Staff privacy notice

This page provides information about how the University of Birmingham processes personal data relating its employees, staff, workers and contractors. It supplements the page on our website ‘Data Protection – How the University Uses Your Data’.

This notice applies to current and former employees, workers and contractors.  Staff in a wider sense are also covered by this notice, including honorary and emeritus staff as well as staff who are seconded into the University and others who work for the University in the capacity of a volunteer or intern. The word “staff” on this page covers all these.

It is important that the personal information we hold about you is accurate and current. Please keep your personal information updated during your working relationship with us.

How does this privacy notice relate to other privacy notices?

Applicants for jobs at the University are informed how their data will be used in relation to the application process and how, if they are successful, that data forms the basis of the staff record.

The information set out here applies to the processing of your personal data by the University.  If another organisation is to be a ‘data controller’ of your personal data (for example, if you register for a benefit provided by another organisation), they will explain this when you apply or when you provide the data as well as how they will use your personal data.

What personal data will be processed?

The University processes a range of information about you. This includes, as appropriate: 

  • Your name and contact details and other personal details such as your date of birth, information about your marital status, next of kin, dependants and emergency contacts;
  • Your application and information provided as part of the application process, for example, references;
  • Your University employee number;
  • Immigration and right to work status information (for example, visa details, passport details);
  • Details relating to your current employment or engagement  at the University including role title, line manager, campus, organisation, College, School, budget centre, role category and group, working hours, staff type, contract type, grade, the terms and conditions of your employment or engagement;
  • Details of your schedule (days of work and working hours) and attendance and hours at work including time sheets for hourly paid staff;
  • Details relating to any previous employment at the University;
  • Details of your qualifications, skills, registrations, experience with previous employers (including references) and with the University;
  • Information about your remuneration, including salary point, salary, pay history, pay slips and P60 information, annual review history and proposed and actual adjustments to pay;
  • Tax status, including where relevant results of HMRC employment status check and tax code;
  • Details of any interest in and connection with any intermediary through which your services are supplied;
  • Entitlement to benefits including pensions;
  • Information relating to optional benefits and associated deductions to salary including salary sacrifice;
  • Correspondence and other information relating to access to staff support facilities and wellbeing services;
  • Details of your bank account;
  • Probation objectives and plans and outcomes;
  • Data relating to you which is generated as part of the day-to-day activities you carry out as part of your University role, for example, meetings you attend, advice you give, correspondence (including emails you send and receive), your attendance on campus in some university buildings (e.g. where there is swipe in/out access, or sign in/out) etc
  • Details of periods of leave taken by you, including holiday, sickness absence (and see below), family leave, medical appointments, sabbaticals and other types of leave and, and the reasons for the leave;
  • Performance development review records including objectives, appraisal and development plans, any assessments of your performance, performance improvement plans and related correspondence;
  • Training and development data including training plans, attendance and related dates, accreditations and certificates;
  • Performance related awards and justifications;
  • Promotions and internal appointments including applications, CV, academic and professional references, moderation reports, panel decision and outcomes;
  • Length of service information and associated recognition (gifts);
  • Health and safety related incidents and reports related to you;
  • Workforce planning and organisational structure data related to individuals, including you, and their roles;
  • Business cases relating to any personal market pay reviews and associated pay;
  • Consultation information and related correspondence relating to any redundancy processes and restructures to which you may have been subject;
  • Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • Details relating to any declarations made by you about outside work interests or conflicts of interest;
  • Details relating to any gifts and hospitality you may have received of your role;
  • Car registration and insurance details and car parking data (if relevant);
  • Correspondence relating to your resignations and other leaver processes;
  • Your use of a University credit card use (where applicable);
  • General information and responses relating to employee, worker or contractor and management queries and cases;
  • Where applicable, details recorded by any University devices you use with GPS tracking facilities, such as iTrack;
  • Data captured by the University’s CCTV systems;
  • Clinical staff only - Clinical contract details, registration body number, status and information, honorary organisation, speciality and information shared between the honorary organisation and the University for the purpose of managing the contract of employment in accordance with the principle of joint working to integrate separate responsibilities.

Some of the data about you that we need to process is classed as ‘special category’ or sensitive personal data.  These are:

  • Information about your race or ethnicity, religious beliefs, philosophical beliefs, sexual orientation and political opinions;
  • Trade union membership and associated salary deductions
  • Information about your health, namely:
    • Information regarding your health and medical conditions disclosed by you in the recruitment process or during your employment/engagement;
    • Information regarding disabilities and associated reasonable adjustments;
    • Vaccinations and other medical-related information, relevant to your post;
    • Information regarding pregnancy and maternity;
    • Details of any absences on sick leave;
    • Where you leave employment and the reason for leaving is related to your health; 
    • Information about a medical condition needed for pensions purposes and the records relating to that decision and 
    • If necessary, where there has been an outbreak of a pandemic, such as Covid-19, confirmation of a positive or negative Covid-19 test result. 

