Components

This Privacy Notice explains who we are, what personal data we hold, how and why we use your personal data, our lawful bases for processing, who we share your personal data with, relevant retention periods and how you can exercise your privacy rights. Please do read this notice to understand our practices and if you have any questions contact us using the details provided.

Who we are

The Manchester Metropolitan University (‘the University’) is the Data Controller in respect of staff personal data. The University is registered as a Data Controller with the Information Commissioner’s Office (ICO). We manage personal data in accordance with the General Data Protection Regulation (GDPR) and the University’s Data Protection Policy. Throughout this Notice, “University”, “we”, “our” and “us” refers to the Manchester Metropolitan University and “you” and “your” refers to our staff.

The personal data we process

The University processes personal data about current and former members of staff, this includes temporary workers, and external members of staff, such as examiners and assessors. We only collect the personal data that we need. The personal data we process about staff includes:

  • Personal information – such as your name, title, date of birth, sex and gender identity, address, telephone number, e-mail address, nationality, marital status, National Insurance number, membership identifiers of professional bodies.
  • Recruitment information – such as copies of right to work documentation, including passport or visa numbers, references and other information included in a CV or cover letter, qualifications and previous work experience and job title, and other information obtained as part of the application process.
  • Payroll information – such as salary, banking details, pension, tax and other remuneration information including: sick pay, maternity pay, bonus payments and benefits you receive. 
  • Information about your job and your contract – your role, title and department information, location of workplace, information about your start dates, hours of employment, contract type, work related photographs and information about your use of and access to our information and communications systems.
  • Information about your performance in your role - assessments of your performance and conduct, including appraisals, performance reviews and ratings, personal development and training records, performance improvement plans, promotions, details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence.
  • Security and safety information – CCTV images and building access information; health and safety information, next of kin and emergency contact information.

 We may also process the following “special categories” of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs and sexual orientation;
  • Trade union membership;
  • Information about your health, including any disability and/or medical condition, health and sickness records;
  • Information about criminal convictions and offences, including proceedings or allegations.

How did the University obtain your data?

We obtain the vast majority of information directly from you as part of the application and recruitment process. We may also obtain information from third parties, such as HM Revenue and Customs, pension scheme providers, employment agencies, the Disclosure and Barring Service, background check providers or referees. We continue to collect additional information about you during your employment or work with us.

The purposes of the processing and lawful basis

We process your data for a number of purposes arising from your employment or work, including appointment (e.g. terms and conditions and payment of salary); staff management (e.g. induction, performance appraisal, management of sickness or other absence, merit schemes); and discipline or grievance processes. These purposes are set out below under the lawful basis upon which we rely to process your personal data. 

Because we have a contract with you or to meet a relevant legal obligation under employment law:

We need to process your data in order to meet our obligations or exercise rights under the contract of employment or other contractual requirements relating to your engagement with the University.

  • To enter into and provide you with a contract of employment.
  • To administer and pay your salary, tax, awards and / or other remuneration, such as bonus pay, sick pay and maternity pay.
  • To administer any statutory or voluntary deductions, such as pension, salary sacrifice scheme or trade union contribution.
  • To manage and monitor human resource related processes, including those relating to performance, conduct and promotion, (e.g. through the personal development review process).
  • To manage and administer your annual leave and absences such as sickness (the latter which may involve processing information about your health and medical information).
  • To administer and manage the University’s Disclosure Barring Service Policy.
  • To deliver training and development opportunities to you and to gather feedback on such opportunities.
  • To manage and determine disciplinary proceedings, and operate and keep a record of disciplinary, complaint and grievance issues to ensure acceptable conduct in the workplace.
  • To address any grievances raised during your employment.
  • To ensure you are legally eligible to work in the United Kingdom.
  • To discharge our Prevent duties under the Counter Terrorism and Security Act 2015.
  • Ensure that you are able to practice in a particular role.
  • Ensure that you are physically fit to work or practice in a particular role.
  • Identify and prevent any potential risks to your health or wellbeing that may arise from your work and ensure you are suitably trained.
  • To discharge our obligations under the Health and Safety Act 1998, e.g. health and safety equipment assessments.
  • Ensure we can get in touch with you if we need to regarding work or employment related matters
  • To compile statistics for regulatory and statutory reporting purposes (for example our annual returns to HESA or the Office for National Statistics).

