Staff Privacy Notice
Glasgow Clyde College (‘the College’) is committed to protecting the privacy and security of your personal information. This privacy notice outlines how we collect and use your personal data prior to, during and after your working relationship with us; from initial enquiries, to application and recruitment processes through to payroll, pension provision and other employment services we provide.
This notice applies to all employees, Board Members, fixed-term workers and contractors (hereafter ‘staff’). All your personal information will be treated in accordance with data protection law including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
In terms of Data Protection legislation, Glasgow Clyde College, 690 Mosspark Road, Cardonald, Glasgow, G52 3AY, is the Data Controller for information it receives in relation to you and is registered with the Information Commissioner’s Office, registration number Z7497735.
2 Purpose of the Privacy Notice
The purpose of this Privacy Notice is to inform staff how their personal information will be used, outlining the Colleges responsibilities and obligations as a Data Controller and:
- Explains the lawful basis relied on when processing your personal data;
- Provides an overview of the purposes for which your personal data is used;
- Explains the sources of the information which we hold:
- Sets out the types of information which we process;
- Informs you who has access to your personal data and the limited conditions under which your personal data may be shared with third parties;
- Explains your privacy rights and the steps you can take to exercise these;
- Explains how we will protect your personal data, keeping it safe and secure.
3 Personal information processed under contract (and other lawful bases)
Your personal data is being processed by the College as you are taking steps to become party to, have or have had a contract with us. The College must use your personal information to fulfil its contractual obligations to you (outlined below). The College processes your special category ‘sensitive’ data, for example equalities and health data, where this is necessary for purposes related to employment law. Without processing your information, it will not be possible for you to become a member of staff.
The College may also process your personal data where we are legally required to, for example in the prevention and detection of crime, under legal obligation for example reporting of equalities data to government bodies or during our performance of a task carried out in the public interest or in the exercise of official authority, for example reporting to the Scottish Funding Council for audit purposes.
Special category ‘sensitive’ data processed by the College may include:
- information collected during equalities monitoring such as ethnicity or religion, or in relation to your health are processed for the purposes of carrying out requirements incumbent on the College and you under employment law, using this specified lawful basis in data protection law
- health data, where required, may be shared for the purpose of occupational medicine, where this service has been outsourced to a third party, again using this specified lawful basis in data protection law;
- health and disability data may be processed to ensure reasonable adjustments can be made to support you in your work;
- criminal conviction data, where you are required to have a Disclosure Scotland and/or PVG check as part of your contract with the may be requested and processed
- certain equalities information may be shared to public sector bodies and unions in an anonymised form (your identifying information, for example name, data of birth, address is removed), for example to ensure equality of opportunity, under substantial public interest using relevant legislation such as the Equality Act;
- trade union membership information may be processed, for example to ensure membership payments are made;
- in an emergency, information may be shared to medical professionals.
4 Why we process your information
We need to process your data as part of our contract with you. This ranges from initial job application, through the recruitment process to annual reviews, providing occupational health, pensions and other services as part of your contract. In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is mandatory to check a successful applicant's eligibility to work in the UK before employment starts.
Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
The College may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics. We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We process such information to carry out our obligations and exercise specific rights in relation to employment.
- Application and recruitment purposes.
- Making and keeping staff records on central systems, maintaining your staff record and managing HR processes.
- Support purposes, including the provision of advice and support to you, occupational health, health and safety, attendance monitoring, where you need or choose to access these services.
- Undertaking enquiries and investigations in relation to complaints, staff conduct, fitness to practice, academic appeals, and any other enquiries and investigations in line with college policies.
- Carrying out criminal record checks for staff through Disclosure Scotland including Protecting Vulnerable Groups (PVG) membership scheme.
- Managing college services including IT services, library services and events.
- Administering financial matters including payment of salaries. Financial information may be shared outside of the College including sharing information with pension providers.
- Communication purposes including email, text messages and other electronic communications.
