Privacy Notice for Employees, Workers and Contractors

CONTENTS

Why this notice is important

Introduction

How we obtain your personal data

The types of personal data we use and how we use them

Special Categories of Personal Data

Your Consent

Automated decision making

Sharing your personal data

Transfers of your personal data outside the EU

Data security

How long we keep your personal data

Your rights

Complaints and enquiries

How to contact us

Changes to this Privacy Notice and your personal data

 

WHY THIS PRIVACY NOTICE IS IMPORTANT

This Privacy Notice applies to all current and former employees, workers and contractors of Oxford University Innovation Limited (OUI).

Please read this Privacy Notice carefully. It sets out how we use your personal data, both during your working relationship with us, and after that relationship has ended.

It also sets out your rights as a data subject.

Please read this Privacy Notice together with any other privacy notice we may provide for specific circumstances when we process your personal data.

This Privacy Notice supplements those other notices; it does not replace them.

This Privacy Notice does not form part of any contract of employment or contract to provide services.

INTRODUCTION

Personal data is information about an identifiable individual. Anonymous or anonymised data about an individual is not personal data.

This Privacy Notice applies when we control the purposes for which your personal data is collected and used.

Data protection law obliges us, as a controller of your personal data, to:

  1. use your personal data lawfully, fairly and in a transparent way;
  2. collect your personal data only for valid purposes we have clearly explained to you and not use it in any way that is incompatible with those purposes;
  3. collect and hold personal data which is relevant to the purposes we have told you about and limited only to those purposes;
  4. keep your personal data accurate and up to date;
  5. keep your personal data only for as long as is necessary for the purposes OUI has told you about; and
  6. keep your personal data securely.

HOW WE OBTAIN YOUR PERSONAL DATA

We collect personal data about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from a recruitment or employment agency.

We sometimes collect additional information from other third parties including former employers and referees.

We collect additional personal data in the course of job-related activities when you work for us.

Other Sources: We also obtain personal data from other sources. These sources include:

  • Publicly-available information from social networks when you have granted the relevant permissions;
  • Publicly-available information retrieved using search engines;
  • Publicly-available sources such as Companies House, the electoral register, other open government databases and the GMC register.

THE TYPES OF PERSONAL DATA WE USE AND HOW WE USE THEM

The types of personal data we collect and use, the purposes for which we use your personal data, and the legal bases we rely on to allow us to use your personal data in that way are set out in the table below.

Where the legal basis is our legitimate interests or the legitimate interests of a third party, we have also indicated what those interests are.

We may have more than one legal basis for using your personal data. If you want to know which of the bases applies where more than one basis has been set out in the table below, please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.

