GDPR Data Protection
Your Data Protection
The General Data Protection Regulation (GDPR) came into effect from 25 May 2018. As an EU Regulation, the new law took effect automatically and when the UK leaves the EU, the GDPR will be incorporated into UK law by the European Union (Withdrawal) Bill. The UK Government has also published the Data Protection Bill, which will supplement GDPR standards in the UK. This means that, even post-Brexit, the University will need to comply with the GDPR.
The GDPR’s data protection principles are similar to those under the Data Protection Act. The University must be able to demonstrate that any personal data we handle is:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and kept up to date where necessary;
- kept for no longer than is necessary where data subjects are identifiable; and
- processed securely and protected against accidental loss, destruction or damage.
How do we protect your personal data?
The University takes the security of your personal data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
Our HR staff have a legal duty to keep Data about you confidential. There are strict codes of conduct in place to keep your Data safe. HR staff abide by the General Data Protection Regulations 2018 and the University’s Data Protection Policy.
We endeavour to ensure that suitable organisational and technical measures are in place to prevent the unlawful or unauthorised processing of your Data and against the accidental loss of or damage to your Data. This includes:
- storing Data on appropriately secure systems;
- training all our staff in their data protection responsibilities;
- working with reputable companies for data processing services who are data protection compliant and who enter into appropriate data sharing agreements; and
- ensuring that appropriate protection is in place when we work with trusted organisations based outside the European Economic Area (EEA)
Key definitions
Term | Definition |
---|---|
Data subject | An individual who is the subject of personal data and, for the purposes of HR related data processing, will usually be an employee, a casual worker or unpaid Visitor. An individual who has died, or who cannot be identified or distinguished from others, does not count as a data subject. |
Data Controller | A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. The University of Southampton is the Data Controller and our registration number with the Information Commissioner’s Office is Z6801020. |
Data Processor | Any person (other than an employee of the data controller) who processes the data on behalf of the data controller. This predominantly refers to third parties outside of the University (e.g. pensions providers or benefits providers such as Computershare or Cyclescheme). |
Data Protection Officer (DPO) | Monitors internal compliance, informs and advises on data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs) and acts as a contact point for data subjects and the supervisory authority. The DPO is independent, an expert in data protection, adequately resourced, and reports to the highest management level. |
Data | Data means information which: (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or (e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d). |
Subject Access Request | An individual is entitled only to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person). Neither are they entitled to information simply because they may be interested in it. It is important to establish whether the information requested falls within the definition of personal data. In most cases, it will be obvious whether the information being requested is personal data, but the ICO has produced separate guidance to help decide in cases where it is unclear: Determining what is personal data (pdf). Please also see the key definitions. Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information. Various exemptions from the right of subject access apply in certain circumstances or to certain types of personal data; see Exemptions. |
Data Breach | A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. |
What is personal data?
Personal data means data which relate to a living individual who can be identified –
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
- and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Personal data is any information relating to a person who can be identified, directly or indirectly, either by an ‘identifier’ such as their name, or an identification number, or by location or online data, or through factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Special categories of personal data and criminal records data
Special rules apply if the University is processing "special categories" of data (this is broadly the same as sensitive personal data under the Data Protection Act 1998). The special categories of data are data that relate to an employee's:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- health;
- sex life or sexual orientation; and
- biometric data.
If the University processes special categories of data, we have to show that one of the specific legal grounds for processing such data applies. The grounds for processing special categories of data under the GDPR that are most likely to be relevant in the employment context are that:
- processing is necessary for carrying out our obligations and exercising rights in the field of employment law, as authorised by national law;
- processing is necessary for the establishment, exercise or defence of legal claims; and
- the employee has given explicit consent to processing for specified purposes.
Personal data relating to criminal convictions and offences is not included in the "special categories" of data, but is subject to similar additional protection.
Criminal records checks are permissible when recruiting for a role which involves working with children or vulnerable adults.
Processing medical records will also remain permissible where they are necessary for preventative or occupational medicine, assessing working capacity, or confirming medical diagnoses.
Lawful basis for processing personal data
There are six grounds for processing personal data under the GDPR. These are that:
- the data subject has consented to processing for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the data subject's request prior to entering into a contract;
- processing is necessary to comply with a legal obligation of the data controller;
- processing is necessary to protect the data subject's vital interests or those of another person;
- processing is necessary for the performance of a task carried out in the public interest; and
- processing is necessary for the purposes of the data controller's legitimate interests (or those of a third party), unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The most relevant of these in relation to HR and the employment context are performance of a contract, compliance with a legal obligation and the legitimate interests of the employer (the University).
