Privacy Notice for Employees, Workers and Contractors
CONTENTS
Why this notice is important
Introduction
How we obtain your personal data
The types of personal data we use and how we use them
Special Categories of Personal Data
Your Consent
Automated decision making
Sharing your personal data
Transfers of your personal data outside the EU
Data security
How long we keep your personal data
Your rights
Complaints and enquiries
How to contact us
Changes to this Privacy Notice and your personal data
WHY THIS PRIVACY NOTICE IS IMPORTANT
This Privacy Notice applies to all current and former employees, workers and contractors of Oxford University Innovation Limited (OUI).
Please read this Privacy Notice carefully. It sets out how we use your personal data, both during your working relationship with us, and after that relationship has ended.
It also sets out your rights as a data subject.
Please read this Privacy Notice together with any other privacy notice we may provide for specific circumstances when we process your personal data.
This Privacy Notice supplements those other notices; it does not replace them.
This Privacy Notice does not form part of any contract of employment or contract to provide services.
INTRODUCTION
Personal data is information about an identifiable individual. Anonymous or anonymised data about an individual is not personal data.
This Privacy Notice applies when we control the purposes for which your personal data is collected and used.
Data protection law obliges us, as a controller of your personal data, to:
- use your personal data lawfully, fairly and in a transparent way;
- collect your personal data only for valid purposes we have clearly explained to you and not use it in any way that is incompatible with those purposes;
- collect and hold personal data which is relevant to the purposes we have told you about and limited only to those purposes;
- keep your personal data accurate and up to date;
- keep your personal data only for as long as is necessary for the purposes OUI has told you about; and
- keep your personal data securely.
HOW WE OBTAIN YOUR PERSONAL DATA
We collect personal data about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from a recruitment or employment agency.
We sometimes collect additional information from other third parties including former employers and referees.
We collect additional personal data in the course of job-related activities when you work for us.
Other Sources: We also obtain personal data from other sources. These sources include:
- Publicly-available information from social networks when you have granted the relevant permissions;
- Publicly-available information retrieved using search engines;
- Publicly-available sources such as Companies House, the electoral register, other open government databases and the GMC register.
THE TYPES OF PERSONAL DATA WE USE AND HOW WE USE THEM
The types of personal data we collect and use, the purposes for which we use your personal data, and the legal bases we rely on to allow us to use your personal data in that way are set out in the table below.
Where the legal basis is our legitimate interests or the legitimate interests of a third party, we have also indicated what those interests are.
We may have more than one legal basis for using your personal data. If you want to know which of the bases applies where more than one basis has been set out in the table below, please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.
TYPE OF PERSONAL DATA | HOW WE USE THAT DATA | THE LAWFUL BASIS FOR OUR PROCESSING THAT DATA |
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses | To manage payroll; to maintain personnel files in relation to your employment; to arrange private medical insurance; to make arrangements for your pension and the company’s payments to your pension; to enable you to have access to a University card; to enable you to have access to a University email account. Administering the contract we have entered into with you. Liaising with your pension provider. To provide the following benefit to you: Medical Insurance. Paying you and, if you are an employee, deducting tax and National Insurance contributions. | Performance of employment contract between employee and OUI |
Date of birth | To obtain a University card for you; to verify identity; to arrange private medical insurance; to make arrangements for your pension and the company’s payments to your pension; to calculate your retirement date; to manage payroll | Performance of employment contract between employee and OUI |
Gender | To monitor and report on gender diversity. Equal opportunities monitoring. | Legal obligation |
Dependants’ names and dates of birth | To arrange family leave and pay including statutory maternity, adoption, paternity and shared parental pay, pension arrangements and private medical insurance including any arrangements for dependants | Legal obligation |
Next of kin and emergency contact information | In case of emergency. CoreHR, SP, personnel files | Vital interests |
National Insurance number | Paying you and, if you are an employee, deducting tax and National Insurance contributions. | Legal obligation |
Bank account details, payroll records and tax status information | SP, personnel files and Core. Expenses. Paying you and, if you are an employee, deducting tax and National Insurance contributions. | Performance of employment contract between employee and OUI |
Salary, annual leave, pension and benefits information | SP, HR secure docs and personnel files. Pension to Aviva and OSPS. Benefits – held at Axa and benefits in kind at University. So people can participate in benefits package | Performance of employment contract between employee and OUI |
Start date | SP and Core, personnel files. To calculate continuous service and pay. Administering your contract. | Performance of employment contract between employee and OUI |
Location of employment or workplace | In their contract. HR records. Buildings access. | Performance of employment contract between employee and OUI |
Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process) | Agencies. Secure docs, personnel files. Right to work goes on Core and SP. Checking you are legally entitled to work in the UK. References – personnel files and agencies. Making a decision about your recruitment or appointment. | Legal requirement; Performance of employment contract between employee and OUI |
Employment records (including job titles, work history, working hours, training records and professional memberships, disciplinary and grievance information) | Secure docs, Core, personnel files. Monitor performance, education, training and development requirements, record in case of queries, to provide references to external parties asking for confirmation of your employment. Memberships only if relevant to the business and in relation to expenses paid by the company. Gathering evidence for possible grievance or disciplinary hearings. | Performance of employment contract between employee and OUI |
Compensation history | SP, Core. 7 years post someone leaving. Enables checking of errors and enquiries by HMRC | Legal requirement – Statutory retention period |
Performance information | Day to day management of employees. In emails, personnel files. Conducting performance reviews, managing performance and determining performance requirements. Making decisions about salary reviews. Making decisions about continued employment or engagement. | Performance of employment contract between employee and OUI |
Information about your use of our information and communications systems including mobile phone records. CCTV footage and building access information | To monitor your use of our information and communications systems to ensure compliance with our IT policies. To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution | Performance of employment contract between employee and OUI; Our legitimate interest in ensuring the security of the premises for staff and visitors |
Photographs | To provide you with a University card to enable access to OUI and University buildings and facilities. Internal use including maintaining the photo structure chart and celebrating success, and to maintain the People section of the OUI website | Performance of employment contract between employee and OUI; OUI’s and the University’s legitimate interest in controlling access to our facilities |
Aggregated Data: We collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not personal data because it does not directly or indirectly identify you.