| TYPE OF PERSONAL DATA | HOW WE USE THAT DATA | THE LAWFUL BASIS FOR OUR PROCESSING THAT DATA |
|---|---|---|
| Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses | To manage payroll; to maintain personnel files in relation to your employment; to arrange private medical insurance; to make arrangements for your pension and the company’s payments to your pension; to enable you to have access to a University card; to enable you to have access to a University email account; administering the contract we have entered into with you.<br>Liaising with your pension provider.<br>To provide the following benefit to you: Medical Insurance.<br>Paying you and, if you are an employee, deducting tax and National Insurance contributions. | Performance of employment contract between employee and OUI |
| Date of birth | To obtain a University card for you; to verify identity; to arrange private medical insurance; to make arrangements for your pension and the company’s payments to your pension; to calculate your retirement date; to manage payroll | Performance of employment contract between employee and OUI |
| Gender | To monitor and report on gender diversity. Equal opportunities monitoring. | Legal obligation |
| Dependants’ names and dates of birth | To arrange family leave and pay including statutory maternity, adoption, paternity and shared parental pay, pension arrangements and private medical insurance including any arrangements for dependants | Legal obligation |
| Next of kin and emergency contact information | In case of emergency<br>CoreHR, SP, personnel files | Vital interests |
| National Insurance number | Paying you and, if you are an employee, deducting tax and National Insurance contributions. | Legal obligation |
| Bank account details, payroll records and tax status information | SP, personnel files and Core<br>Expenses. Paying you and, if you are an employee, deducting tax and National Insurance contributions. | Performance of employment contract between employee and OUI |
| Salary, annual leave, pension and benefits information | SP, HR secure docs and personnel files. Pension to Aviva and OSPS.<br>Benefits – held at Axa and benefits in kind at University<br>So people can participate in benefits package | Performance of employment contract between employee and OUI |
| Start date | SP and Core, personnel files. To calculate continuous service and pay. Administering your contract. | Performance of employment contract between employee and OUI |
| Location of employment or workplace | In their contract. HR records. Buildings access. | Performance of employment contract between employee and OUI |
| Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process) | Agencies<br>Secure docs, Personnel files.<br>Right to work goes on Core and SP.<br>Checking you are legally entitled to work in the UK.<br>References – personnel files and agencies.<br>Making a decision about your recruitment or appointment. | Legal requirement<br>Performance of employment contract between employee and OUI |
| Employment records (including job titles, work history, working hours, training records and professional memberships, disciplinary and grievance information) | Secure docs, Core, personnel files<br>Monitor performance, education, training and development requirements, record in case of queries, to provide references to external parties asking for confirmation of your employment<br>Memberships only if relevant to the business and in relation to expenses paid by the company.<br>Gathering evidence for possible grievance or disciplinary hearings. | Performance of employment contract between employee and OUI |
| Compensation history | SP, Core. 7 years post someone leaving.<br>Enables us to check errors and enquiries by HMRC | Legal requirement – Statutory retention period |
| Performance information | Day to day management of employees. In emails, personnel files. Conducting performance reviews, managing performance and determining performance requirements. Making decisions about salary reviews. Making decisions about continued employment or engagement. | Performance of employment contract between employee and OUI |
| Information about your use of our information and communications systems including mobile phone records.<br>CCTV footage and building access information | To monitor your use of our information and communications systems to ensure compliance with our IT policies.<br>To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution | Performance of employment contract between employee and OUI<br>Our legitimate interest in ensuring the security of the premises for staff and visitors |
| Photographs | To provide you with a University card to enable access to OUI and University buildings and facilities<br>Internal use including maintaining the photo structure chart and celebrating success & to maintain the People section of the OUI website | Performance of employment contract between employee and OUI<br>OUI’s and the University’s legitimate interest in controlling access to our facilities |

Aggregated Data: We collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not personal data because it does not directly or indirectly identify you.

If we combine or connect any aggregated data with your personal data so that you can be identified, the combined data will be used in accordance with this Privacy Notice.

SPECIAL CATEGORIES OF PERSONAL DATA

The special categories of personal data we collect and use, the purposes for which we use that personal data, the legal bases we rely on to allow us to use your personal data in that way and further justification for using that personal data are set out in the table below.

| TYPE OF SPECIAL CATEGORY OF PERSONAL DATA | HOW WE USE THAT DATA | THE LAWFUL BASIS AND JUSTIFICATION FOR OUR PROCESSING THAT DATA |
|---|---|---|
| Information about your health, including any disability and/or medical condition and health and sickness records | To ensure health and safety in the workplace<br>To assess your fitness to work or to provide appropriate workplace adjustments<br>To monitor and manage sickness absence. Held on SP and personnel files. Statutory retention and compliance. Compliance with disability legislation.<br>To administer benefits<br>In case of a medical emergency | Necessary for compliance with a legal obligation to which we are subject<br>Necessary for the performance of your contract with us<br>Necessary to carry out our legal obligations or exercise rights in connection with employment and social security<br>Necessary for the performance of your contract with us<br>Necessary to protect your vital interests where you cannot give consent |

YOUR CONSENT

We do not need your consent if we use special categories of your personal data as set out above.

