Employee data privacy statement | University of Westminster, London

Personal data means any information relating to a person who could be directly or indirectly identified by that information. This definition provides for a wide range of ways that a person may be identified by their data. This includes their name, identification number, location data or an online identifier. Some information is considered to be ‘Special Category’ information and needs more protection because of its sensitivity.

The University of Westminster is the Data Controller for the personal information held in relation to your employment. This Privacy Notice is in addition to the University’s privacy notice.

How we collect information

We collect information about you when you

Apply for a role at the university
Become a colleague at the university
Throughout your employment and when your employment ends

Confidentiality

The information you provide relating to your employment will only be shared with colleagues from the People Culture and Wellbeing service. Access to your personal information is limited by permissions to only those staff and administrators who need access to manage your employment with us or where otherwise allowed by UK law.

What information we collect and hold

Personal information collected includes:

Name
Address
Date of birth
Telephone number
Personal email address
Employment and education history (including CV’s, cover letters and personal statements)
Education and qualifications
Reasons for applying for a post and supporting evidence
Scoring against interview questions
Data relating to pre-employment (bank details, salary, references, contract details, Terms and Conditions and DBS checks)
Emergency contact details/next of kin details
Employment record
Records of authorised deductions
Personal files, including application, probation records, correspondence, contract changes, employment history, employee relation documentation and outcomes
Dates and reasons for all periods of absence
Professional Development Review (PDRs) records
Exit questionnaires
Redundancy calculations including, length of service, leaving date, payroll number, national insurance number, age of leaving, salary, employer enhancement and any payments
Learning and development records and any qualifications obtained
ID documentation, such as passport, driving licence, visas and evidence of qualifications
ID references such as national insurance numbers, employee number and Higher Education Statistics Agency (HESA) reference

Special category information collected includes:

Previous offences (where applicable to an application)
Pre employment medical checks
Details of referrals to Occupational Health
Disciplinary, misconduct, grievance and capability records
Disability records and declarations
Ethnicity, diversity and inclusion data
Union memberships
Industrial action days taken

How the personal information we hold is used

Your personal information will be used for:

Recruitment, selection and interviewing
Processing new starters
Conducting Right to Work checks
Running payroll processes
Processing of movements of staff from one post to another within the organisation
In order to pay your salary and manage authorised deductions, such as income tax, national insurance, pension, childcare vouchers, union membership fees and payments to third parties
Keeping a record of your employment
Recording and managing sickness, including referrals to Occupational Health
Recording and managing leave
Recording, payment and/or deduction of other leave e.g. maternity leave, paternity leave, special leave
Processing leavers
Providing employment references
Processing expenses claims
Paying overtime
Managing changes to roles e.g. job evaluations
Managing colleague case files
Negotiating and agreeing settlement agreements
Providing you with redundancy calculations
Recording performance objectives and achievements annually
Recording personal learning and development (including completion of mandatory eLearning modules)
Running and promoting staff benefit schemes
Administrating colleague assistance loans
Administration of enhanced life insurance policies
Allowing you to access the information held about you via the self service portal
Conducting staff surveys
Producing workforce statistics, collating statistical reports and monitoring performance of our services
For reporting purposes e.g. equal pay audits, gender pay gap and internal reporting of HR metrics, reports will contain anonymised data only
Auditing our policies and processes with internal and external auditors
Administering pension schemes
Provision of access to University sites and facilities, and use of IT services, including the University Library systems, and the IT tools you require for your role
Ensuring the safety and security of employees, including safeguarding
Provide information to the Higher Education Statistics Agency (HESA) for their use and purposes

Our reason for processing your personal data

We process your personal data for the following reason

Contract: the processing is necessary for a contract or we need to take specific steps before entering into a contract
Legal obligation: the processing is necessary for us to comply with the law
Vital interests: the processing is necessary to protect someone’s life
Public task: the processing is necessary for the perform a task in the public interest

Special category data is processed for the following reasons

Employment, social security and social protection (if authorised by law)
Vital interests

