Privacy information for staff and applicants

Introduction

Anglia Ruskin University Higher Education Corporation (ARU) is committed to protecting your personal information when you use our services. 

When saying “we”, “our” or “ARU”, we’re referring to Anglia Ruskin University.

Please read the following privacy policy to understand how we use and protect the information obtained via the following online services:

  • any ARU website that links to this Privacy Policy
  • social media or official ARU content on other websites
  • mobile device applications (apps).

It also relates to us using any personal information that you provide by phone, SMS, email, in letters and other correspondence, and in person.

This Privacy Policy explains the following:

  • who we are
  • what personal data we may collect about you
  • where get your personal data from
  • how we will use personal data we collect about you
  • who we share your personal data with
  • how long we hold your personal data
  • the legal basis for processing your personal data
  • your rights regarding the personal data you provide to us
  • the use of cookies on our websites and how you can reject them

By providing us with your personal data and using our services, you agree to the collection and use of this information in accordance with the purposes described above in this privacy notice or as otherwise explained to you.

If you have any requests concerning this Privacy Policy, your personal information, or any queries with regard to our processing please contact dpo@aru.ac.uk.

What personal data will ARU collect about me?

Whenever we ask for your personal data we will always make sure that it is necessary to identify you from the data we collect. If we do need to identify you we will make sure that we only collect and use the minimum details we need for the specific purpose.

We may receive your personal information when you: participate in, access or sign up to any of our services, activities or online content, phone or email us, apply for one of our jobs or create an account on our website.

We will collect the following about applicants for employment:

  • Personal contact details such as names, title, addresses, telephone numbers and personal email addresses.
  • Date of birth.
  • National Insurance number.
  • Copy of driving license, utility bills, bank statement, birth certificate, marriage certificate, passport.
  • Recruitment information (including work history, copies of right to work documentation, references, education and qualifications and other information included in a CV or cover letter or as part of the application process).
  • Equality information including your gender; nationality, marital status, ethnicity, religion, sexual orientation and disability details.

Once you become a member of staff we will also collect (at different times) some or all of the following:

  • Next of kin/ emergency contact information.
  • Marital status and dependants.
  • Bank account details, payroll records and tax status information.
  • Employment records (including job titles, start date, grade, salary, employment type, work base, continuous service details, working hours, terms and conditions, department, training records and professional memberships).
  • Disciplinary and grievance information.
  • Information about your time at the University and any support provided
  • Salary, annual leave, pension and benefits information.
  • Probation, performance and appraisal information.
  • Photographs.
  • Absence and sickness details.
  • Maternity, paternity and shared parental leave details.

ARU also collects data about how you use ARU mobile apps, websites or other university-related online content, and the device(s) you use to access these services. This includes collecting unique online identifiers such as IP addresses, which are numbers that can uniquely identify a specific computer or other network device on the web. For more information, please see the section on cookies within this privacy notice.

In all cases your personal data will be processed confidentially and securely.

Use of Sensitive Personal Data

Known as ‘Special Category Data’, this includes information relating to racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life and sexual orientation and criminal convictions and offences.

We may process special categories of personal data in the following circumstances where:

  • we need to carry out our legal obligations or exercise rights in connection with employment. Processing will be carried out in accordance our policy on processing special categories of personal data and the additional safeguards in place for such processing.
  • it is necessary to assess your working capacity, in accordance with employment law or pursuant to a contract with a health professional, and subject to confidentiality safeguards.
  • it is needed in the public interest, such as for equal opportunities monitoring or in relation to eligibility for or benefits payable under our occupational pension scheme.
  • it is needed in relation to legal claims.
  • it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your agreement.
  • you have already made the information public.
  • where you have given your explicit written consent.

We will use personal data:

  • about your physical and/or mental health or disability status to carry out our legal obligations or exercise rights in connection with your employment, for example to ensure your health and safety in the workplace and to assess your fitness to work and working capacity, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits on occasions in conjunction with occupational health or other health professionals subject to confidentiality.
  • about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  • relating to trade union membership to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.

Information about criminal convictions

We will only collect and use information relating to criminal convictions where:

  • the law allows us to do so. This will usually be where such processing is necessary to carry out our legal obligations due to the nature of the role.  Such information will be collected and used as part of the recruitment process or we may be notified directly by you or others in the course of you working for us.
  • it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your agreement or where you have already made the information public.

