Data Protection Statement for Staff

How we use your personal information

This statement explains how Wolfson College (“we” and “our”) handles and uses information we collect about our staff (“you” and “your”). For these purposes, “staff” is intended to include employees, workers and casual workers and contractors (e.g. undergraduate supervisors, ad-hoc or temporary maintenance, kitchen or catering staff etc.) In broad terms, we use your data to manage your employment with the College, including your role and the performance of it, how we support you as an employer, and how you are paid, as well as other statutory requirements.

The controller for your personal data is Wolfson College, Cambridge CB3 9BB. The Data Protection Officer for the College is the Office of Intercollegiate Services Ltd (OIS LTD.) [12B King’s Parade, Cambridge; 01223 768745;]. OIS Ltd. should be contacted if you have any concerns about how the College is managing your personal information, or if you require advice on how to exercise your rights as outlined in this statement. The person within the College otherwise responsible for data protection at the time of issue, and the person who is responsible for monitoring compliance with relevant legislation in relation to the protection of personal data, is the Bursar.

Unless otherwise stated, the legal basis for processing your personal data is that it is necessary for the performance of the employment contract we hold with you, or for statutory purposes (e.g. processing your monthly salary, tax and pension contributions).

How your data is used by the College

Your data is used by us for a number of purposes, including:

A. supporting your employment and your performance in your role:

Personal data includes:
i) * personal details, including name, contact details (phone, email, postal, both work and personal) and photograph;
ii) your current and any previous role descriptions;
iii) your current and any previous contracts of employment and related correspondence;
iv) any occupational health assessments and medical information you have provided, and related work requirements;
v) * your training and development qualifications, requests and requirements.

B. ensuring that you have the right to work for the College: Personal data includes:
i) * your recruitment information (including your original application form and associated information submitted at that time);
ii) other data relating to your recruitment (including your offer of employment and related correspondence, references we took up on your appointment, and any pre-employment assessment of you);
iii) * evidence of your right to work in the UK (e.g. copies of your passport).

C. paying and rewarding you for your work:

Personal data includes:
i) * your bank details;
ii) * details of your preferred pension scheme;
iii) your current and previous salary and other earnings (e.g. maternity pay, overtime), and the amounts you have paid in statutory taxes
iv) correspondence between you and the College, and between members and staff of the College, relating to your pay, pension, benefits and other remuneration.

D. administering HR-related processes, including records of absences and regular appraisals of your performance and, where necessary, investigations or reviews into your conduct or performance:

Personal data includes:
i) * records of your induction programme and its completion;
ii) * records of your annual reviews with your line manager;
iii) records, where they exist, of any investigation or review into your conduct or performance;
iv) records of absences from work (including but not limited to annual leave entitlement, sickness leave, parental leave and compassionate leave)
v) correspondence between you and the College, and between members and staff of the College, regarding any matters relating to your employment and any related issues (including but not limited to changes to duties, responsibilities and benefits, your retirement, resignation or exit from the College and personal and professional references provided by the College to you or a third party at your request).

E. maintaining an emergency contact point for you: Personal data includes details of your preferred emergency contact, including their name, relationship to you and their contact details.*

F. monitoring equality and diversity within the College: Personal data includes information relating to your age, nationality, gender, religion or beliefs, sexual orientation and ethnicity.*

G. disclosing personal information about you to external organisations, as permitted or required by law.

If you have concerns or queries about any of these purposes, or how we communicate with you, please contact us.

Data marked with an * relate to information provided by you, or created in discussion and agreement with you. Other data and information is generated by the College or, where self-evident, provided by a third party.

We also operate CCTV on our site, which will capture footage. Our CCTV policy is currently being finalised and will be published online shortly. In the meantime, any queries should be directed to the Bursar.

The XPlan Door Security System controls door access, and will by its nature record around College, though this is not its primary purpose. Like all data we store, this information is kept confidentially. 

We also operate wifi across our sites, which can be accessed by members of the College and guests. We retain device information (such as physical MAC address and IP address) and details of the IP address the device connected to. The data is retained for 2 years.

Please contact the IT Department if you have questions about the Xplan system or the wifi system.

For certain posts, we may use the Disclosure and Barring Services (DBS) and Disclosure Scotland to help assess your suitability for certain positions of trust. If this is the case, we will make this clear to you in separate correspondence. Certificate and status check information is only used for this specific purpose, and we comply fully with the DBS code of Practice regarding the correct use, handling, storage, retention and destruction of certificates and certificate information. We recognise that it is a criminal offence to pass this information on to anyone who is not entitled to receive it.

Who we share your data with

We would normally publish (on our website and elsewhere) your name, your email, your College contact phone number, and in some cases basic biographical information relating to your post and (if you have provided one) your photograph.

We share your personal information where necessary and appropriate across the collegiate University. The University and its partners (including all of the Colleges) have a data sharing protocol to govern the sharing of personal information of the College’s staff. This is necessary because they are distinct legal entities. The parties may share any of the above categories of personal information, and the agreement can be viewed in full.

We share relevant personal data with your pension scheme, insurance scheme and health scheme, and with relevant government agencies (e.g. HMRC). Information is not shared with other third parties without your written consent, other than your name, role and employment contact details which are made publicly available. Generally, personal data are not shared outside of the European Economic Area.

We hold all information for the duration of your employment and for no more than twelve months after the end of your employment. After that time, we retain a small subset of personal data for up to seven years after your relationship with the College ends:

I* personal details, including name and your preferred personal contact details (if we still have these);
II your previous salaries and other earnings, pensions and the amounts you have paid in statutory taxes;
III records of your performance appraisals with your line manager;
III records, where they exist, of any investigation or review into your conduct or performance;
IV your reasons for leaving and any related correspondence;
V any references we have written subsequent to your employment with us.

Those marked with an * relate to information provided by you, or created in discussion and agreement with you.

We reserve the right to retain the personal data longer than the periods stated above, where it becomes apparent that there is a need to do so – for example, in the event of a major health or personal injury incident, records may need to be kept for up to forty years.

We then store in a permanent archive:
i) your full name and title;
ii) your job title(s) and the corresponding dates of employment.

Your rights

You have the right: to ask us for access to, rectification or erasure of your data; to restrict processing (pending correction or deletion); and to ask for the transfer of your data electronically to a third party (data portability). Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

Failure to provide the information reasonably requested of you may result in disciplinary action taken by the College, which could ultimately lead to your dismissal from employment.

You retain the right at all times to lodge a complaint about our management of your personal data with the Information Commissioner’s Office.

Updated: December 2019