Employee Privacy Notice

We collect personal information about employees, workers and contactors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers or other background check agencies, and information from criminal records checks permitted by law. We will also collect additional personal information in the course of job-related activities throughout the period of you working for us.

The University may collect a range of information types about you. This includes:

• your name, address and contact details, including email address and telephone number, date of birth and gender;
• the terms and conditions of your employment;
• details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
• information about your remuneration, including entitlement to benefits such as pensions or insurance

BCU needs to process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements if applicable. In some cases, we may need to process data to ensure that we are complying with our legal obligations. For specified positions, it may be necessary to carry out criminal records checks to ensure that individuals are permitted to undertake a particular role. Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations. You have some obligations under your employment contract to provide BCU with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the terms of your employment contract, professional regulatory requirements or under the implied duty of good faith.

BCU may use artificial intelligence (AI) where it may bring benefits to the university and the university community of students, applicants, enquirers, alumni and staff . Please be assured that BCU will only use AI where it has been assessed as safe and appropriate. BCU makes every effort to ensure that it meets its’ legal obligations under data protection laws when using AI tools in order to protect your personal data.

Employee information may be shared internally to fulfill the purposes of the data processing (see 'How we use your personal data'), including but not limited to members of the HR team, Learning & Development, Health & Safety, Payroll, employee line managers, managers in the business area in which employees work, University Management and specific IT staff. In certain departments, personal phone numbers will be shared within the team in order to facilitate shift rotas or for other similar purposes.

BCU may share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The organisation may also share your data with third parties in the context of a sale of some or all of its business. In these circumstances, BCU will always ensure appropriate controls are in place to ensure your data is safe and is only used if necessary for the allowed purpose, following which it will be permanently deleted on completion of the task.

The University will also share your data, if necessary, with third parties that process data on its behalf or who it has a legal obligation to share with, for example:

• Agency staff

• Assessors

• Auditors

• Business Continuity / Risk and Resilience support services

• Consultants and contractors

• Council for Industry and HE / National Centre for Universities and Businesses (NCUB) – researchers only

• Disclosure and Barring Service and related organisations

• Funding organisations,such as ESFA

• Government department(s) covering universities, and the Office for Students (OfS)

• Health and Safety organisations, security organisations and the supplier of safety app(s)

• Insurance companies

• Ofsted

• Placement providers

• Police

• Public Health England, Public Health Birmingham and Birmingham City Council (usually this is anonymous statistics and personal data would only be shared if it was mandated and there was a lawful basis for it);

• Training providers

• Travel agents (to facilitate travel for work purposes)

• UKRI (for example as part of the REF)

• UKVI (in circumstances where any employee requires visa sponsorship)

• Organisations processing visa applications (for example for work based travel)

• for the provision of benefits including the employee benefit scheme and pensions;

• the provision of occupational health services and staff health and wellbeing services;

• for legal assistance;

• for the investigation of grievances, disciplinaries or similar. This may include sharing personal data with external consultants;

• for individual or team profile analysis;

• suppliers of IT systems, provisions and software, the website and intranet including the electronic workflows;

• in connection with its statutory reporting obligations such as to the Higher Education Statistics Agency (HESA) (Use the search term 'collection notices' for information about how HESA may use your personal data)

• other services including but not limited to library system suppliers

• in the course of its day-to-day business needs, for example when working in collaboration with other organisations to fulfil contracts, to enable placements, to facilitate research etc.

• for business and management monitoring, review, planning and forecasting

A specific example of sharing data with external organisations is that BCU shares personal data with a health cash plan provider (as an non-contractual employment benefit), for staff who are covered in the health cash plan provided by BCU. From June 2026 onwards this is for core staff. BCU relies on the lawful basis of legal obligation for this because the personal data is required to add individuals to the policy in accordance with Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) regulatory requirements and for the purpose of medical underwriting and claims handling. Examples of personal data shared for this purpose are name, date of birth, BCU email address, phone number, home address and gender designated at birth. Please direct any questions about this to BCUrewards@bcu.ac.uk.

BCU publishes information about researchers and research on its website, available to the general public. The Research Office can be contacted for more information about this.

We also share your personal data if we believe someone's life is in danger or we believe we are compelled to by law.

Additionally some departments have departmental staff contact lists of personal contact details in order to facilitate easier contact between staff for work-related purposes, e.g. for short-notice shift swaps etc. Staff are informed at local level if this is the case in their department. They should speak with their line manager if they do not want to provide this information or be part of the list. This may or may not be possible depending on the job role and purpose of personal data sharing.

Data is stored in a range of different places, including in your personal file, in the University's HR management systems and in other IT systems (including the organisation's email system).

Your data may be transferred to countries outside the European Economic Area (EEA). Data is transferred outside the EEA on the basis of one of the following:

• Where the transfer is subject to one or more of the "appropriate safeguards" for international transfers prescribed by applicable law (e.g. standard data protection clauses adopted by the European Commission);
• A European Commission decision provides that the country or territory to which the transfer is made ensures an adequate level of protection; or
• There exists another situation where the transfer is permitted under applicable law (e.g. where we have your explicit consent).

The University takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or wrongly disclosed, and is not accessed except by its employees in the performance of their duties. We are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the General Data Protection Regulations. For more information about how the University protects and manages your personal data, a copy of BCU’s Data Protection Policy and Appropriate Policy Document, as well as the Information Security Policy is available on the policies page of the BCU website. Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Your personal data is retained, and securely and permanently destroyed, in accordance with the BCU Retention Schedule. In summary, information relating to your employment contract is retained for six years after your employment contract ends. This includes your personnel file held by Human Resources. However, some medical information and/or health and safety records may be kept for longer periods if required by law.

Research related information is exempt from the data protection principle of purpose and storage limitation and will be processed in accordance with Article 5(b) and 5(e) of UK GDPR.

Employees have some obligations under their employment contract to provide the University with data. In particular, they are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. They may also have to provide the University with data in order to exercise their statutory rights, such as in relation to 8  statutory leave entitlements. Failing to provide the data may mean that employees are unable to exercise their statutory rights.

Certain information, such as contact details,  right to work in the UK and payment details, have to be provided to enable the University to enter a contract of employment with an individual employee. If employees do not provide other information, this will hinder the University's ability to administer the rights and obligations arising because of the employment relationship and ultimately could result in the termination of contract.