Updating and correcting your personal data

You can see your employee information we hold by logging into Business World. It is important that the personal data we hold about you is accurate and current so please keep us informed if your data changes during your relationship with us. You can do this by contacting Human Resources.

We may contact you by post, telephone or fax as well as by email, SMS and MMS. If you change your mind about being contacted in the future by any of these means you will be given the option to change your preferences.

Anyone taking part in university activities where they may be photographed, filmed, videoed or otherwise captured in image form: Where possible and practical to do so, we will seek written agreement for image capture and explain any intended use. Where this is not possible for practical reasons, unless express objections are received following our raising awareness that image capture will be taking place, individuals attending an event at ARU are deemed to have given their agreement by attending or remaining at the event. Any queries should be raised with the event host in the first instance.

Where the University publishes personal data on its website (such as name, contact details or image) and on Social Media tools (such as Twitter or Facebook) it will be accessible to users from all over the world. Your information can also be searched for using an identifier such as your name, and may be copied and used by any other person using the Internet. Most importantly, once your personal information has been published on the Internet, ARU has limited or no control over its subsequent use and disclosure, and cannot guarantee it has the technical control to remove it from publication. Please consider this for activities where we may ask for your consent to use your data in this way.

ARU will maintain a permanent record of its activities; particularly of key initiatives, major milestones in our history and of the work of key individuals associated with us. Where this archive collection may include personal data we will comply with the law by having appropriate safeguards in place to ensure our use of the data does not affect your rights, including where we may display, publish or provide researcher access to our collections. We do this under our legitimate interests’ and hold ‘special category data’ for archival purposes as the law allows.

Where do we get your personal data from?

  • From you when you disclose your personal data during the application process and over the course of your relationship with us as your employer, either as a member of staff or as former staff/ employee. i.e. when accessing or using any of our services such as occupational health, financial services, training and development, or counselling services.
  • From third party organisations (this can include Recruitment Agencies, Government Departments such as the Home Office, Disclosure and Barring Service,  Educational establishments, medical practitioners, HMRC, pension and payroll provider, former employers and other institutions). In circumstances whereby, we obtain personal data from a third party we will exercise due diligence to ensure that the third party has a legitimate entitlement to process the personal data and disclose it to us.

How do we use your personal data?

We set out in the legal basis section of this policy all the purposes for which we may process your personal data, identifying the legal basis and those external parties to whom we may disclose that personal information

  • To perform all tasks associated with the recruitment and administration of employees including but not limited to the following human resources services, payroll, pensions, and occupational health;
  • For staff including applicants, current and former staff we set out in the section below (click on the relevant tab) all the purposes for which we will process your personal data identifying the legal basis and those external parties to whom we may disclose the personal information;
  • To ensure that content is presented in the most effective manner for you and is cross platform and browser compatible;
  • To analyse the information we collect so that we can administer, support and improve our services;
  • To provide you with information, products or services that you request from us or which we feel may interest you, where you have agreed to be contacted for such purposes.
  • To notify you about changes to our service.

We may contact you by post, telephone or fax as well as by email, SMS and MMS. If you change your mind about being contacted in the future by any of these means then please contact dpo@aru.ac.uk.

Automated decision making and how decisions are made

Some of ARU's positions have specific qualification requirements and automated processing will be applied at application stage through our e-recruitment system to confirm these are met. All applicants will be asked to confirm whether they meet the specific criteria for the post they are applying for by selecting a Yes/ No answer. They will be allowed to proceed with an application where they confirm the requirement is met. If the applicant disagrees with the decision they have 21 days to request a reconsideration.

Who do we share your personal data with?

Any personal data is disclosed to ARU staff with a need to know, such as Occupational Health, Employee Assistance Programme provider, Disclosure and Barring Service, HMRC, Payroll and Pensions providers, UKVI, Unions and other organisations acting on behalf of ARU, all under contract or legal agreement in the administration of our employees’ data.

We will share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you (including benefits) or where we have another legitimate interest in doing so. ”Third parties” includes third-party service providers (including contractors and designated agents).

