Accessibility statement

Privacy notice - staff

This privacy notice is for University of York staff. It sets out the ways in which the University of York gathers, uses, stores and shares your data. It also sets out how long we keep your data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018. 

For the purposes of this privacy notice, University of York is the Data Controller as defined in the UK GDPR. We are registered with the Information Commissioner’s Office and our entry can be found here. Our registration number is: Z4855807.    

Where do we get your data from?

The organisation collects information about you in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

What data do we have?

Personal data including:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • the terms and conditions of your employment;
  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
  • details of your bank account and national insurance number;
  • information about your marital status, next of kin, dependants and emergency contacts;
  • information about your nationality and entitlement to work in the UK;
  • information about your criminal record;
  • details of your schedule (days of work and working hours) and attendance at work;
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
  • details of trade union membership;
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

Special category data including information about disability, trade union membership, health, ethnicity and racial origin.  

What is our legal basis for processing your data?

The University needs to collect and retain certain types of data, in various formats, about its current and past staff for HR purposes. Typically, data will be processed:

  • on the grounds of contractual requirement or to take steps to enter into a contract with you; 
  • because it is necessary for the performance of a task carried out in the public interest (for information on our public task see our function as set out in our charter);
  • because it is necessary for our or a third party’s legitimate interests;
  • to allow us to comply with our legal obligations;
  • to protect your or another person’s vital interests;
  • to monitor equality and diversity;
  • because you have given us your consent or, in the case of special category data, your explicit consent.

How do we use your data?

The University may process your personal data (including special category data) for the following purposes:

  1. to pay employees and workers, and administer pensions and benefits;
  2. to maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
  3. to enable effective communication with you as a University employee;
  4. to provide you with and manage your use of University facilities and services as an employee;
  5. to operate recruitment and promotion processes;
  6. to operate and keep a record of work attendance and absence and related management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  7. to operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  8. to operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  9. to operate and keep a record of training and development activities undertaken and planned;
  10. to operate and keep a record of employee performance and related processes, including recognition schemes;
  11. to plan for career development, and for succession planning and workforce management purposes;
  12. to provide you with educational services through the FutureLearn platform; 
  13. for alumni relations purposes. For details see here
  14. to obtain and provide occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
  15. to check, where necessary, that staff are eligible to work with children, patients and other vulnerable adults;
  16. to ensure effective general HR and business administration;
  17. to maintain and promote equality in the workplace;
  18. to provide references on request for current or former employees;
  19. to respond to and defend against legal claims;
  20. to compile statistical and personal returns which the University may be required to publish or pass to government bodies or the Higher Education Statistics Agency (HESA); 
  21. to maintain the safety and security of the campus for all users. This may include the use of CCTV for crime prevention and detection purposes.

In addition, please note

  • while on campus you may be captured in photographs or video footage as part of a wider group shot. These images/recordings may be used by the University for promotional purposes e.g. in the development of the University’s prospectus. If you have any concerns about the use of your image please contact the Acting Data Protection Officer for more information,
  • the University uses lecture capture technology to record University teaching (typically audio only). In addition, students are sometimes granted permission to make their own recordings (again, typically audio only). As a result, the content of your lectures, seminars and other teaching sessions may be recorded. For rules around the use of recordings see here: 

Who do we share your data with?

The University may share your data with:

  • employees and agents of the University;
  • third parties that process data on behalf of the University to support it in fulfilling its obligations and responsibilities to and relationship with you (e.g. software and system providers);
  • other HE institutions, 3rd party providers or employers involved in your employment;
  • FutureLearn as part of the provision of courses on their platform; 
  • LinkedIn Learning as part of the provision of courses on their platform;
  • research collaborators or funders for purposes of preparing and submitting funding bids or managing collaborative research projects. This may include the sharing of salary information for purposes of costing staff onto research bids; 
  • government departments/agencies to whom we have a statutory obligation to release information (including the Higher Education Statistics Agency (HESA) (HESA's notice is available here), the Home Office UK Visas and Immigration, and HM Revenue and Customs;
  • HiveHR Limited for the purposes of administering the University’s staff survey;
  • law enforcement agencies such as the police or relevant authorities dealing with emergency situations (only as required or appropriate and in line with Data Protection legislation);
  • the Medical Schools Council, in order to monitor trends in clinical academic staffing as a basis for partnership between the NHS and universities; and to promote, maintain and improve high equality education, research and clinical practice in the UK. 

The University may also disclose your data to other 3rd parties not listed above on a case-by-case basis. Disclosures will be made in full accordance with the data protection legislation and only where necessary. Consent will be sought from you where appropriate and you will be told about such disclosures unless exceptional circumstances apply.

Where the University, Government or their respective agents (e.g. Office for Students) hold personal information provided by students, they may need to check the accuracy of this information against external data sources. This might involve contacting institutions to confirm qualifications obtained, for example, or checking whether a Higher Education Statistics Agency record already exists for a student. Any such checks will be made in compliance with data protection law.

How do we keep your data secure?

Data is stored in a range of different places, including in your personnel file, in the organisation's HR management systems and in other IT systems (including the organisation's email system).

The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information see,   

How do we transfer your data safely internationally?

In certain circumstances, it is necessary to transfer your Personal Data (including Special Category Data) outside the UK. In respect of such transfers, the University will comply with our obligations under UK GDPR and ensure an adequate level of protection for all transferred data.  

How long will we keep your data?

The University will retain your data in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.   

What rights do you have in relation to your data?

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. You can verify or correct information in your staff record online by using MyView, available For all other requests, see  

Questions or concerns

If you have any questions about this privacy notice or concerns about how your data is being processed, please contact the University’s Acting Data Protection Officer at

Right to complain

If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see  

Changes to our privacy notice

We keep our privacy notice under regular review. This notice was last updated on 8th February 2021.