- Providing reports to education sector bodies, such as the Scottish Funding Council and Glasgow Regional Colleges Board, which provides funding to Glasgow Clyde College.
- For the purposes of ensuring that our College community remains safe and inclusive, including the management of behavioural or disciplinary issues (including use or misuse of electronic and communication systems and social media) and use of CCTV.
- Research including monitoring quality and performance.
- Contacting your emergency contacts.
- Providing references to future employers.
- Statistical and archive purposes.
5 Sources of Information
The personal information held about you is obtained from several sources including the following:
- Personal data provided by you in person, by letter, by telephone or by email when enquiring and discussing, applying to and enrolling.
- Personal data provided by your previous employer(s), by letter, by telephone or by email in relation to your application, employment and/or ongoing support where appropriate.
- Personal data built up about you during your employment; assessments; conduct; your use of IT systems and Information Services.
- Financial information provided by you and from payroll or pensions, or sponsors.
- Criminal record checks from Disclosure Scotland.
6 What information do we collect?
The College collects a range of information about you. This may include:
- your name, address and contact details, including personal email address and telephone number;
- date of birth, gender, marital status and dependants;
- details of your qualifications, skills, experience and employment history;
- CV, cover letter and references from previous employers;
- next of kin and emergency contact information;
- National Insurance number;
- bank account details, payroll records and tax status information;
- salary, annual leave, pension and information about your current level of remuneration, including benefit entitlements;
- workplace location;
- CCTV footage and other information collected electronically, for example using your staff card to access printers, IT and telephony access and use;
- start and end dates;
- copy of driving licence, passport or utility bill;
- employment records, including job titles, work history, working hours, training records and professional memberships;
- Personal Development Plan (PDP);
- Dignity at Work;
- disciplinary and grievance information
- whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process; and
- information about your entitlement to work in the UK.
We may also collect and process special category ‘sensitive’ data for example:
- information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
- Trade Union Membership;
- Information about your health, including any medical conditions, health and sickness records;
- Information about criminal convictions and offences.
7 Sources of information
The College may collect personal information about you in a variety of ways. For example, you may provide the data directly to us through application forms, CVs or resumes, your passport or other identity documents, or collected through interviews or other forms of assessment.
We may also collect personal data about you from third parties, such as references supplied by former employers, information from pension providers or criminal convictions and offences data from Disclosure Scotland through the PVG scheme where necessary. We will only seek information from third parties once a job offer to you has been made.
8 Sharing information with others
8.1 Using your Emergency Contact Details
Emergency contact details will only be used in exceptional circumstances, for example when we believe that there are significant concerns about your health or well-being.
8.2 Access to and Disclosure of Information
We will manage your information securely. Access to your information by College staff or other individuals acting on our behalf, for example contractors or service providers, is on a need-to-know basis and will only be processed in accordance with data protection legislation, under our instructions and in-line with this privacy notice. We have technical and organisational measures in place to safeguard your information as required under data protection law.
8.3 Sharing your Personal Data
Your information may be shared internally for the purposes of the recruitment exercise, where identifiable personal and equality data is removed and applications are assessed on the individual meeting the essential criteria for the post. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers to obtain references for you.
The College outsources a number of services we provide to our employees. Some of these are under contract with the supplier who act as a Data Processor on our behalf; the College, as the Data Controller, tells the supplier how to process your data, when to delete it and so on. Your data may be provided to organisations including but not limited to:
- Microsoft to support your use of Office 365, One Drive and SharePoint, including emails, calendars and other apps used through this service;
- Childcare Voucher providers, for example Sodexo;
- Cycle to work scheme delivery partners, for example Halfords.