The following activities are carried out currently by or with the assistance of the following third-party service providers at applicant stage:

  • recruitment
  • UK visas and immigration
  • recruitment assessment providers
  • employment law advisers
  • occupational health services
  • criminal records checks - Disclosure and Barring Service

And once you are a member of staff we will also carry out:

  • payroll
  • pension provision administration
  • recruitment
  • employee data recording and management
  • UK visas and immigration
  • third party benefit provisions including Private Medical Insurance, Life Assurance, biannual medical checks (Bupa), cycle scheme
  • employee assistance programme
  • occupational health services
  • childcare vouchers provision
  • criminal records checks - Disclosure and Barring Service
  • absence management
  • staff opinion and exit survey providers
  • staff appraisal processing
  • e-learning provision
  • shredding and archiving provisions
  • union membership
  • statistical data provision
  • employment law advisers

Where we receive notification, from the Office of the Independent Adjudicator (OIA), of a complaint made by a current or previous student we may be required to disclose relevant personal data to the OIA to assist in their investigation.

In addition, we will share anonymised statistical information with the following third-parties: ONS, UCEA, Xpert HR, HESA, DLA Piper, Equality Challenge Unit - Athena Swan and Inclusive Employers.

All our third-party service providers, including any change in provider, are required, under contract, to take appropriate security measures to protect your personal data in line with our policies.

ARU only permit a third-party service to process your personal data for specified purposes and in accordance with our instructions. We do not allow our third-party service providers to use your personal data for their own purposes.

Under our legitimate interests we permit third parties under contract to hold and provide access to employee data on our systems in secure IT cloud storage facilities, and to securely store hard-copy data in commercial storage facilities.

Please note that countries outside the European Economic Area do not always have the same strong data protection laws. However, we will always take steps to ensure that your information is used by third parties in accordance with the terms of this Privacy Policy.

Unless required or permitted to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your agreement.

How long do we keep your personal data?

Your personal data will be held confidentially for as long as necessary to fulfil the purposes for which it was it collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

The personal data you provide as part of the recruitment process will only be shared with those who need to see your application for administrative purposes, selection, statistical analysis and research. The data will be archived on our e-recruitment system after a period of inactivity and anonymised equality data will only be available for statistical returns.

Should you be appointed to a position, the personal data provided on application (including equality monitoring data) will continue to be held by Anglia Ruskin University as part of its employee records.

Personal data held as part of your employee record, unless otherwise deleted in accordance with the retention schedule, will be archived 1 year after the end of employment and kept for a minimum of 6 years after the end of employment. 

Data will be retained in accordance with our retention schedule Records Retention Schedule.

If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis.

What is the legal basis for using your personal data?

The personal data we obtain from you is used to enter into a contract of employment with you or to perform ARU’s obligations under your contract of employment, to comply with a legal obligation imposed on ARU or where it is necessary for ARU's legitimate interests or those of a third party, provided your interests and fundamental rights do not override them.

The situations in which we will process the following categories of personal data are listed below.

A: Recruitment

Specific Purpose

Legal Basis

1. Informing our decision about employing you and determining the terms on which you will work for us, requiring you to provide:

  • Work history details
  • Employment references
  • Details of education and qualifications
  • Other information included in a CV or covering letter
  • Photographs
  • Copies of:
    • Driving licence
    • Utility bills
    • Bank statement
    • Birth certificate
    • Marriage certificate
    • Passport

Necessary for the purposes of:

  • entering into our contract of employment with you

2. Checking you are legally entitled to work in the UK, providing copies of ‘Right to Work’ documentation

  • complying with a legal obligation imposed upon ARU

3. Ascertaining your fitness and suitability to work through:

  • Providing medical details (1) and
  • undertaking Disclosure and Barring Services (DBS) checks and providing criminal records details where required by your prospective role (2)

Necessary for the purposes of:

  • entering into our contract of employment with you (1)
  • complying with a legal obligation imposed upon ARU (2)

Where we process Special Category data for these purposes, we do so because it is:

  • necessary in accordance with the rights of ARU under employment law (1)
  • complying with a legal obligation imposed upon ARU (2)

4. Ensuring ARU complies with its commitment and legal obligation to be an equal opportunities employer, by requesting applicants on a voluntary basis for details of characteristics, including those protected under the Equalities Act (2010) and using this data to monitor fair treatment in the recruitment process

Necessary for the purposes of:

