Staff privacy notice
This applies to Jisc staff.
If you're a member, customer or the public then see our general privacy notice.
Introduction
We are Jisc, a not-for-profit company, with registered office at 4 Portwall Lane, Bristol, BS1 6NB.
Jisc is committed to protecting your privacy. We are the controller of the personal data processed for the purposes set out below and we are responsible for looking after it.
This notice relates to our use of the personal data of our employees and other members of our staff and personnel (such as contractors and other workers). This notice explains how we use, store and share the information we collect about you, how you can exercise your rights in respect of that information and the procedures that we have in place to safeguard your privacy. This notice supplements any other fair processing notices that may be provided to you from time to time.
Contacting the data protection team
We have appointed a data protection officer who can be contacted at dataprotection@jisc.ac.uk. Please contact the data protection team at this email address if you have any questions, comments or concerns about this notice or how we handle your personal data, or if such information changes at any time.
What personal data will we collect about you?
Personal data means any information that relates to an identified or identifiable individual. We have grouped together the kinds of personal data that we may collect below. Additional information about the types of data we collect may be provided to you in other service specific privacy notices.
The personal data that we process includes:
- Identification information (eg title, name, the part of the business that you work for, your job title or position, marital status, tax payer identification such as national insurance information, passport number etc), education and professional qualifications
- Contact information (eg your postal address, email address and phone number(s) for both work and home, and emergency contacts)
- Financial information (eg payment-related information including bank account information, payroll records, salary information)
- Residency and work permit status, including visa documentation
- Business travel information, including visa documentation
- Technical information (eg IP address, browsing preferences, details of visits made to our online services such as the volume of traffic received, logs, online registration details and login credentials) and swipe card access logs
- Special categories of personal information such as health information, sickness absence, access requirements or special needs or religious beliefs information, dietary preferences or allergies
- Images, including CCTV footage taken at our premises, still and moving photography taken when attending our events, photos and videos published to or streamed via the intranet and our social media channels
- Diversity information (eg sex, gender, ethnicity etc, in diversity questionnaires)
- Career performance related information
- Character suitability information (eg references, criminal offences information, criminal records checks)
- Any other information relating to you which you may provide to us
Where do we collect this information from?
We collect this information directly from you (e.g. when you provide your CV, attend catch-ups and interviews or contact the HR team).
We will also collect the personal data about you from:
- Providers of background checks, referees and educational authorities
- Providers of psychometric testing
- The public domain (eg LinkedIn or other social media)
- Providers of occupational health services and other benefits providers, including pension benefits
- Credit reference agencies and fraud prevention agencies
- Notes and records kept throughout your work including absences, expenses claims, questionnaires, health and safety information including accident reports, performance reviews, and details of any grievances/ disciplinary action or complaints/whistleblowing reports
- Customers
- Events (including still and moving images)
- Our IT systems (including emails and chat systems such as Microsoft Teams)
- Third parties (who may be acting as a controller) including our insurers, government departments and regulators
How do we use your personal data?
The following table sets out why we process your personal data and also our lawful basis for processing your personal data. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.
| Purpose/Activity | Lawful basis for processing |
|---|---|
| Human resources administration (including evaluation of applications for employment, assessing suitability, eligibility and/or fitness to work, right to work) | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. It is necessary to comply with a legal obligation (eg employment and tax legislation). Processing of special category data or criminal convictions data for purposes necessary to perform or exercise obligations or rights imposed or conferred by law on Jisc in connection with employment (eg employment and health and safety legislation). |
| Learning and development | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. It is necessary to comply with a legal obligation (eg data protection, anti-money laundering and health and safety legislation). |
| Delivering employee services such as employee benefits, making necessary adjustments to your working environment, and ensuring a safe place of work (where there is an impact on the health and safety of our staff) | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. It is necessary to comply with a legal obligation (eg employment, pensions and tax legislation). Processing of special category data for purposes necessary to perform or exercise obligations or rights imposed or conferred by law on Jisc in connection with employment (eg employment and health and safety legislation). |
| Management purposes (including where necessary performance issues, disciplinary or grievance purposes and investigation into and resolution of complaints or whistleblowing reports, administering termination of employment, disaster recovery purposes) | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. It is necessary to comply with a legal obligation (eg employment legislation). It is necessary in our legitimate interests (eg to make strategic decisions about the resourcing of our business). Processing of special category data for purposes necessary to perform or exercise obligations or rights imposed or conferred by law on Jisc in connection with employment (eg employment legislation). |
| Payroll purposes | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. |
| Internal and external communications, including maintaining staff directories and website and to promoting our business. | It is necessary in our legitimate interests (eg to promote our business or to keep our buildings secure). |
| Arranging business travel or booking catering | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. It is necessary in our legitimate interests (eg to enable employees to attend appropriate sector events). |
| Ensuring Jisc’s information, systems and offices are secure | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. It is necessary to comply with a legal obligation (eg data protection legislation). It is necessary in our or a third party’s legitimate interests (eg to ensure Jisc’s or our customer’s confidential information is kept securely). |
| Monitoring use of our information systems and recording communications such as Webex in accordance with managing, operating and developing our business | It is necessary for the performance of a contract with you, or to take steps at your requests prior to entering into a contract. It is necessary to comply with a legal obligation (eg data protection legislation or prevention of fraud). It is necessary in our legitimate interests (eg to ensure that our systems are being used in accordance with our policies and not in an unlawful or harmful way). |
| Providing and maintaining references | It is necessary in our or a third party’s legitimate interests (eg to provide your prospective employer with information about your performance to support a job application that you have made). |
| Conducting employee opinion surveys or other questionnaires, including diversity and inclusion questionnaires | It is necessary to comply with a legal obligation (eg employment legislation). It is necessary in our legitimate interests (eg to identify areas for improvement in the management of our staff and our business). Processing of special category data with your explicit consent. |
| To comply with laws and to respond to and comply with requests from the government, regulators and other third parties with legal authority | It is necessary to comply with a legal obligation. Processing of special category data for purposes necessary to perform or exercise obligations or rights imposed or conferred by law on Jisc in connection with employment. |
| To provide evidence where this is required to exercise or defend legal claims | It is necessary in our legitimate interests (eg to defend ourselves against a legal claim that you or your organisation may make against us). |
| To investigate, detect and prevent fraud or crime and carry out related risk assessments | It is necessary to comply with a legal obligation. |
In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.
