Staff Privacy Notice
Glasgow Clyde College (‘the College’) is committed to protecting the privacy and security of your personal information. This privacy notice outlines how we collect and use your personal data prior to, during and after your working relationship with us; from initial enquiries to application and recruitment processes through to payroll, pension provision and other employment services we provide.
This notice applies to all employees, Board Members, fixed-term workers and contractors (hereafter ‘staff’). All your personal information will be treated in accordance with UK data protection law.
In terms of data protection legislation, Glasgow Clyde College, 690 Mosspark Road, Cardonald, Glasgow, G52 3AY, is the Controller for information it receives in relation to you and is registered with the Information Commissioner’s Office, registration number Z7497735.
2 Purpose of the Privacy Notice
The purpose of this Privacy Notice is to inform staff how their personal information will be used, outlining the Colleges responsibilities and obligations as a Controller and:
- Explains the lawful basis relied on when processing your personal data
- Provides an overview of the purposes for which your personal data is used
- Explains the sources of the information we hold
- Sets out the types of information which we process
- Informs you who has access to your personal data and the limited conditions under which your personal data may be shared with third parties
- Explains your privacy rights and the steps you can take to exercise these
- Explains how we will protect your personal data, keeping it safe and secure
3 Personal information processed under contract (and other lawful bases)
Your personal data is processed by the College as you are taking steps to become party to, have or have had a contract with us. The College must use your personal information to fulfil its contractual obligations to you (outlined below). The College processes your special category ‘sensitive’ data, for example equalities and health data, where this is necessary for purposes related to your employment. Without processing your information, it will not be possible for you to become a member of staff.
The College will only process your personal data where we have a lawful basis to do so, for example under legal obligation in the prevention and detection of crime or reporting of equalities data to government bodies or during our performance of a task carried out in the public interest, for example reporting to the Scottish Funding Council for audit purposes.
Special category ‘sensitive’ data processed by the College may include:
- information collected during equalities monitoring such as ethnicity or religion, or in relation to your health for the purposes of carrying out requirements incumbent on the College and you under employment law
- health data, where required, may be shared for the purpose of occupational medicine, where this service has been outsourced to a third party
- health and disability data may be processed to ensure reasonable adjustments can be made to support you in your work
- criminal conviction data, where you are required to have a Disclosure Scotland and/or PVG check as part of your contract
- certain equalities information may be shared to public sector bodies and unions in an anonymised form (your identifying information including name, data of birth, address is removed), to ensure equality of opportunity, under substantial public interest using relevant legislation for example the Equality Act;
- trade union membership information may be processed, to ensure membership payments are made
- in an emergency, information may be shared to medical professionals
4 Why we process your information
We need to process your data as part of our contract with you. This ranges from initial job application, through the recruitment process to annual reviews, staff development and training, providing occupational health, pensions and other services as part of your contract. In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is mandatory to check a successful applicant's eligibility to work in the UK before employment starts.
Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
The College may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics. We may also collect information about applicants health to make reasonable adjustments for candidates who have a disability. We process such information to carry out our obligations and exercise specific rights in relation to employment. Personal data may be processed for the following purposes, including but not limited to:
- Application and recruitment
- Making and keeping staff records on central systems, maintaining your staff record and managing HR processes
- Support purposes, including the provision of advice and support to you, occupational health, health and safety, attendance monitoring, where you need or choose to access these services
- Undertaking enquiries and investigations in relation to complaints, staff conduct, fitness to practice, academic appeals, and any other enquiries and investigations in line with college policies
- Carrying out criminal record checks for staff through Disclosure Scotland including Protecting Vulnerable Groups (PVG) membership scheme
- Managing college services including IT services, library services and events
- Providing staff development and training opportunities, often via third-party providers
- Administering financial matters including payment of salaries. Financial information may be shared outside of the College including sharing information with pension providers
- Communication purposes including email, text messages and other electronic communications
- Providing reports to education sector bodies, such as the Scottish Funding Council and Glasgow Regional Colleges Board, which provides funding to Glasgow Clyde College
- For the purposes of ensuring that our College community remains safe and inclusive, including the management of behavioural or disciplinary issues (including use or misuse of electronic and communication systems and social media) and use of CCTV
- Research including monitoring quality and performance
- Contacting your emergency contacts
- Providing references to future employers
- Statistical and archive purposes
5 Sources of Information
The personal information held about you is obtained from several sources including the following:
- Personal data provided by you in person, by letter, by telephone or by email when enquiring and discussing, applying to, and enrolling.