Criminal convictions:The University may hold and process data about criminal offences and convictions if it is appropriate given the nature of your role. Where appropriate, the University may have collected information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you or a third party, such as the Police in the course of you working for us. We will use information about criminal convictions and offences in the following ways:

  • To comply with employment and other laws;
  • Consider suitability for employment or continued employment; or
  • Consideration of safeguarding issues.

We will only use information relating to criminal convictions where the law allows us to do so and in line with our Data Protection Policy. Personal data relating to criminal convictions will be retained confidentially and securely and access to that data will be strictly controlled.

The University collects your personal information in a variety of ways. For example, data is collected through application forms, CVs or resumes; on-boarding forms, from your passport or other identity documents such as your driving licence, from forms completed by you at the start of or during employment or engagement (such as benefit nomination forms), from correspondence with you, or through interviews, meetings or other assessments.

In some cases, the University collects personal data about you from third parties, such as references supplied by former employers or academics or health monitoring services (for example, for radiation exposure).

Your personal data is held both electronically and in paper format and is stored in a range of different places, including in your personnel file, in the University's HR management systems, spreadsheets, health and safety record systems, local College and departmental management filing systems and in other IT systems (including the University’s email system).

In addition to the core employment/engagement related processes referenced above, information relating to your employment/engagement and role at the University is shared between the core HR system and other key business systems that support the running and administration of the University. These systems include:

  • Finance systems;
  • Research management and accounting systems;
  • IT identity management;
  • Library systems;
  • Sport centre systems;
  • Workforce planning systems;
  • Timetabling systems and student administration systems;
  • Rostering systems;
  • Workplace access systems;
  • Workload allocation system;
  • University ID card system.

When using video conferencing applications such as Zoom or Microsoft Teams, your name, user name, email address, your computer’s IP address, MAC address and device name may be collected.

What is the purpose of the processing?

The University will process your data for the following purposes: 

  • To maintain accurate and up-to-date employment/engagement records and contact details (including details of who to contact in the event of an emergency - we will assume that you have obtained consent from those individuals before you supply their contact details to us) and records of contractual and statutory rights;
  • To pay employees, workers and contractors;
  • To administer pensions;
  • To ensure staff are receiving the pay or other benefits to which they are entitled
  • To run promotion processes;
  • To obtain Occupational Health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees’ health is not adversely affected by their work in the University, and that they are fit for the duties which are assigned to them;
  • To check, when necessary, that staff are eligible to work with children, patients and other vulnerable individuals;
  • To operate and keep a record of absence and absence management procedures for effective workforce management and to ensure that employees, workers and contractors are receiving the pay or other benefits to which they are entitled;
  • To operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
  • To operate and keep training and development plans to support workforce and personal development;
  • To operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  • To operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave) for effective workforce management and to ensure that the organisation complies with duties in relation to leave entitlement;
  • To manage and develop the University’s business, including ensuring effective HR and business administration;
  • To carry out senior staff remuneration surveys and conduct analysis on senior staff pay gaps;
  • To process reports to Governmental or regulatory bodies such as HESA or the Office for Students;
  • To provide information to accrediting organisations, such as Athena Swan;
  • To provide references on request for current and former employees;
  • To respond to and defend against legal claims;
  • To maintain and promote equality in the workplace;
  • To facilitate internal day to day communications relevant to your employment with the University;
  • To fulfil and monitor our legal responsibilities, for example, under equalities, immigration and health and safety legislation (including in relation to a pandemic) .

Some special categories of personal data about health or medical conditions, are processed so the University can carry out its obligations and exercise its rights, and so you can carry out your obligations and exercise your rights under employment law (such as those in relation to staff with disabilities and for health and safety purposes).  For example, the University will use information about your physical or mental health or disability status to:

  • ensure your health and safety in the workplace;
  • assess your fitness to work;
  • provide appropriate workplace adjustments;
  • monitor and manage sickness absence;
  • comply with our legal obligations (including managing the workforce in relation to a pandemic;
  • manage the employment contract; and
  • to administer benefits including statutory sick pay, statutory maternity pay and pensions.

Video conferencing applications

When using video conferencing applications, such as Zoom and Microsoft Teams, personal data such as your IP address and device name may collected by the companies who own these applications in order to schedule and create a record of meetings, improve and tailor your experience when using these applications. Where video conferencing applications are used to record meetings, personal data captured within the recording are stored within the cloud service owned by that company. Where recording is taking place, you will be notified at the beginning of or as you enter the recording session.

Data held and used by the University are compliant with GDPR. Personal data stored by a service provider within the cloud may be stored outside of the European Economic Area. 

What is the legal basis of the processing?

