Privacy notice for University Staff

Updated on 1 February 2024

This privacy notice applies to all staff, former staff, agency staff, contractors, consultants and secondees. However, the information we will process about you will vary depending on your role and personal circumstances.

To facilitate your employment with the University of Dundee (“the University”) and to meet all obligations associated with that employment further to legislation, regulation and convention, the University processes your personal data and special categories of your personal data during and after the end of the employment relationship.

How we use your information

Your information is used, in general, for recruitment, administrative, management, legal, pastoral, payroll, pensions, equality and diversity, security and health and safety reasons.

The University must make certain mandatory disclosures of information to bodies such as regulators, law enforcement agencies and local, national and supra-national government bodies in all the countries in which it operates. Examples include the Higher Education Statistics Agency, HMRC, UK Visas and Immigration, Electoral Registration Offices, funding councils or other funding bodies, partner organisations, pension providers and competent professional regulators.

The University may also choose to share information with partners, funding bodies or other entities further to its aims and objectives, whilst respecting your rights and freedoms in relation to your personal data.

You may have provided the University with your information, or we may have received your information from other agents on your behalf (such as a referee or recruitment company) or from your employer if you are a secondee.

Your information may be processed further to your membership of a pension scheme, including the sharing of information between the University and the scheme. There is information on pension schemes at the University on our website. You may also wish to look at the privacy notices provided by your pension scheme.

For more information on the manner in which personal data is used by the University, please see the information on our website.

Additional information is also provided in privacy notices for Schools, Professional Services and specific activities throughout the University and these notices should be considered individually along with this overview.

Personal data

Your personal data will normally comprise information such as your name, date of birth, ID numbers, addresses, telephone numbers, email addresses, emergency contact information, gender, financial information (for example, payroll and pensions) etc.

Special categories of personal data

Special categories of personal data processed by the University will normally include equality and diversity monitoring information (for example, race, ethnicity, gender identity, religion, sexual orientation, pregnancy, paternity leave status, caring responsibilities), disability information, health and welfare information, trade union membership etc.

Data controller

The University is normally the data controller for the information it holds about you. On occasion, for example, when working in partnership with other organisations, the University may be a joint data controller (where both organisations direct the processing of your data). The University may, from time to time, act as a data processor (where it processes your information on behalf of another organisation, for example where local trades union officers are permitted to use University systems further to their trades union activities).

Your data will be processed in a variety of University systems appropriate to the purpose for which it is being held or used. These include the HR recruitment system, the HR management system, the finance system, Microsoft 365 products (the University's productivity suite, including email), the VLE, the Library management system, research management systems (for example, Pure), the University website (for example, your professional contact information and biography), security access systems (including door access systems), IT systems (including systems administration or security tools or identity management information), manual files in Schools and Professional Services etc.

The University's service providers may be cloud-based or the information may be stored on servers owned and operated by the University’s Digital and Technology Services department. Cloud-based systems may use infrastructure providers based out-with the European Economic Area. Where the University works with overseas partners, this may also require the transfer of your data out-with the EEA. Whenever we do this, to ensure that your personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, we require such third parties to agree to put in place safeguards, such as the Addendum to the New EU Standard Contractual Clauses or the UK International Data Transfer Agreement, by signing the University’s template data sharing agreement or having in place equivalent adequacy measures.

For more information on the manner in which personal data is used by the University, please see the information published on the University’s data protection webpages.

Lawful processing

In general, the University asserts that it is lawful for it to process your personal data in relation to your employment as that processing is necessary for one or more of the following reasons:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • for compliance with a legal obligation to which the controller is subject;
  • to protect the vital interests of the data subject or of another natural person;
  • where the processing is necessary for the pursuit of our legitimate interests;
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where processing falls out-with the normal course of business the University may, from time to time, seek your consent to process your data for one or more specific purposes.

In general, the University asserts that it is lawful for it to process special categories of your personal data in relation to your employment as that processing is necessary for one or more of the following reasons:

  • for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
  • to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
  • for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
  • for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to [applicable] conditions and safeguards.
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the UK GDPR (as supplemented by section 19 of the Data Protection Act 2018) based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Where processing falls out-with the normal course of business the University may, from time to time, seek your consent to process special categories of personal data for one or more specific purposes.

The University may choose to identify one or more bases for lawful processing in relation to specific activities in this domain. Please see the University website for more information.

Your rights

The University respects your rights and preferences in relation to your data. If you wish to update, access, erase, or limit the use of your information, please let us know by emailing dataprotection@dundee.ac.uk. If you wish to complain about the use of your information, please email dataprotection@dundee.ac.uk. You may also wish to contact the Information Commissioner's Office.

Changes to our privacy notice

This Privacy Notice may be updated from time to time. Any updates will appear on this webpage. You should check this notice regularly to keep yourself informed of any changes.

If you have any questions about our privacy notice, please contact the Data Protection Officer on dataprotection@dundee.ac.uk or by post at University of Dundee, Nethergate, Dundee, DD1 4HN.

Enquiries

Data Protection

dataprotection@dundee.ac.uk