Privacy notice for Staff

Privacy notice for the staff

This Privacy Notice explains who we are, what personal data we hold, how and why we use your personal data, our lawful bases for processing, who we share your personal data with, relevant retention periods and how you can exercise your privacy rights. Please do read this notice to understand our practices and if you have any questions contact us using the details provided.


Who we are

The Manchester Metropolitan University (‘the University’) is the Data Controller in respect of staff personal data. The University is registered as a Data Controller with the Information Commissioner’s Office (ICO). We manage personal data in accordance with the General Data Protection Regulation (GDPR) and the University’s Data Protection Policy. Throughout this Notice, “University”, “we”, “our” and “us” refers to the Manchester Metropolitan University and “you” and “your” refers to our staff.


The personal data we process

The University processes personal data about current and former members of staff, this includes temporary workers, and external members of staff, such as examiners and assessors. We only collect the personal data that we need. The personal data we process about staff includes:

 We may also process the following "special categories" of more sensitive personal information:


How did the University obtain your data?

We obtain the vast majority of information directly from you as part of the application and recruitment process. We may also obtain information from third parties, such as HM Revenue and Customs, pension scheme providers, employment agencies, the Disclosure and Barring Service, background check providers or referees. We continue to collect additional information about you during your employment or work with us.


The purposes of the processing and lawful basis

We process your data for a number of purposes arising from your employment or work, including appointment (e.g. terms and conditions and payment of salary); staff management (e.g. induction, performance appraisal, management of sickness or other absence, merit schemes); and discipline or grievance processes. These purposes are set out below under the lawful basis upon which we rely to process your personal data. 


Because we have a contract with you or to meet a relevant legal obligation under employment law:

We need to process your data in order to meet our obligations or exercise rights under the contract of employment or other contractual requirements relating to your engagement with the University.


Because we have a legitimate interest:

We process personal data where we believe there we have a legitimate interest which is within your reasonable expectations and involves minimal privacy impact to you for the following purposes:


Some special category data is processed to carry out our legal obligations and exercise specific rights in relation to employment.

We process information about ethnic origin, sexual orientation, religion or belief or trade union membership, offences and alleged offences, criminal offences, gender identification, health information to carry out our employment obligations when we:


Vital interests

On rare occasions, we may need to process and share information about you, including special category information, in the event of an emergency or other high risk because it is in the vital interest of you or another person that we do so, and you are physically or legally unable to give us your consent.


The recipients or categories of recipients of the personal data

We may also disclose your personal data to other organisations in the below circumstances;


Whenever we enter into a data processing arrangement with a third party this is conducted under the terms of a contract, which defines the purpose and limits the use personal data, and introduces information security and confidentiality requirements. 


Data retention

The University does not retain personal data for longer than we need it. We retain personal data in accordance with the retention periods prescribed in the University’s Retention and Disposal Schedule. Many of the retention periods are based upon JISC standards and will be consistent with other higher education institutions. This is a publically available document and is published on the University’s website. In particular, the following retention periods apply to the personal data of University staff:

Sub function


Retention period

Workforce Recruitment


Records gathered during the recruitment process.


This includes initial application, supporting documentation, and information obtained from third parties, i.e. references and DBS checks if applicable.


As part of employee contract records, except information which is not relevant to the ongoing employment relationship.


Unsuccessful applications - Completion of recruitment process + 18 months.


Successful applications, including any subsequent applications - Termination of employment + 6 years.



References provided in confidence in support of an employee's application(s) for employment at another organisation.


Provision of reference + 1 year.

Employee Contract Management


Records documenting the employee's contract(s) of employment, terms and conditions and job descriptions of positions held with the University.

Termination of employment + 6 years.

Records documenting the termination of employment by voluntary resignation, redundancy, retirement (including on medical grounds) or dismissal.


Termination of employment + 6 years

Absence and sickness management


Records relating to the administration of contractual and statutory holiday / leave entitlement (including parental leave or special leave).


Completion of entitlement + 6 years

Records documenting absence due to sickness.

Review 6 years after termination of employment. We retain asbestos absence records for termination of employment + 40 years


Workforce Development

Records documenting training and development needs, and the action taken to meet these needs.


Completion of actions + 5 years

Workforce Performance Management


Records documenting the management of poor performance.


Current year + 3 years

Records documenting disciplinary proceedings against the employee, where employment continues.


Closure of case + 6 years.

Payroll Management


Records documenting the employee’s pay, remuneration and rewards.


Current tax year + 6 years.

Records documenting entitlements to, and calculations of Statutory Maternity Pay and Access to Work payments.


Current Tax Year + 3 years

Records documenting payments and contributions to the pension schemes for its employees.


Termination of employment + 75 years

Health and safety

Records documenting major injuries to an employee arising from accidents in the workplace.


Termination of employment + 40 years


For further information, please see the Retention and Disposal Schedule Page and the Retention and Disposal Schedule Page (Internal only) on the intranet.


Your responsibilities

In order to help maintain our records staff must:

In addition, all staff must comply with the University’s Data Protection Policy in the delivery of their duties.


Your rights in respect of the processing

Data protection legislation provides data subjects with the following data subject rights:

To request to exercise any of these rights please write to: Please note that the above rights can be subject to limitations and exemptions meaning the University may be exempt from complying with your request. We will inform you if this is the case.


Further information

For simplicity we have specific privacy notices for particular areas of service. The following are likely to be relevant to you as a member of university staff:

For further information about data protection and the data subject rights please see: and the Information Governance Intranet Pages.


Contacting us

This privacy noticed is owned by Human Resources. For questions or concerns about this notice or our use of your personal information, please contact in the first instance.

Our Data Protection Officer can also be contacted using, by calling 0161 247 3331 or in writing to: Data Protection Officer, Legal Services, All Saints Building, Manchester Metropolitan University, Manchester, M15 6BH.


Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) as the supervisory authority in respect of the processing of your personal data. We would encourage you to expend our internal complaints procedure through our initial contact and the University Data Protection Officer, prior to contacting the ICO. If you wish to contact the ICO the following contact information can be used: or telephone: 0303 123 1113. For any further contact information please see:

Updates to this privacy notice

We may update this privacy notice from time to time in response to changing legal, technical or business developments. When we update our privacy notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.

Privacy Notices