Performance of a contract
The University has to process some employee data to perform our obligations to employees and workers under their contracts of employment. For example, to pay our employees, we have to process personal data such as names, working hours and bank account details.
This is also relevant for our processing data in relation to employees' contractual benefits, such as recording details of absences to ensure that employees receive their entitlements under the University’s occupational sick pay scheme.
Compliance with legal obligations
Like any employer, the University has a range of legal obligations relating to our employees. If an employee goes on maternity leave, she has a right to return to work and may be entitled to statutory maternity pay (SMP). We will need to process information about her pay and about the dates on which she starts and finishes maternity leave to make sure we are paying her the SMP to which she is entitled and allowing her to return to work at the appropriate time.
This is also the case in relation to retaining records of disciplinary and grievance proceedings to enable us to comply with, for example, the obligation not to dismiss an employee unfairly. Similarly, the University will have to keep records of employees' worked hours to ensure compliance with the rules on maximum working hours and the national minimum wage.
The employer's legitimate interests
The University may rely on legitimate interests as the legal basis for processing data in some situations where it is necessary to process data but not in connection with the performance of a contract or compliance with a legal obligation.
The University might rely on its legitimate interests as the legal basis for processing where we retain personal data about unsuccessful job applicants for a period in case an applicant makes a complaint about the recruitment process. In this case, it is necessary for us to hold and process data for its legitimate interests in defending a potential legal claim.
The University's legitimate interests would also provide a legal basis for processing personal data in relation to appraisals which are necessary for the University’s interests in maintaining performance standards.
Privacy Notices
Being transparent and providing accessible information to individuals about how employers will use their personal data is a key element of the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice.
The University currently has two Privacy Notices relating to the processing of personal data for HR purposes.
The first relates to new applicants for jobs with the University.
The second relates to successful candidates who have been offered a job with the University.
We are currently working on improving our range of privacy notices to reflect the diverse nature of HR practices that require the collection, processing and retention of personal data.
Retention periods
The University will ensure that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We will:
- review the length of time we keep your personal data;
- consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
Your rights
Data subjects will have the:
- right to be informed about the processing of their personal data;
- right to rectification if their personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within one month);
- right of access to their personal data and supplementary information, and the right to confirmation that their personal data is being processed;
- right to be forgotten by having their personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it (again employers will have to respond without undue delay and within one month of the request);
- right to restrict processing of their personal data, for example, if they consider that processing is unlawful or the data is inaccurate;
- right to data portability of their personal data for their own purposes (they will be allowed to obtain and reuse their data); and
- right to object to the processing of their personal data for direct marketing, scientific or historical research, or statistical purposes.
How do you access your data?
You have control over your personal data and can exercise some of these rights through your logon to the MyHR system and can change, update and delete some of your personal data as you wish.
In certain circumstances you can request your data for reuse for your own purposes across different services.
If you require any further assistance with this please contact: AskHR@soton.ac.uk
Subject Access Requests and Data Breaches
Subject Access Requests
You can use a Subject Access Request to see a copy of the information the University holds about you. You are entitled to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).
However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. For more information, please see the Information Commissioner’s Office (ICO) exemptions.
The information will be provided without delay and within a month of receiving the request. Where requests are complex or numerous, the University is permitted to extend the deadline to three months.
In most circumstances, the information provided will be free of charge. However, the University is permitted to charge a ‘reasonable fee’ when a request is manifestly unfounded, excessive or repetitive. Any fee charged by the University will be based on the administrative cost of providing the information.
Any subject access or freedom of information requests should be addressed in writing to:
The Data Protection Officer
Legal Services
University of Southampton, Highfield
Southampton, SO171BJ
Email: gdpr@soton.ac.uk
Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
The University must report a notifiable breach to the Information Commissioner’s Office without undue delay, but not later than 72 hours after becoming aware of it.
If, at any time, you suspect a data breach may have occurred, please email databreach@soton.ac.uk
Key Contacts
HR Data Lead
If at any stage you are concerned about how your personal data is being used by Human Resources, or if you require any further assistance, please contact us via: AskHR@soton.ac.uk
Data Protection Officer
If you are unhappy with the way that we have handled your data you can contact the University’s Data Protection Officer at:
The Data Protection Officer
Legal Services
University of Southampton, Highfield
Southampton, SO171BJ
Email: gdpr@soton.ac.uk
The University also has additional policies and guidelines concerning particular activities. If you would like further information, please see our Publication Scheme at:
Information Commissioner’s Office
Alternatively, you can contact the Information Commissioner’s Office. See their website at: https://ico.org.uk/.