Skip to main content
Governance
Aerial View of Geography Campus 2018

Privacy Notice - Employees

Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in several ways, one of which is the publication of privacy notices. This privacy notice provides a general description of the broad range of processing activity; in addition, there are tailored privacy notices covering some specific processing activity.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance pages or contact:

Email: info.access@durham.ac.uk 

Information Governance Unit also coordinate response to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact:

Andrew Ladd, email: info.access@durham.ac.uk 

Why and how we use your data

You have the right to be provided with information about how and why we process your personal data. We will only process data where we have a lawful reason to do so. The University processes your data prior to, during and for a period after a period of employment under the basis of a contract with you.

Lawful Basis Purpose of Processing

Contract
  • Recruitment information including copies of right to work documentation, references, CV/resume, covering letter(s) and any other documents submitted as part of the application process, health declaration questionnaire and information completed by the employee prior to commencing employment.
  • Information about your current and previous remuneration with the University, including entitlement to benefits such as pensions, salary sacrifice arrangements or insurance cover.
  • Details of your start date, schedule (days of work and working hours), hours worked and attendance at work.
  • Information about your location and place of work.
  • Employment records including job titles, work history, training records and professional memberships.
  • To facilitate the arranging of travel and accommodation, provision of travel cover via University systems for travel on University business and the handling of any claims.
  • Details of periods of leave taken by you, including holiday, sickness absence, maternity leave, paternity leave, family leave and sabbaticals, and the reasons for the leave to manage sickness absence and records.
  • Details of any HR processes such as disciplinary, grievance or sickness absence procedures in which you have been involved, including any warnings issued to you and related correspondence.
  • Each employee is required to provide a digital image of themselves to CIS for reproduction on their University campus card, which will be used for the purpose of identification.
  • Assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence.
  • Information obtained through electronic means including, where applicable, swipe card access, computer logon information and software usage.
  • Details of your bank account, national insurance number and tax status.
  • Information about your marital status and dependents.
  • Information about medical or health conditions, including whether you have a disability for which the University may make reasonable adjustments.
  • Data sharing with external organisations (placements, study)
Public Task
  • Academic promotion processes
  • Provide facilities (IT, Library services)
  • Education, training and development
  • Staff directory, calendar, publications
  • Making statutory/external returns (e.g. HESA)
  • Use of employee data (not including special category data) for academic research on the basis that the results of the research will not lead to decision-making about an individual or groups of individuals.
  • Data sharing with external organisations (placements, study)
Legal Obligation
  • Information about your health, including any medical condition, health and sickness record, including whether you have a disability for which the University may make reasonable adjustments.
  • Information about your nationality and entitlement to work in the UK.
  • Information about criminal convictions and offences and disclosure and barring.
  • Business management and planning (accounting, auditing)
  • Monitoring equal opportunities
  • Trade union membership
  • Monitoring IT systems is necessary to maintain the security and integrity of our systems and ensuring compliance with policies
  • To engage with the University's recognised trade unions about matters pertaining to University groups of staff or individual employees.
  • Obtain occupational health advice, to ensure that the University complies with duties in relation to individuals with disabilities, meet our obligations under health and safety law.
  • To respond to and defend against legal claims
Legitimate Interests
  • Information about emergency contacts.
  • Preventing and detecting crime (e.g. CCTV)
  • Monitoring IT systems is necessary to maintain the security and integrity of our systems and ensuring compliance with policies
  • Maintaining contact with former employees
Consent
  • Where you have the choice to determine how your personal data will be used, we will ask you for consent. Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time.
  • In addition, we may provide you with a privacy notice in relation to specific uses of your data where this is appropriate. A privacy notice is a verbal or written statement that explains how we use personal data.
Vital Interests
  • Where the University believes it is necessary to protect the life of you or another person, we will use the vital interests lawful basis to process your personal data.  This may be to contact third parties, such as medical professionals or emergency contact, concerning the health of an employee when it believes it is reasonable and/or in the best interests of the employee to do so. The University will attempt to gain the prior consent from the employee to do so but where consent cannot or will not be given it might act without consent.

Special category data

Some of the information we collect is special category data (sometimes also known as sensitive personal data). We process personal data that relates to your health (such as your medical information for example to help support you), and any criminal convictions and offences (for reasons of safeguarding). If we use special category data, we will usually do so on the legal basis that it is in the wider public interest (for example in relation to research), to establish, take or defend any legal action or, in some cases, that we have your permission (consent).

How we collect your data

The University collects this information in a variety of ways. For example, data is collected through applications, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of and/or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments or as part of any health declarations.

The University collects personal data about you from third parties, such as references supplied by former employers (following consent), information from employment background check providers, and (if applicable) information related to criminal record checks and disclosure and barring. 

We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

The University may also seek an academic reference from third parties as part of the academic promotion process and will forward a copy of your standard proforma progression CV to referees.

The collection of health information related to outbreaks of infectious disease (such as Covid-19 or any subsequent such health issues) will also be necessary.

Data handling

Data will be stored in a range of different places, including in your electronic and hard copy personnel file, electronically (and sometimes in hard copy) in your department, within the Recruitment/HR management systems, within the University’s document systems and in other IT systems (including the University's email system and SharePoint).

HR data will be stored in a range of different places, predominantly in HR but some employment data will be stored in your department (for example recent Annual Staff Reviews) or other material departments of the University (for example any Occupational Health records will be stored in Occupational Health).

HR data is stored securely and will only be accessed by colleagues with a legitimate interest in accessing your data.

Retention

The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

Right of access

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of that data.

You can find out more about this right on the Subject Access Requests webpage. 

Right to rectification

If you believe that personal data we hold about you is inaccurate or incomplete, you have the right to request that it is corrected or completed.

Once we have considered your request, we will contact you to let you know the outcome.

Right to erasure

You can ask us to erase your personal data in certain circumstances, including where:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent (where consent is the lawful basis) and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data has been unlawfully processed
  • We are required to erase the data to comply with a legal obligation

Once we have considered your request, we will inform you of our decision.

Right to restrict processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it, but you need it to establish, exercise or defend a legal claim
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.

Right to data portability

Where processing is based on your consent or on a contract, and carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format.

You also have the right, where technically feasible, to request that we transfer this data directly to another organisation.

This right only applies to personal data that you have provided to us.

Right to object

You have the right to object to the processing of your personal data where:

  • the processing is based on legitimate interests or public task
  • the processing is for direct marketing purposes

Once you have objected, we will assess whether we have compelling legitimate grounds to continue processing your data.

Rights in relation to automated decision-making

You have the right not to be subject to a decision based solely on automated processing (including profiling) where that decision produces legal effects or similarly significant effects on you, unless an exception applies.

Where such processing takes place, you have the right to:

  • obtain human intervention
  • express your point of view
  • contest the decision

Making a complaint

If you are dissatisfied with the way we process your personal data, we ask that you contact us at info.access@durham.ac.uk so that we can try and put things right. If you remain unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). 

The ICO can be contacted at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: +44 (0)303 123 1113

Website: Information Commissioner’s Office

(Updated June 2026)