We consider the processing of your personal data for these purposes to be necessary for:

  • the performance of our contractual obligations with you (for example, to provide you with a contract, to pay you in accordance with your  contract and to administer benefit and pension entitlements) and your contractual obligations to us, and to enable both you and the University to exercise rights under our contract;
  • to comply with our legal obligations (for example, to check your entitlement to work in the UK, to deduct tax, to comply with health and safety laws, to enable you to take periods of leave to which you are entitled, equal opportunities monitoring) or regulatory obligations (for example, reporting to Government or governmental bodies);
  • the performance of tasks we carry out in the public interest (for example, teaching and research);

The legitimate interests of the University or external organisations (for example, to enable your access to external services).

We will only process your special category data with your explicit consent or if it is necessary:

  • For the purposes of you and/or the University carrying out its or your obligations/rights in the field of employment providing appropriate safeguards are in place to protect your  fundamental rights and the interests;
  • For the establishment, exercise or defence of legal claims;
  • Very occasionally, when it is needed to protect your or another person’s vital interests and you are not capable of giving your consent (for example, in an emergency);
  • When you have already made the information public;
  • For reasons of substantial public interest; or
  • Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

If we require your consent for any specific use of your personal data, we will collect it at the appropriate time, explaining why we are collecting the data and how we will use it, and you can withdraw this at any time. 

Who will your personal data be shared with?

Within the University, your data is shared with only those University staff who need access to deliver and support the purposes described above. 

Your personal data is shared with a range of external organisations as is necessary for the purposes set out above and as permitted or required by law,  including the following:

  • Previous employers, individual referees and external peers, to obtain references;
  • The Disclosure and Barring Service, to obtain necessary criminal records checks when required (see ‘Criminal Convictions’ above);
  •  The trustees or scheme managers of pension providers in connection with the administration of pension arrangements, to manage your participation in any pension arrangement operated by the University);
  • Organisations with which the University collaborates in order to deliver its teaching and conduct its research or support its students or staff, for example, the providers of any external or collaborative learning, training, research, placements or fieldwork, the Guild of Students, as  appropriate;
  • Universities and Colleges Employers Association;
  • The Higher Education Statistics Agency (HESA explains how it will use your personal data in its statement published at  This will include reporting special category data you have provided (for example,  relating to your ethnicity, sexuality, disability etc); 
  • Relevant Government Departments (for example,  Home Office, Foreign and Commonwealth Office);
  • Relevant executive agencies or non-departmental public bodies (for example,  UK Visas and Immigration, HM Revenue and Customs, the Health and Safety Executive, Public Health England);
  • Relevant Higher Education bodies (for example,  the Office for Students, UK Research and Innovation, Universities and Colleges Admissions Service, Office for Fair Access, Office of the Independent Adjudicator);
  • Organisations which accredit programmes or award quality marks;
  • Individuals, companies or organisations providing specific services to, or on behalf of, the University;
  • Any relevant professional or statutory regulatory bodies (for example,  General Medical Council);
  • Clinical staff only - we share data with NHS Trusts for staff who have honorary contracts in those organisations, or for other transactions between the University and/or the NHS Trust and/or you.  We also share data with the Medical Schools Council and the Dental Schools Concil to enable them to monitor trends in clinical academic staffing.

We ensure we have appropriate data sharing agreements in place before sharing your personal data with any other data controllers.

There may be occasions when the University will provide or ask for information from third parties with your consent, for example, relating to Occupational Health referrals, GP reports, specialist reports and other health-related interventions relating to your role.

Your personal data is shared as is necessary, on a considered and confidential basis, with several external organisations which assist the University with processing data, for example, with payroll, pension administration, benefits provision and administration and IT services.  These organisations act on our behalf in accordance with our instructions and do not process your data for any purpose over and above what we have asked them to do.  We make sure we have appropriate contracts in place with them.  Sometimes your personal data is processed by these organisations outside the European Economic Area (for example, because they use a cloud-based system with servers based outside the EEA), and if so, we make sure that appropriate safeguards are in place to ensure the confidentiality and security of your personal data. 

We do not share your data with external organisations for marketing their products or services. We do not sell your personal data to third parties under any circumstances, or permit third parties to sell on the data we have shared with them.

How long is your data kept?

The University currently holds staff data indefinitely.  However, we are in the process of transferring staff records to a new system (New Core) which will include data retention principles, with different periods of retention for different types of data.  As soon as this is live, which is due to happen in 2019, we will update this page and include a link to the data retention schedule.

Your rights in relation to your data

Details about your rights are set out on the website page ‘Data Protection – How the University Uses Your Data’.  This also explains how to ask any questions you may have about how your personal data is used, exercise any of your rights or complain about the way your data is being handled.

Are changes made to this webpage?

This webpage is effective from 14 May 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified by email or as appropriate.