Employee Privacy Notice

This privacy notice explains how Birmingham City University (BCU) collects, uses and shares your personal data, and your rights in relation to the personal data we hold. Please note this notice is a shortened version, if you would like to view a full copy of the Employee Privacy Notice.

This notice concerns our processing of personal data of our employees, workers and contractors. This notice does not form part of any contract of employment or other contract to provide services. BCU is a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

1. How we collect your information

We collect personal information about employees, workers and contactors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers or other background check agencies, and information from criminal records checks permitted by law. We will also collect additional personal information in the course of job-related activities throughout the period of you working for us.

2. What information does the University collect?

The University may collect a range of information types about you. This includes:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • the terms and conditions of your employment;
  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
  • information about your remuneration, including entitlement to benefits such as pensions or insurance
3. How we use your personal data

BCU needs to process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements if applicable. In some cases, we may need to process data to ensure that we are complying with our legal obligations. For specified positions, it may be necessary to carry out criminal records checks to ensure that individuals are permitted to undertake a particular role. Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations. You have some obligations under your employment contract to provide BCU with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the terms of your employment contract, professional regulatory requirements or under the implied duty of good faith.

4. Who has access to the data?

Your information will be shared internally, including with members of the HR and payroll teams, your line manager, managers in the business area in which you work, and IT staff who will only have access to the data when necessary for the purposes set out in section 3 above, and in line with their job role. BCU may share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers, and obtain necessary criminal records checks from the Disclosure and Barring Service. Data is stored in a range of different places, including in your personal file, in the University’s HR management systems and in other IT systems (including the organisation's email system). Your data may be transferred to countries outside the European Economic Area (EEA) to assist you with country-specific issues such as tax services which could only be dealt with from within that country. The University is also legally required to provide specified data to HESA for regulatory and analytical purposes. Please see the HESA privacy notices. Staff apprentices – We will share your data with training providers and end point assessors (as well as ESFA and potentially OFSTED).

BCU publishes information about researchers and research on its website, available to the general public. The Research Office can be contacted for more information about this.

5. How does the organisation protect data?

The University takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or wrongly disclosed, and is not accessed except by its employees in the performance of their duties. We are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the General Data Protection Regulations. For more information about how the University protects and manages your personal data, a copy of BCU’s Data Protection Policy and Appropriate Policy Document, as well as the Information Security Policy is available on the policies page of the BCU website. Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

6. How long will BCU keep my data?

Your personal data is retained, and securely and permanently destroyed, in accordance with the BCU Retention Schedule. In summary, information relating to your employment contract is retained for six years after your employment contract ends. This includes your personnel file held by Human Resources. However, some medical information and/or health and safety records may be kept for longer periods if required by law.

Research related information is exempt from the data protection principle of purpose and storage limitation and will be processed in accordance with Article 5(b) and 5(e) of UK GDPR.

7. What happens if an employee does not provide personal data?

Employees have some obligations under their employment contract to provide the University with data. In particular, they are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. They may also have to provide the University with data in order to exercise their statutory rights, such as in relation to 8  statutory leave entitlements. Failing to provide the data may mean that employees are unable to exercise their statutory rights.

Certain information, such as contact details,  right to work in the UK and payment details, have to be provided to enable the University to enter a contract of employment with an individual employee. If employees do not provide other information, this will hinder the University's ability to administer the rights and obligations arising because of the employment relationship and ultimately could result in the termination of contract.

8. Your rights

Under the Data Protection laws, you have a number of rights. You can:

  • obtain access to, and copies of, the personal data that we hold about you;
  • request that we cease processing your personal data if the processing is causing you damage or distress;
  • require us not to send you marketing
  • request us to correct the personal data we hold about you if it is incorrect;
  • request us to erase your personal data;
  • request us to restrict our data processing activities;
  • withdraw consent for our processing of your data (this does not affect the lawfulness of our processing based on consent before its withdrawal);
  • receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
  • object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your

Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply.

9. How to exercise my data rights

If you would like to exercise any of your rights, please contact our Data Protection Officer using the following contact details:

By email to: informationmanagement@bcu.ac.uk

By post to: Data Protection Officer
Information Management Team
Birmingham City University
Floor 1, Joseph Priestley Building
6 Cardigan Street
Birmingham B4 7RJ

10. How to ask questions or raise concerns

If you have any questions, comments or concerns about how we use or handle your personal data, please contact the Data Protection Officer using the contact details in section 8 above.

If you are not content with how we handle your information, we would ask you to contact our Data Protection Officer to help you in the first instance. However, you do also have the right to complain directly to the Information Commissioner at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Information about the Information Commissioner is available at www.ico.org.uk.

11. Changes to this privacy notice

This privacy notice may be updated from time to time, so you may wish to check it each time you submit personal information to BCU. The date of the most recent versions will appear on this page (see version control). We encourage you to check our privacy notice from time to time to ensure you understand how your data will be used and to see any minor updates. If material changes are made to the privacy notice; for instance, how we would like to use your personal data, we will provide a more prominent notice (including, for certain services, email notification or correspondence of privacy notice changes).