  • a Legitimate Interest of ensuring fair treatment in recruitment (for characteristics not protected by the Equalities Act (2010))
  • A Legal Obligation (for protected characteristics)

Where we process special category data for this purpose, we do so because it is necessary:

  • for reasons of substantial public interest

B: In Employment

Specific Purpose

Legal Basis

1. Maintaining a record of our employment relationship with you, including:

  1. Identity: Basic details to identify you such as your name, address, date of birth and any previous names. Photographic images.
  2. Personal contact details (e.g. telephone number, email address) to contact you regarding your recruitment, in the event of a personal or business emergency when you become an employee, or to support checking your identity through Multi-Factor Authentication when accessing our IT systems.
  3. Your role: Grade, dates of employment, terms and conditions and any amendments over the course of your employment including periods of maternity, paternity and shared parental leave details.
  4. Financial: Your National Insurance number, Bank account details, payroll and pensions records and tax status information, benefits information. Managing payment deductions such as childcare payments and Trade Union Membership.
  5. Performance: Your probation record and appraisal records; performance reviews, managing your performance and recording future performance requirements.
  6. Development: Details of professional body memberships Training records, including evidence of mandatory learning and attendance at delivery sessions.
  7. Disciplinary and Grievance: Maintaining records of the management of instances of complaint about our or your actions relating to your employment.
  8. Support: Records of any support provided to you such as Occupational Health assessments, counselling and adjustments to your working conditions and environment.
  9. Assessments: Records of an assessment process to establish the necessary qualifications and competence for a role or task, including supporting promotion decisions.
  10. Criminal Records: Disclosure & Barring Service (DBS) check outcomes for roles which require them.
  11. Attendance & Health: Recording absences from work along with the reasons provided and any evidence supporting this, managing the offer of support to you including Occupational Health assessments, managing payments and investigating unauthorised absences (1).
  12. End of Contract: Closure of your contract and the provision of any standard reference for your future employment.
  13. Health Emergency: Sharing your medical details with health professionals in emergency situations (2).
  14. Public Health matters: using health data shared by you to inform our Emergency Plan activities (3)

Necessary for the purposes of:

  • Performing our contract of employment with you

Where we process Special Category data for these purposes, we do so because it is necessary:

  • under our employment law obligations
  • for the purposes of occupational medicine, for the assessment of the working capacity of an employee (1)
  • to protect your vital interests (2)
  • with your explicit consent (3)

2. Ensuring the safety of our campuses and verifying authority to represent ARU by use of name and image on Security ID cards.

  • Necessary for the performance of a task in the public interest namely the health and safety of individuals using the services or facilities of a public body.

3. Holding recorded footage of you obtained from CCTV cameras for preventing and detecting crime (1), your health and safety (2) and internal investigations of breaches of policy (3).

  • Necessary for the performance of a task in the public interest namely the health and safety of individuals using the services or facilities of a public body (1,2)
  • Necessary for the performance of our employment contract with you (3)

4. Where you chose to provide this, use of your image on our IT systems (such as skype, email, Teams etc) to assist in better identifying you to other staff and students.

  • Under your consent which you control through our IT systems.

5. Supporting grant applications or research proposals for evaluation by external research funding bodies or prospective research partners, and evidencing effective progress and outcomes and the appropriate expenditure of awarded funds (including evidence of payments to individuals) where these are conditions of agreements

  • Necessary for the performance of a task in the public interest namely the carrying out of research projects in the public interest.

6. Supporting and promoting University activities by publishing academic and senior role profiles, and publishing profiles of Students including the names of Academics working with them

  • Necessary for the legitimate interest of publicising the qualifications, experience and academic interests of our academic staff to encourage student applications and interest in ARU research projects.0

7. Disclosing information which is held on ARU records which are subject to statutory requests for information (e.g. Subject Access Requests under Data Protection law, Freedom of Information Requests etc) in line with legal requirements whilst fully considering applying exemptions relating to personal data

  • Necessary to comply with legal obligations placed on the University through access to information law.

8. Sharing anonymised (1) or pseudonymised (2) data with third parties who compare data with peer bodies and publish statistical data on such matters as pay and employment conditions etc across the University sector.

  1. No legal condition is required.
  2. Necessary for the legitimate interest of comparing ARU’s employment practices with peer groups.