In other circumstances, the College will share your data to another organisation who then become the Data Controller. This means they determine how your data will be processed and accountable for this. These organisations include:
- Occupational Health scheme provider, for example Integral
- Credit Unions, including Scotwest
- The Scottish Public Pension Agency, Strathclyde Pension Fund or other pension providers;
- the National Fraud Initiative as required by law;
- Student Loans, where deductions are taken directly from salaries;
- Earning arrestments, where debts are deducted directly from salaries;
- the Scottish Funding Council, Colleges Scotland and Glasgow College’s Regional Board, for funding and audit purposes. Where possible, all personal information is removed before sharing this data to ensure anonymity, but there may be circumstances where your personal information will be shared.
Safeguards are in place to protect your personal data when it is shared with a third party. These safeguards are documented in legally-binding contracts and data sharing agreements.
Under data protection law, where you have provided consent for data processing, you can withdraw your consent at any time, effectively preventing your data from being disclosed where consent is required. This sharing can be stopped at any time by withdrawing your consent.
9 Protecting your information
We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties in relation to the recruitment process and employment service.
The College has a series of technical and organisational measures in place to protect and safeguard all the information that it holds, including internal policies and procedures. For example, data is securely stored onsite, on internal College or Microsoft servers under contract, where appropriate data and devices are encrypted, staff receive training and briefing on information security and data handling and staff only access data on a ‘need-to-know’ basis. The College is Cyber Essentials Plus accredited and ensures any third parties it shares information with provides a similar level of security.
10 Storage of your personal data
Your personal data will be stored safely and securely in a range of different places across the College infrastructure, including on your application record, in HR management systems and on other IT systems. Most data is held within the College. Some data is held on UK servers under contract, for example on Microsoft One Drive and Outlook (email, calendar and tasks). There are other circumstances where your data may be stored within the European Economic Area (EEA), ensuring your data is still governed under EU and UK data protection law.
11 Retention of your personal information
The College only holds data for the minimum time necessary to fulfil the purpose for which it was collected. To ensure this, the College has a Data Retention Schedule in place.
For unsuccessful applications for employment, the College will hold your data on file for six months after the end of the relevant recruitment process.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic and paper based) and retained during your employment with all other data processed during your time with us. Your data will be destroyed one year after your contract ends with the College.
12 Making sure your personal information is accurate
The College strives to ensure that all personal data remain current and accurate. If you become aware of any incorrect information held, you have the right to request that this is rectified. There are certain areas where we rely upon you to inform us of any changes to your personal data, for example contact and emergency contact details. It is your responsibility to inform us of these changes.
13 International data transfers
Most of your data is held by the College within the UK. There may be some instances where your data is processed within the European Economic Area (EEA) or some very limited instances where your data may be shared beyond the EEA, for example sharing of information to partner institutes to support exchange trips or where a software service provider may have a specialist team based outside the EEA or you use online web applications or social media. When doing so, we ensure that appropriate safeguards are in place to protect your information and your rights under data protection law.
14 Your Privacy Rights
Under data protection law, you have legal rights in relation to your information, including:
- your right to be informed of how your data is being processed, (as in this privacy notice);
- your right to access and obtain a copy of your data on request, often referred to as a subject access request;
- your right to ask an organisation to change incorrect or incomplete data;
- your right to ask an organisation to delete or stop processing your data under certain circumstances;
- your right to object to the processing of your data under certain circumstances;
- your right to data portability and in relation to automated decision making and profiling.
Further details about your privacy rights can be found on the Information Commissioner’s Office website here.
15 Data protection contact details and further information
If you would like further information about how the College processes your personal data or you have a concern about how your data is being processed, please contact our Data Protection Officer (DPO). You can do this by:
If you are dissatisfied with the response, you have the right to lodge a complaint with the Information Commissioner’s Office using their website https://ico.org.uk/make-a-complaint/ or by phone on 0303-123-1113. Alternatively, you can write to them:
Information Commissioner’s Office
Telephone: 0303 123 1113
We review our privacy information regularly. If we anticipate that substantial changes will be made to the way we process your data, we will update our privacy information and communicate the changes to you before starting any new processing.