In limited circumstances, we may ask for your written consent to allow us to process special categories of your personal data. If we ask for your written consent, we will provide you with full details of the special category personal data we would like to process and the reason we need to process it, so that you can consider whether or not you are willing to give your consent.

It is not a condition of your contract with us that you give us any such consent and you will always be free to withhold that consent.

CHANGE OF PURPOSE

We will use your personal data only for the purposes for which we collected it, unless:

a) we reasonably consider that we need to use it for another purpose and that other purpose is compatible with the original purpose; or

b) we anonymise your personal data and use it for research or statistical purposes.

For an explanation as to how our use of your personal data for a new purpose is compatible with the original purpose, please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.

If we intend to use your personal data for an unrelated purpose, we will contact you to explain the legal basis which allows us to use your personal data for that unrelated purpose.

If we use your personal data for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes and we impose the safeguards required by the law, those purposes are treated as being compatible with the original purpose.

AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means, but we will notify you in writing if this position changes.

SHARING YOUR PERSONAL DATA

We share your personal data with:

– Our insurance broker and the insurance company which provides your health insurance.

– Our pensions broker and the company which provides your pension, and the University in relation to pension provision.

– Anyone else, if necessary to administer our working relationship with you.

– The University of Oxford as part of our regular reporting activities.

– The University of Oxford for the purposes of processing our payroll and pensions and ensuring compliance with legal obligations (for example, right to work), and for L&D records where you have used University training opportunities.

– Anyone else we engage to process personal data for us, such as the provider of our IT systems. That person will be obliged to use your personal data only for our purposes, to process it only in accordance with our instructions and to have appropriate security measures in place to protect your personal data.

– If necessary to obtain advice, to our professional advisers who owe an obligation of confidence to us.

– To law enforcement agencies, if we know or think that you are engaged in any illegal activity.

– Anyone, if necessary to comply with any law or regulation.

– Anyone, if necessary to enforce our rights or to protect our property or to protect the rights or property of anyone else.

– A purchaser of OUI or of our business or any business assets – we may disclose your personal data to the prospective buyer(s) and its or their professional advisers and, if our business assets are sold, our customers’ personal data will be one of the assets transferred.

– Any business with which we merge or merge part of our business.

– Any company or business which we acquire.

TRANSFERS OF YOUR PERSONAL DATA OUTSIDE THE EU

We transfer your personal data outside the European Union, but we do not do so unless at least one of the following applies:

a) We transfer it to a country which the European Commission has decided ensures an adequate level of protection for personal data or if the recipient has entered into the Standard Contractual Clauses published by the European Commission. If you wish to see a copy of the Standard Contractual Clauses, please email enquiries@innovation.ox.ac.uk.

b) We transfer your personal data to an entity in the United States which participates in the Privacy Shield. That obliges the US entity to protect personal data shared between the European Union and the US.

c) You have given your explicit consent to the transfer of your personal data. (If you have given that consent you may withdraw it at any time by emailing enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.)

d) We cannot perform our contract with you without making that transfer.

e) We cannot take steps you have requested us to take without making that transfer.

f) We cannot enter into or perform a contract with someone else and which is in your interests without making that transfer.

g) The transfer is necessary for important reasons of public interest.

h) The transfer is necessary for the establishment, exercise or defence of legal claims.

Your personal data will be accessed by our staff when they are outside the European Union, but the same safeguards will apply as though our staff were accessing your personal data from within the European Union.

DATA SECURITY

We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will process your personal data only on our instructions and they are subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach. If the law obliges us to do so, we will inform the Information Commissioner’s Office and you of a breach of security involving your personal data.

HOW LONG WE KEEP YOUR PERSONAL DATA

We will keep your personal data only for so long as is necessary to achieve the purpose for which we have collected that data, or as required by law, or as required to meet any legal, accounting, or reporting requirements.

When deciding what is the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from any unauthorised use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your personal data. Please see Your Rights.

If we anonymise your personal data, it will no longer be personal data and we may use it indefinitely.