Because we have a legitimate interest:

We process personal data where we believe there we have a legitimate interest which is within your reasonable expectations and involves minimal privacy impact to you for the following purposes:

  • To provide you with a university ID card, a university IT account, and give you personalised access to our buildings, IT applications, resources and network services.
  • To monitor your IT use to ensure adherence to the University’s Acceptable Usage Policy, and data protection and computer misuse legislation.
  • To provide you with access to training and development services and opportunities, and to gather feedback on such opportunities.
  • To identify workforce requirements and prepare effective workforce management plans.
  • To maintain our staff directory and staff profiles on the University’s website and intranet.
  • To enable effective communications with you about the University in relation to news and updates.
  • To invite you to take part in internal or external research opportunities which we think will be of interest to you.
  • To provide opportunities for counselling and wellbeing support. Further information can be seen within the University’s specific Counselling and Wellbeing Service Privacy Notice.
  • To contact those people you have named to be notified in the event of an emergency.
  • To operate and keep a record of employee performance and related processes to plan for career development, succession planning and workforce management purposes.
  • So internal and external research funders are able to audit our research projects and services.
  • To issue staff surveys, such as the staff satisfaction survey.
  • To ensure that we can keep university sites safe and secure.  This involves capturing images of you in our CCTV system.  Further information can be seen within the University’s CCTV Privacy Notice and CCTV Policy.

Some special category data is processed to carry out our legal obligations and exercise specific rights in relation to employment.

We process information about ethnic origin, sexual orientation, religion or belief or trade union membership, offences and alleged offences, criminal offences, gender identification, health information to carry out our employment obligations when we:

  • Make reasonable adjustments and provide support for staff who have a disability in accordance with the Equality Act 2010.
  • Monitor equality of opportunity or treatment, and our compliance with obligations under the Equality Act 2010. E.g. where you voluntarily provide information about ethnicity, religious beliefs and / or sexual orientation when applying for a vacancy with us or entering into an employment contract.
  • Conduct activity with the aim of monitor, maintaining and promoting racial and ethnic diversity at senior levels of the University.
  • Ensure that you are fit to work in a particular role.
  • Manage voluntary salary deductions to a trade union, where applicable.
  • Seek information about criminal convictions and offences in order to prevent unlawful acts, and to protect the public against dishonesty, malpractice and serious improper conduct.

Vital interests

On rare occasions, we may need to process and share information about you, including special category information, in the event of an emergency or other high risk because it is in the vital interest of you or another person that we do so, and you are physically or legally unable to give us your consent.

The recipients or categories of recipients of the personal data

We may also disclose your personal data to other organisations in the below circumstances;

  • To Government Departments and agencies such as the UK Border Agency, HM Revenue and Customs, the Disclosure and Barring Service and the Child Support Agency in order to discharge our legal obligations.
  • Where staff are working overseas we may be required to disclose personal data to overseas tax authorities.
  • To the Higher Education Statistics Agency (HESA) as required by statute. This forms your HES record which contains mainly coded information including ethnicity and disability status. Your name and contact details will not be made available to HESA. HESA publishes information about its use of such personal data at: http://www.hesa.ac.uk/collection-notices.
  • To our pension providers (such as the Local Government Pension Scheme) in order to administer our pension schemes.
  • To any external training providers for training opportunities you sign up to.
  • To the provider of our Occupational Health services.
  • To the provider of our online recruitment site for the purpose of hosting and managing that site.
  • To contractors who deliver certain staff surveys (such as ORC International).
  • To our suppliers and data processors who help us to deliver our IT systems and services. 
  • To our contracted IT services helpdesk to help resolve any IT issues you may encounter.
  • To our recognised trade unions for the purposes of registering starters and leavers to maintain membership records, to facilitate union recruitment activity and to promote positive industrial relations (e.g. via consultations and negotiations).
  • To issue references to other organisations at your request.
  • To auditors, research funders / sponsors, collaborators, agents and contractors in relation to staff involved in sponsored research projects. E.g. United Kingdom Research Councils, the EU Commission, and charities.
  • To the University’s insurers and external legal advisers.
  • To the University’s external tax and accountability advisors.
  • To the emergency services in emergencies and subject to certain conditions.
  • To the Office of the Independent Adjudicator where necessary to support their review of student complaints.
  • To external parties where you have given your consent for us to do so (e.g. requests for disclosures of salary information to mortgage providers).

Whenever we enter into a data processing arrangement with a third party this is conducted under the terms of a contract, which defines the purpose and limits the use personal data, and introduces information security and confidentiality requirements.

Data retention

The University does not retain personal data for longer than we need it. We retain personal data in accordance with the retention periods prescribed in the University’s Retention and Disposal Schedule. Many of the retention periods are based upon JISC standards and will be consistent with other higher education institutions. This is a publically available document and is published on the University’s website. In particular, the following retention periods apply to the personal data of University staff:

Sub function

Records

Retention period

Workforce Recruitment

Records gathered during the recruitment process.

