made via self-service and that in some circumstances employees or their line managers may need to request access to personal data via HR colleagues. HR staff take the security of your personal data seriously and will take appropriate and proportionate steps to maintain the protection of your data and your rights, including:

  • Encouraging queries to be raised to HR via ServiceNow tickets which are protected behind your personal user ID and password
  • Asking you a number of random security questions to verify your identity if the query has been raised by means other than ServiceNow (e.g. telephone or email)
  • Confirming the purpose for the request to help ensure that the disclosure of the data is compliant with the lawful reasons for processing data under the General Data Protection Regulations

HR colleagues will not normally be able to disclose personal data to anyone other than you or (in some circumstances) a manager in your direct management chain (as recorded in the HR System) without your express written consent.

In cases of Police investigation or fraud investigation (by the Department for Work and Pensions), the University is required to provide all requested information, which may include an employee’s personal data. In such cases, consent from you is not required.

If you require any further assistance with this please contact: AskHR@soton.ac.uk

Subject Access Requests and Data Breaches

Subject Access Requests

You can use a Subject Access Request to see a copy of the information the University holds about you. You are entitled to be:

  • told whether any personal data is being processed;
  • given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; and
  • given a copy of the information comprising the data; and given details of the source of the data (where this is available)

However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. For more information, please see the Information Commissioner’s Office (ICO) exemptions.

The information will be provided without delay and within a month of receiving the request. Where requests are complex or numerous, the University is permitted to extend the deadline to three months.

In most circumstances, the information provided will be free of charge. However, the University is permitted to charge a ‘reasonable fee’ when a request is manifestly unfounded, excessive or repetitive. Any fee charged by the University will be based on the administrative cost of providing the information.

Any subject access or freedom of information requests should be submitted via this Subject Access Request Form

Or in writing, addressed to:

The Data Protection Officer

Legal Services

University of Southampton, Highfield

Southampton, SO171BJ

Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Personal data breaches can include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data

The University must report a notifiable breach to the Information Commissioner’s Office without undue delay, but not later than 72 hours after becoming aware of it.

If, at any time, you suspect a data breach may have occurred please report it via this Data Breach incident report form

Key Contacts

HR Data Lead

If at any stage you are concerned about how your personal data is being used by Human Resources or if you require any further assistance, please contact us via: AskHR@soton.ac.uk

Data Protection Officer

If you are unhappy with the way that we have handled your data you can contact the University’s Data Protection Officer via:

This ServiceNow web form

or in writing, addressed to:

The Data Protection Officer

Legal Services

University of Southampton, Highfield

Southampton, SO171BJ

The University also has additional policies and guidelines concerning particular activities. If you would like further information please see our Publication Scheme at:

http://www.southampton.ac.uk/about/governance/regulations-policies-guidelines.page#publication_scheme

The University's Governance Data Protection, Freedom of Information and Data Breach webpage

Information Commissioner’s Office

Alternatively, you can contact the Information Commissioner’s Office. See their website at: https://ico.org.uk/.