Once you are no longer an employee, worker or contractor of OUI we will securely destroy your personal information unless it is retained as set out in this privacy policy.

We will retain your data for as long as we need it to fulfil our purposes, including any relating to legal, accounting, or reporting requirements.

Details of the retention periods for different types of HR data are available here.

YOUR RIGHTS

In certain circumstances you have the right to:

Request access to your personal data: You have the right to receive confirmation of whether or not we are holding or using your personal data and, if we are, to obtain a copy of your personal data.

Request the correction of your personal data: You have the right to have any incomplete or inaccurate personal data we hold about you corrected. We may need to verify the accuracy of any new data you provide.

Request the erasure of your personal data (the right to be forgotten): You have the right to ask us to delete or remove personal data where we have no good reason to continue using it.

You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to our using it (see below), where we have used your personal data unlawfully or where we are required to erase your personal data to comply with the law. We may not always be able to comply with your request for erasure for legal reasons which we will inform you about if you request erasure.

Request a restriction on the processing of your personal data: You have the right to ask us to suspend the processing of your personal data in the following circumstances:

a) if you want us to establish the data’s accuracy;

b) where our use of your personal data is unlawful but you do not want us to erase it;

c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

d) you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.

Object to the processing of your personal data: You have the right to object where we are relying on our legitimate interests (or those of a third party) and your particular situation leads you to think our processing affects your fundamental rights and freedoms.

In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data and that those grounds override your rights and freedoms.

Object to the use of your personal data for direct marketing purposes: You have the right to object where we are processing your personal data for direct marketing purposes.

Withdraw consent: Where you have given consent to our using your personal data for a specific purpose, you have the right to withdraw that consent at any time. Your withdrawal of consent will not affect the lawfulness of any use of your personal data based on your consent before you withdraw consent.

Request the transfer of your personal data (data portability): You have the right, where you provided your personal data to us, you gave consent to our using your personal data or we used that personal data to perform a contract with you and we have processed that data by automated means, to receive the personal data you have provided to us and to have us transmit that data to another person, if it is feasible to do so.

If you want to exercise any of the above rights please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.

We try to respond to all legitimate requests within a month. It may take us longer than a month if your request is complicated or you have made a number of requests. In this case, we will notify you and keep you updated.

Normally you will not have to pay a fee to access your personal data or to exercise any other right, but we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in those circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any other right. This is to ensure that personal data is not disclosed to a person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.

YOU ARE NOT OBLIGED TO PROVIDE US WITH ANY PERSONAL DATA

You may decide not to give us any personal data, but if you do not provide data which is necessary for us to perform our contract with you, we may not be able to perform some of our obligations (such as paying you or providing you with a benefit) or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

COMPLAINTS AND ENQUIRIES

We take any complaints we receive very seriously. Please bring it to our attention if you think that our collection or use of your personal data is unfair, misleading or inappropriate.

We also welcome any suggestions for improving our procedures.

This Privacy Notice was drafted with brevity and clarity in mind. It does not provide exhaustive details of our collection and use of personal data, but please feel free to contact us if you want any additional information or further explanation.

You have the right to make a complaint about the way we have used your personal data to the UK Information Commissioner’s Office (the ICO). The ICO’s contact details are: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or www.ico.org.uk, but please give us a chance to address your concerns before you contact the ICO.

HOW TO CONTACT US

If you want to ask us about this Privacy Notice, please email enquiries@innovation.ox.ac.uk with ‘Data Protection Enquiry’ in the subject line of your email.

CHANGES TO THIS PRIVACY NOTICE AND YOUR PERSONAL DATA

We keep this Privacy Notice under review. It was last updated on 14 March 2019.

We may update this Privacy Notice at any time, and we will provide you with a new Privacy Notice if we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

It is important that your personal data is accurate and up to date. Please let us know if your personal data changes whilst you are an employee, worker or contractor of OUI.

© Oxford University Innovation