If we combine or connect any aggregated data with your personal data so that you can be identified, the combined data will be used in accordance with this Privacy Notice.
SPECIAL CATEGORIES OF PERSONAL DATA
The special categories of personal data we collect and use, the purposes for which we use that personal data, the legal bases we rely on to allow us to use your personal data in that way and further justification for using that personal data are set out in the table below.
TYPE OF SPECIAL CATEGORY OF PERSONAL DATA | HOW WE USE THAT DATA | THE LAWFUL BASIS AND JUSTIFICATION FOR OUR PROCESSING THAT DATA |
Information about your health, including any disability and/or medical condition and health and sickness records | To ensure health and safety in the workplace. To assess your fitness to work or to provide appropriate workplace adjustments. To monitor and manage sickness absence. Held on SP and personnel files. Statutory retention and compliance. Compliance with disability legislation. To administer benefits. In case of a medical emergency | Necessary for compliance with a legal obligation to which we are subject. Necessary for the performance of your contract with us. Necessary to carry out our legal obligations or exercise rights in connection with employment and social security. Necessary for the performance of your contract with us. Necessary to protect your vital interests where you cannot give consent |
YOUR CONSENT
We do not need your consent if we use special categories of your personal data as set out above.
In limited circumstances, we may ask for your written consent to allow us to process special categories of your personal data. If we ask for your written consent, we will provide you with full details of the special category personal data we would like to process and the reason we need to process it, so that you can consider whether or not you are willing to give your consent.
It is not a condition of your contract with us that you give us any such consent and you will always be free to withhold that consent.
CHANGE OF PURPOSE
We will use your personal data only for the purposes for which we collected it, unless:
a) we reasonably consider that we need to use it for another purpose and that other purpose is compatible with the original purpose; or
b) we anonymise your personal data and use it for research or statistical purposes.
For an explanation as to how our use of your personal data for a new purpose is compatible with the original purpose, please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.
If we intend to use your personal data for an unrelated purpose, we will contact you to explain the legal basis which allows us to use your personal data for that unrelated purpose.
If we use your personal data for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes and we impose the safeguards required by the law, those purposes are treated as being compatible with the original purpose.
AUTOMATED DECISION-MAKING
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, but we will notify you in writing if this position changes.
SHARING YOUR PERSONAL DATA
We share your personal data with:
– Our insurance broker and the insurance company which provides your health insurance.
– Our pensions broker and the company which provides your pension, and the University in relation to pension provision.
– Anyone else, if necessary to administer our working relationship with you.
– The University of Oxford as part of our regular reporting activities.
– The University of Oxford for the purposes of processing our payroll and pensions and ensuring compliance with legal obligations, for example right to work; also L&D records where you have used University training opportunities.
– Anyone else we engage to process personal data for us, such as the provider of our IT systems. That person will be obliged to use your personal data only for our purposes, to process it only in accordance with our instructions and to have appropriate security measures in place to protect your personal data.
– If necessary to obtain advice, to our professional advisers who owe an obligation of confidence to us.
– To law enforcement agencies, if we know or think that you are engaged in any illegal activity.
– Anyone, if necessary to comply with any law or regulation.
– Anyone, if necessary to enforce our rights or to protect our property or to protect the rights or property of anyone else.
– A purchaser of OUI or of our business or any business assets – we may disclose your personal data to the prospective buyer(s) and its or their professional advisers and, if our business assets are sold, our customers’ personal data will be one of the assets transferred.
– Any business with which we merge or merge part of our business.
– Any company or business which we acquire.