- Personal data provided by your previous employer(s), by letter, by telephone or by email in relation to your application, employment and/or ongoing support where appropriate.
- Personal data built up about you during your employment including assessments, training, conduct, your use of IT systems and Information Services.
- Financial information provided by you and from payroll or pensions, or sponsors
- Criminal record checks from Disclosure Scotland
6 What information do we collect?
The College collects a range of information about you. This may include:
- your name, address and contact details, including personal email address and telephone number
- date of birth, gender, marital status and dependants
- details of your qualifications, skills, experience and employment history
- CV, cover letter and references from previous employers
- next of kin and emergency contact information
- National Insurance number
- bank account details, payroll records and tax status information
- salary, annual leave, pension, and information about your current level of remuneration, including benefit entitlements
- workplace location
- CCTV footage and other information collected electronically, for example using your staff card to access printers, IT and telephony access and use
- start and end dates
- copy of driving licence, passport, or utility bill
- employment records, including job titles, work history, working hours, training records and professional memberships
- Personal Development Plan (PDP)
- Dignity at Work
- disciplinary and grievance information
- whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process
- information about your entitlement to work in the UK
We may also collect and process special category ‘sensitive’ data for example:
- information about your race or ethnicity, religious beliefs, sexual orientation, and political opinions
- Trade Union Membership
- Information about your health, including any medical conditions, health and sickness records
- Information about criminal convictions and offences
7 Sources of information
The College may collect personal information about you in a variety of ways. For example, you may provide the data directly to us through application forms, CVs or resumes, your passport or other identity documents, or collected through interviews or other forms of assessment.
We may also collect personal data about you from third parties, such as references supplied by former employers, information from pension providers or criminal convictions and offences data from Disclosure Scotland through the PVG scheme where necessary. We will only seek information from third parties once a job offer to you has been made.
8 Sharing information with others
8.1 Using your Emergency Contact Details
Emergency contact details will only be used in exceptional circumstances, for example when we believe that there are significant concerns about your health or wellbeing.
8.2 Access to and Disclosure of Information
We will manage your information securely. Access to your information by College staff or other individuals acting on our behalf, for example contractors or third -party service providers, is on a need-to-know basis and will only be processed in accordance with data protection law, under our instruction and in-line with this privacy notice. We have technical and organisational measures in place to safeguard your information.
8.3 Sharing your Personal Data
Your information may be shared internally for the purposes of the recruitment exercise, where identifiable personal and equality data is removed, and applications are assessed on the individual meeting the essential criteria for the post. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
We will not share your data with third parties unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers to obtain references for you.
The College outsources a number of employee services. Some of these are under contract with the supplier who act as a Processor on our behalf; the College, as the Controller, tells the supplier how to process your data, when to delete it and so on. Your data may be provided to organisations including but not limited to:
- Microsoft to support your use of Office 365, One Drive and SharePoint, including Outlook for emails, calendars and other apps used through this service
- VLE providers for example Canvas or Moodle and organisations involved in supporting these environments including PowerBi
- Training providers
- Childcare Voucher providers, for example Sodexo
- Cycle to work scheme delivery partners, for example Halfords
In other circumstances, the College will share your data to another organisation who then become the Controller. This means they determine how your data will be processed, becoming accountable for this. These organisations include:
- Occupational Health scheme provider, for example Integral
- Credit Unions, including Scotwest
- The Scottish Public Pension Agency, Strathclyde Pension Fund or other pension providers
- the National Fraud Initiative as required by law
- Student Loans, where deductions are taken directly from salaries
- Earning arrestment’s, where debts are deducted directly from salaries
- the Scottish Funding Council, Colleges Scotland and Glasgow College’s Regional Board, for funding, audit and reporting purposes. Where possible, personal information is removed before sharing this data to ensure anonymity, but there may be circumstances where your personal information will be shared.