C: Surveys, Statistics, Mailing Lists

Specific Purpose

Legal Basis

1. Monitoring ARU’s compliance with Equality law in employment by analysing information including your gender; nationality, marital status, ethnicity, religion, sexual orientation and disability details to review and better understand and benchmark employee retention, attrition rates and general workforce information within the sector.

  • Necessary for the legitimate interest of monitoring our compliance with equalities law.

Where we process Special Category data for these purposes, we do so because it is necessary:

  • under our employment law obligations and/ or
  • for reasons of substantial public interest

2. Sharing anonymised data including your gender, nationality, marital status, ethnicity, religion, sexual orientation and disability details with statutory bodies to support public scrutiny over the Higher Education sector’s compliance with Equality law.

For the purposes of:

  • complying with a legal obligation imposed upon ARU to share equal opportunities monitoring data and compiling statistical returns including those we have to make to the Higher Education Statistics Agency (HESA) and in accordance with obligations under the Equality Act 2010.

Where we process Special Category data for these purposes, we do so because it is necessary:

  • under our employment law obligations and/ or
  • for reasons of substantial public interest

3. Contacting you for your opinions on current and future University initiatives, our policies and facilities

  • Necessary for our legitimate interests namely the improvement of our services.

4. Contacting you where you have requested to be kept informed about specific events, initiatives and special interests

  • Under your consent which you can withdraw at any time.

We will only use your personal data for the purposes for which we collected it unless we reasonably consider that it is needed for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose we will notify you and explain the legal basis which allows us to do so.

The information you provide will be treated confidentially. If you fail to provide all the information ARU may not be able to fulfil our contractual obligations to you or may be prevented from complying with our legal obligations.

Your rights under GDPR

Please read about your rights under Data Protection legislation. It is important to note that the ‘legal basis’ we rely on (above) to process your data determines which of your rights are available. You are not expected to know these details, it is our responsibility to understand how the law applies and to explain it to you when responding to a request from you. Our Rights guidance is an opportunity to provide you with information on how you can expect us to handle your requests.

The law provides for the following rights:

  • To be informed
  • To access your data
  • To rectify (change, update or correct) your data
  • To erase (remove, delete or destroy) your data
  • To restrict our use of your data
  • To data portability
  • To object
  • To not be subject to automated decision-making and profiling

To complain to the Information Commissioner’s Office (ICO): the ICO is the UK supervisory authority for data protection issues. For more information please visit the ICO website.

Information Security

ARU is committed to holding your data securely and uses information security best practice to transmit personal data. Data is held in accordance with the Corporate Information Security Policy . For example, your personal data is accessible only by those authorised and who have a business need for access. When shared with third parties, your personal data is shared with encryption or in password protected files.

Where we have given you (or where you have chosen) a password that enables you to access our systems, you are responsible for keeping this password confidential. You must not share passwords with anyone.

Although we maintain a number of safeguards, fraudulent email requests are occasionally delivered to staff and students. We will never ask for your username or password by email. Any message that does so should be treated as a potential breach of security, no matter how legitimate it may appear. If you are in any doubt, do nothing until you have spoken to a member of the IT Services Customer Support Team.

ARU have put in place procedures to deal with any suspected data security incident and will notify you and any applicable regulator where we are required to do so. If you have any concerns that personal data has been compromised please contact

Processing outside the European Economic Area (EEA)

The law requires us to let you know if we or our suppliers process your personal data outside the EEA (The European Union Member States plus Norway, Iceland & Lichtenstein) and what we have in place to make sure your rights in UK Data Protection law remain in place. We do use suppliers such as software providers, IT support providers and online learning module delivery providers as well as ad hoc IT project suppliers who either host our data or access data for support purposes in countries outside the EEA. We will at all times have in place, in our Agreements with these suppliers, features which protect your data rights as required by GDPR. These include: The relevant country has an ‘Adequacy decision’ in place (meaning UK law recognises its Data Protection laws as equivalent to our own), or the contract contains ‘EU Standard Contractual Clauses’ which are an approved mechanism to legally require suppliers to comply with UK law. We are monitoring the potential impact of Brexit on these EU arrangements and will take appropriate action if the law requires. At present our data processing outside the EEA meets the demands of UK law.