TRANSFERS OF YOUR PERSONAL DATA OUTSIDE THE EU
We transfer your personal data outside the European Union, but we do not do so unless at least one of the following applies:
a) We transfer it to a country which the European Commission has decided ensures an adequate level of protection for personal data or if the recipient has entered into the Standard Contractual Clauses published by the European Commission. If you wish to see a copy of the Standard Contractual Clauses, please email enquiries@innovation.ox.ac.uk.
b) We transfer your personal data to an entity in the United States which participates in the Privacy Shield. That obliges the US entity to protect personal data shared between the European Union and the US.
c) You have given your explicit consent to the transfer of your personal data. (If you have given that consent you may withdraw it at any time by emailing enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.)
d) We cannot perform our contract with you without making that transfer.
e) We cannot take steps you have requested us to take without making that transfer.
f) We cannot enter into or perform a contract with someone else and which is in your interests without making that transfer.
g) The transfer is necessary for important reasons of public interest.
h) The transfer is necessary for the establishment, exercise or defence of legal claims.
Your personal data will be accessed by our staff when they are outside the European Union, but the same safeguards will apply as though our staff were accessing your personal data from within the European Union.
DATA SECURITY
We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will process your personal data only on our instructions and they are subject to a duty of confidentiality.
We have procedures to deal with any suspected personal data breach. If the law obliges us to do so, we will inform the Information Commissioner’s Office and you of a breach of security involving your personal data.
HOW LONG WE KEEP YOUR PERSONAL DATA
We will keep your personal data only for so long as is necessary to achieve the purpose for which we have collected that data, or as required by law, or as required to meet any legal, accounting, or reporting requirements.
When deciding what is the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from any unauthorised use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances you can ask us to delete your personal data. Please see Your Rights.
If we anonymise your personal data, it will no longer be personal data and we may use it indefinitely.
Once you are no longer an employee, worker or contractor of OUI we will securely destroy your personal information unless it is retained as set out in this privacy policy.
We will retain your data for as long as we need it to fulfil our purposes, including any relating to legal, accounting, or reporting requirements.
Details of the retention periods for different types of HR data are available here.
YOUR RIGHTS
In certain circumstances you have the right to:
Request access to your personal data: You have the right to receive confirmation of whether or not we are holding or using your personal data and, if we are, to obtain a copy of your personal data.
Request the correction of your personal data: You have the right to have any incomplete or inaccurate personal data we hold about you corrected. We may need to verify the accuracy of any new data you provide.
Request the erasure of your personal data (the right to be forgotten): You have the right to ask us to delete or remove personal data where we have no good reason to continue using it.
You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to our using it (see below), where we have used your personal data unlawfully or where we are required to erase your personal data to comply with the law. We may not always be able to comply with your request for erasure for legal reasons which we will inform you about if you request erasure.
Request a restriction on the processing of your personal data: You have the right to ask us to suspend the processing of your personal data in the following circumstances:
a) if you want us to establish the data’s accuracy;
b) where our use of your personal data is unlawful but you do not want us to erase it;
c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
d) you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
Object to the processing of your personal data: You have the right to object where we are relying on our legitimate interests (or those of a third party) and your particular situation leads you to think our processing affects your fundamental rights and freedoms.
In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data and that those grounds override your rights and freedoms.
Object to the use of your personal data for direct marketing purposes: You have the right to object where we are processing your personal data for direct marketing purposes.
Withdraw consent: Where you have given consent to our using your personal data for a specific purpose, you have the right to withdraw that consent at any time. Your withdrawal of consent will not affect the lawfulness of any use of your personal data based on your consent before you withdraw consent.
Request the transfer of your personal data (data portability): You have the right, where you provided your personal data to us, you gave consent to our using your personal data or we used that personal data to perform a contract with you and we have processed that data by automated means, to receive the personal data you have provided to us and to have us transmit that data to another person, if it is feasible to do so.
If you want to exercise any of the above rights please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.
We try to respond to all legitimate requests within a month. It may take us longer than a month if your request is complicated or you have made a number of requests. In this case, we will notify you and keep you updated.
Normally you will not have to pay a fee to access your personal data or to exercise any other right, but we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in those circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any other right. This is to ensure that personal data is not disclosed to a person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
YOU ARE NOT OBLIGED TO PROVIDE US WITH ANY PERSONAL DATA
You may decide not to give us any personal data, but if you do not provide data which is necessary for us to perform our contract with you, we may not be able to perform some of our obligations (such as paying you or providing you with a benefit) or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
COMPLAINTS AND ENQUIRIES
We take any complaints we receive very seriously. Please bring it to our attention if you think that our collection or use of your personal data is unfair, misleading or inappropriate.
We also welcome any suggestions for improving our procedures.
This Privacy Notice was drafted with brevity and clarity in mind. It does not provide exhaustive details of our collection and use of personal data, but please feel free to contact us if you want any additional information or further explanation.
You have the right to make a complaint about the way we have used your personal data to the UK Information Commissioner’s Office (the ICO). The ICO’s contact details are: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or www.ico.org.uk, but please give us a chance to address your concerns before you contact the ICO.
HOW TO CONTACT US
If you want to ask us about this Privacy Notice, please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.
CHANGES TO THIS PRIVACY NOTICE AND YOUR PERSONAL DATA
We keep this Privacy Notice under review. It was last updated on 14 March 2019.
We may update this Privacy Notice at any time, and we will provide you with a new Privacy Notice if we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
It is important that your personal data is accurate and up to date. Please let us know if your personal data changes whilst you are an employee, worker or contractor of OUI.