Safeguards are in place to protect your personal data when it is shared with a third party. These safeguards are documented in legally binding contracts and data sharing agreements.
Where you have provided consent for your data to be processed, you can withdraw your consent at any time, effectively stopping this processing.
9 Protecting your information
We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is only accessed by our employees on a need-to-know basis in the performance of their duties in relation to the recruitment process and employment service.
The College has a series of technical and organisational measures in place to protect and safeguard all the information that it holds, including internal policies and procedures. For example, data is securely stored onsite, on internal and external servers under contract, where appropriate data and devices are encrypted, staff receive training and briefing on information security and data handling and staff only access data on a ‘need-to-know’ basis. The College is Cyber Essentials Plus accredited and ensures any third parties it shares information with provides a similar level of security.
10 Storage of your personal data
Your personal data will be stored safely and securely across the College, including on your application record, in HR management systems and on other IT systems. Some data is held on UK servers under contract, for example on Microsoft One Drive, SharePoint and Outlook (email, calendar and tasks). There are other circumstances where your data may be stored within the European Economic Area (EEA), ensuring your data is still governed under EU and UK data protection law.
11 Retention of your personal information
The College only holds data for the minimum time necessary to fulfil the purpose for which it was collected. To ensure this, the College has a Data Retention Schedule in place.
For unsuccessful applications for employment, the College will hold your data on file for six months after the end of the relevant recruitment process.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic and paper based) and retained with all other data processed during your time with us. Your data will be destroyed one year after your contract ends with the College.
12 Making sure your personal information is accurate
The College strives to ensure that all personal data remain current and accurate. If you become aware of any incorrect information held, you have the right to request that this is rectified. There are certain areas where we rely upon you to inform us of any changes to your personal data, for example bank details, contact information and emergency contact details. It is your responsibility to inform us of these changes.
13 International data transfers
Most of your data is held by the College within the UK. There may be some instances where your data is processed within the European Economic Area (EEA) or some very limited instances where your data may be shared beyond the EEA, for example sharing of information to partner institutes to support exchange trips or where a software service provider may have a specialist team based outside the EEA or you use online web applications or social media. When doing so, we ensure that appropriate safeguards are in place to protect your information and your rights under data protection law.
14 Your Privacy Rights
Under data protection law, you have legal rights in relation to your information, including:
- your right to be informed of how your data is being processed, (as in this privacy notice)
- your right to access and obtain a copy of your data on request, often referred to as a subject access request
- your right to ask an organisation to change incorrect or incomplete data
- your right to ask an organisation to delete or stop processing your data under certain circumstances
- your right to object to the processing of your data under certain circumstances
Further details about your privacy rights can be found on the Information Commissioner’s Office website here.
15 Data protection contact details and further information
If you would like further information about how the College processes your personal data or you have a concern about how your data is being processed, please contact our Data Protection Officer (DPO). You can do this by:
Email: firstname.lastname@example.org or email@example.com
Telephone: 07904 908 944
If you are dissatisfied with the response, you have the right to lodge a complaint with the Information Commissioner’s Office using their website https://ico.org.uk/make-a-complaint/ or by phone on 0303 123 1113. Alternatively, you can write to them:
Information Commissioner’s Office
Telephone: 0303 123 1113
We review our privacy information regularly. If we anticipate that substantial changes will be made to the way we process your data, we will update our privacy information and communicate the changes to you before starting any new processing. Last updated May 2022.