Organisations we may share your information with in relation to this processing

We will share your information with the following organisations;

Our HR system provider
Our occupational health provider (as required)
Suppliers we partner with to provide employee benefits
Pension scheme administrators
The e-DBS service with regard to Disclosure and Barring Service (DBS) checks
Government bodies and their authorised agents in line with current UK Higher Education legislation
Our insurance provider (as required)
Unions

How we protect your information

The personal information we hold will be processed with appropriate security and used in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). Your information may be held outside of the UK. Where this is the case, we ensure that appropriate measures are in place to protect your data.

Our data retention policy

We will retain this information only for as long as necessary. We may aggregate and anonymise data for wider internal management reporting or research purposes. Personal data will be kept in line with the university’s retention schedule.

Disclosure of information to third parties

Personal information will not be disclosed to external organisations other than those acting on the instructions of the University. Where this is the case, a written contract will be put in place between the University and the third party setting out appropriate data protection obligations.

We use several commercial companies and partners to either store personal information or to manage it on our behalf. Where we have these arrangements, we ensure that there is a contract or data sharing agreement is in place to ensure that the requirements of data protection legislation are met.

Sometimes we have a legal duty to disclose personal information. We may share your information:

for the detection and prevention of crime and fraudulent activity
if there are serious risks to the public, our staff or to other professionals
to protect a child
to protect adults who are thought to be at risk

Your rights

The law gives you several rights to control which personal information is used by us and how it is used by us.

How can you access the information we hold about you?

You are legally entitled to ask to see any records we hold about you. If you wish to request access to the personal information we hold about you, please contact the Information Compliance Team through the University’s subject access procedure.

How can you request correction of inaccurate information?

Whilst we try to ensure that any personal data we hold about you is correct, there may be situations where the information we hold is no longer accurate. If this is the case, please contact the department holding the information so that any errors can be investigated and corrected. If you don’t know which department to contact please contact the Information Compliance Team.

You can ask to delete information (right to be forgotten)

In some circumstances you can ask for your personal information to be deleted, for example, in instances where:

your personal information is no longer needed for the reason why it was collected in the first place
you have removed your consent for us to use your information (where there is no other legal reason for us to use it)
deleting the information is a legal requirement

Please note that there are situations where the right to be forgotten does not apply. Please contact the Information Compliance Team to make a request.

You can ask to limit what we use your data for

In some circumstances, you have the right to restrict what processing an organisation carries out or ask that they stop processing your personal data. When processing is restricted, the organisation may continue to store your data but not process it further. Please contact the Information Compliance Team to make a request.

You can ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. Please contact the Information Compliance Team to make a request.

You can object

You have the right to object to processing of your personal data at any time. This means that you can stop or prevent an organisation from using your data. However, it only applies in certain circumstances. Please contact the Information Compliance Team to make a request.

Automated decision making and profiling

You have a right to request that decisions based solely on automated processing, including profiling, which may produce a legal effect or affect them significantly, to have some form of human input so they are not automatically generated by a computer. Please contact the Information Compliance Team to make a request.

Right to complain

You have the right to complain about how we use your personal data. In the first instance, please contact the Information Compliance Team.

How to contact us?

If you would like further information or if you have any concerns about how we handle your data, these can be raised with our Information Compliance Team by emailing [email protected] or writing to;

Information Compliance Team
University of Westminster
32-38 Wells Street
London W1T 3UW

Independent advice

Independent advice can be sought from the UK regulator for data protection, the Information Commissioner’s Office (ICO).

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. Alternatively, visit www.ico.org.uk or email [email protected].

This privacy notice and updates

If you have any queries about this privacy notice, or about how we hold and use your data, please contact the Information Compliance Team.

We will review and update this privacy notice to reflect changes in our processes and procedures. When such changes occur, we will revise the 'last updated' date on this notice. We encourage you to periodically review this notice to remain informed.

Last reviewed and updated October 2025