Please also see our appropriate policy document (pdf) for further information about how Jisc may process special category personal data and criminal convictions personal data about you.
Security
We have in place appropriate policies, procedures, and technical and organisational measures to protect your personal data from unauthorised or unlawful processing, and against accidental loss, destruction or damage. We also have procedures in place to deal with any data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.
Please refer to the information security and data protection policies, standards and guidelines on the intranet for further details.
Sharing your personal data
We will only disclose your personal data to:
- Companies within our group
- A third party who has purchased or merged with our organisation, in which case personal data held by us about you will be transferred to that third party to carry on our business
- Third parties (who may be acting as controller) such as our insurers, legal and other professional advisors, regulators, administrators and government departments, credit reference agencies, and fraud prevention agencies
- Other third party suppliers, business partners and sub-contractors for business administration, support, processing, services, or IT purposes
- Customers, potential customers or other organisations in our sector to facilitate our work, research, projects or the provision or promotion of our services
- HMRC or other tax bodies or agencies to comply with our legal and regulatory obligations
International transfers of your personal data
We may transfer your personal data to countries outside the United Kingdom in order to provide our services. The laws in these countries may not offer the same level of protection for personal data as in the United Kingdom.
If we transfer personal data to countries outside of the United Kingdom, we will do so in a lawful way and may rely on:
- An adequacy decision from the Secretary of State, which says that the recipient country provides an adequate level of protection of personal data
- Appropriate safeguards to protect the personal data (for example, the approved standard contractual clauses or international data transfer agreement)
- A lawful exception to the rules relating to overseas data transfers (for example, the transfer is necessary to perform a contract with you, which is in your interests)
To obtain a copy of these safeguards or if you have any questions about how your personal data is used, please contact data.protection@jisc.ac.uk.
How long will we keep your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances you can ask us to delete your personal data. Please see below for more information about your right to erasure.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes.
Your responsibilities
You are responsible for helping Jisc keep your personal data up to date. You should let the HR team know if the information you have provided to us changes, eg if you move house or change the bank or building society account into which your salary is paid. If you do not provide us with personal data that we require it makes it more difficult for us to keep complete and accurate records about you.
Where you provide us with personal data about another person such as a member of your household, (eg dependents or beneficiaries) we expect you to help us meet our obligations to those individuals by telling them that you have provided us with their information and sharing this policy with them.
Your rights
You have certain rights in relation to your personal data. We have summarised these rights below:
| Right | Description |
|---|---|
| To be informed | A right to be informed about the personal data we hold about you. |
| Of access | A right to access the personal data we hold about you. |
| To rectification | A right to require us to rectify any inaccurate personal data we hold about you. |
| To erasure | A right to ask us to delete the personal data we hold about you. This right will only apply where (for example): • We no longer need to use the personal data to achieve the purpose we collected it for • Where you withdraw your consent if we are using your personal data based on your consent • Where you object to the way we process your data (see the right to object described below) |
| To restrict processing | In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example): • You dispute the accuracy of the personal data held by us • Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead • Where we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising or defending legal claims |
| To data portability | In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request. |
| To object | A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights or which are for the establishment, exercise or defence of legal claims. |
| In relation to automated decision-making and profiling | A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affect you. For the avoidance of doubt, Jisc does not undertake automated decision-making of this kind. |
| To withdraw | A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters). |
| To complain | You have the right to make a complaint to our supervisory authority, which is the UK's Information Commissioner's Office. |
If you would like to contact us with any queries or comments, request further information or exercise any of your available rights set out above, please email us at: dataprotection@jisc.ac.uk
If you would like this notice in another format please contact us using the details above.
We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your personal data.
Changes to this notice
Any changes to this notice in the future will be posted on this page. Please check back frequently to see any updates or changes to this notice.
Last updated: 20 July 2023