This includes initial application, supporting documentation, and information obtained from third parties, i.e. references and DBS checks if applicable.

As part of employee contract records, except information which is not relevant to the ongoing employment relationship.

Unsuccessful applications - Completion of recruitment process + 18 months.

Successful applications, including any subsequent applications - Termination of employment + 6 years.

References provided in confidence in support of an employee’s application(s) for employment at another organisation.

Provision of reference + 1 year.

Employee Contract Management

Records documenting the employee’s contract(s) of employment, terms and conditions and job descriptions of positions held with the University.

Termination of employment + 6 years.

Records documenting the termination of employment by voluntary resignation, redundancy, retirement (including on medical grounds) or dismissal.

Termination of employment + 6 years

Absence and sickness management

Records relating to the administration of contractual and statutory holiday / leave entitlement (including parental leave or special leave).

Completion of entitlement + 6 years

Records documenting absence due to sickness.

Review 6 years after termination of employment. We retain asbestos absence records for termination of employment + 40 years

Workforce Development

Records documenting training and development needs, and the action taken to meet these needs.

Completion of actions + 5 years

Workforce Performance Management

Records documenting the management of poor performance.

End of activity (i,e investigation or case) + 6 years

Records documenting disciplinary proceedings against the employee, where employment continues.

Closure of case + 6 years.

Payroll Management

Records documenting the employee’s pay, remuneration and rewards.

Current tax year + 6 years.

Records documenting entitlements to, and calculations of Statutory Maternity Pay and Access to Work payments.

Current Tax Year + 3 years

Records documenting payments and contributions to the pension schemes for its employees.

Termination of employment + 75 years

Health and safety

Records documenting major injuries to an employee arising from accidents in the workplace.

Termination of employment + 40 years

For further information, please see the Retention and Disposal Schedule Page and the Retention and Disposal Schedule Page on Man Met’s Intranet (Internal only).

Your responsibilities

In order to help maintain our records staff must:

  • Provide accurate information on taking up employment.
  • Inform the University promptly of any changes affecting its records (e.g.name, address, marital status etc) and keep personal information up to date on the MyHR system.

In addition, all staff must comply with the University’s Data Protection Policy in the delivery of their duties.

Your rights in respect of the processing

Data protection legislation provides data subjects with the following data subject rights:

  • The right to be informed – this privacy notice assists with fulfilling these obligations for our employees.  
  • The right of access - to personal information held about you exists in order to be aware of, and verify, the lawfulness of the processing by the University.
  • The right to rectification – to have inaccurate or incomplete personal data rectified.
  • The right to erasure – to have personal data erased if we have retained it for longer than necessary, processed your personal data unlawfully, or if we are relying upon consent or the legitimate interest lawful basis.
  • The right to restrict processing – to have personal data restricted or suppressed in certain ways - applies in certain circumstances.
  • The right to data portability – to have personal data made available with the intention of reuse for your own purposes.
  • The right to object – give employees the right to object to processing in certain circumstances.

To request to exercise any of these rights please write to: dataprotection@mmu.ac.uk. Please note that the above rights can be subject to limitations and exemptions meaning the University may be exempt from complying with your request. We will inform you if this is the case.

Further information

For simplicity we have specific privacy notices for particular areas of service. The following are likely to be relevant to you as a member of university staff:

  • Privacy Notice – Applicants (Staff).
  • Privacy Notice – Counselling and Wellbeing Service.
  • Privacy Notice – CCTV Systems

For further information about data protection and the data subject rights please see: https://www.mmu.ac.uk/data-protection and the Information Governance Intranet Pages.

Contacting us

This privacy noticed is owned by Human Resources. For questions or concerns about this notice or our use of your personal information, please contact hr@mmu.ac.uk in the first instance.

Our Data Protection Officer can also be contacted using dataprotection@mmu.ac.uk, by calling 0161 247 3331 or in writing to: Data Protection Officer, Legal Services, All Saints Building, Manchester Metropolitan University, Manchester, M15 6BH.

Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) as the supervisory authority in respect of the processing of your personal data. We would encourage you to expend our internal complaints procedure through our initial contact and the University Data Protection Officer, prior to contacting the ICO. If you wish to contact the ICO the following contact information can be used:  casework@ico.org.uk or telephone: 0303 123 1113. For any further contact information please see: https://ico.org.uk/global/contact-us/.

Updates to this privacy notice

We may update this privacy notice from time to time in response to changing legal, technical or business developments. When we update our privacy notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.