In some circumstances, such as under a court order, we are legally obliged to share information. We may also share information about you with third parties including our data processors, training providers, government agencies (including the Health & Safety Executive, Local Health Authorities/Trusts, etc) and external auditors. For example, we may share information about you with HMRC for the purpose of collecting tax and national insurance contributions, statutory payments (such as maternity, adoption, etc).

This notice describes planned, regular data sharing and types of one-off data sharing which we know will usually arise. There may be additional one-off circumstances in which we share data with third parties which are not covered in this Notice or other privacy information, such as where a government or other public sector body exercises a legal right to require information in relation to a specific situation. We will only share information with third parties where we are satisfied that the sharing complies with the data protection laws.

We will disclose limited staff data to a variety of recipients including:

  • our employees, agencies, BU and subsidiary company Board members and contractors where there is a legitimate reason for their receiving the information (including service providers, such as our external IT support providers, our insurers and external legal and financial advisers)
  • current, past or potential employers of our staff (to provide or obtain references with your consent)
  • letting agents, banks, mortgage companies (to provide references with your consent)
  • professional and regulatory bodies (e.g. NMC, HCPC, BPS, SRA, BSB, ACCA) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process
  • Companies House in respect of director and company secretarial appointments and resignations for BU subsidiary companies (with your consent and in accordance with our legal obligations)
  • external organisations for the purposes of gaining professional accreditations or memberships (e.g. AACSB, AMBA. EQUIS). This information may include your name, career history, membership of professional associations and your publications
  • external assessors in respect of recruitment information relating to Professorial or Senior roles
  • UK Higher Education Funding Bodies and associated organisations including the REF, Research England, UK Research & Innovation, DfE, HEFCE and HEFCW and SFC
  • if your appointment is externally funded, the relevant funding body
  • the Higher Education Statistics Agency (HESA) on an annual basis in respect of anonymised data on our staff and Board members. For further information on how HESA collect and process information please see their website: https://www.hesa.ac.uk/about/regulation/data-protection/notices
  • government departments and agencies where we have a statutory obligation or other legal basis to provide information (e.g. Her Majesty's Revenue and Customs (HMRC), the Higher Education Funding Council for England (HEFCE), the Home Office (in connection with UK visas and immigration))
  • for roles that require security and criminal records checks, you’ll be asked to share your data with the Disclosure and Barring Service (DBS) and GBG Group, our external provider of online disclosure services
  • third parties who work with us to provide staff support services (e.g. coaching and mentoring and occupational health services)
  • third parties who are contracted to provide out–of–hours IT services for us
  • other higher education providers or employers where the member of staff is taking part in an exchange programme or other collaboration as part of their employment
  • external organisations including funders and third-party clients (for example, where our member of staff is named as part of a research application for external funding or is to be involved in providing consultancy services to an external organisation)
  • crime prevention or detection agencies (e.g. the police, security organisations, Department for Works and Pensions and local authorities)
  • pension providers (including, TPS, NHS, USS, LGPS)
  • emergency contacts (but only where we have consent from the member of staff or there is a legitimate reason for the disclosure)
  • healthcare, social and welfare organisations
  • representatives of a current, former or potential member of staff (but only where we have consent from the member of staff or there is a legitimate basis for the disclosure)
  • internal and external auditors
  • debt collection and tracing agencies
  • courts and tribunals
  • local and central government
  • trade union and staff associations (where information is already in the public domain or we have consent from the member of staff)
  • survey and research organisations, for example the annual staff survey
  • publications press and the media
  • to the new employer, where staff transfer to another organisation under TUPE regulations as required by law
  • software and data hosting providers, this will be subject to a formal data sharing agreement between the University and the supplier
  • internal or external auditors or investigators for the purposes of an internal or external audit or investigation

Certain personal information about our staff is available in the public domain and is shared on our website. Data that is publicly available world-wide and may be disclosed to third-parties, includes;

  • Names of members of Council and Senate
  • Names and academic qualifications of staff
  • Staff biographies
  • Workplace contact details
  • Other information relating to staff that they have agreed to share in the public domain or on our website.

We will send some of the staff information we hold to the Higher Education Statistics Agency (HESA). This does not include the name or contact details of staff. HESA collects and is responsible for the database in which HESA staff records are stored. HESA uses that information in its own right – to publish statistics about staff in higher education, for example. HESA also processes the information held in the databases for other organisations. The data protection laws also apply to HESA.

If a member of staff provides us with information about their disability status, ethnicity, sexual orientation, gender reassignment, parental leave or religion, this will be included in the HESA staff record. This helps to make sure people are being given equal opportunities and to prevent unlawful discrimination. HESA will not use this information in any way to make decisions about you.

For more information about the way HESA use staff information please visit the HESA website which contains the staff collection notice.

Non-routine data sharing in exceptional circumstances

We will share personal data with emergency services and/or the person you have identified to us as being your emergency contact, where this is necessary to safeguard your position or that of other individuals. 

More information: We will also share personal data with the police or other organisations with responsibility for investigating potential crimes such as fraud (e.g. local authority fraud investigation teams) where satisfied that this is necessary for the prevention or detection of crime. This may include sharing special category data such as health information.

Depending on the nature of the situation which has arisen, sharing with the emergency services could include sharing information with the police, National Health Service organisations and the Fire Service. This will be when disclosure is necessary to protect your vital interests, i.e. where you are at clear risk of harm, or to protect the vital interests of others e.g. if they are at risk of harm from your actions. We will only share special category data on this basis if it is not possible for us to obtain a valid consent from you to the disclosure. Where the police have told us, and we are satisfied that this is the case, that sharing your data with them is necessary for the purposes of preventing or detecting crime. Disclosure is necessary for the purposes of protecting you or others from risk of harm, or for prevention/detection of crime: these are purposes in the substantial public interest.

Privacy Notice Contents

  1. Introduction

  2. When and how we collect your data

  3. What personal data we process and why

  4. Lawful basis for processing your personal data

  5. How we hold your personal data and for how long

  6. Data Sharing

  7. Overseas transfers of personal data

  8. Your rights as a data subject and how to exercise them

  9. Further Information