A woman with her back to the camera delivers a speech to three other females

Data Protection for Staff

Data Protection for Staff

Buckinghamshire New University is a registered data controller and will collect and use information about its employees in accordance with the data protection principles set out in the Data Protection Act 1998 and the European General Data Protection Regulation (GD

This privacy notice outlines what you can expect when Buckinghamshire New University collects your information, if you are a current employee or if you have a temporary or ongoing relationship with the University but are not registered as a member of staff or student (e.g. a visiting fellow or emeritus professor).

Acceptance of the terms of this notice is a condition of employment.

In order to carry out its duties as an employer, the University must collect and process data relating to its staff. A record relating to your employment will be held by the Human Resources Directorate. Information about your employment may also be kept by individual departments. Data held about you may include, but is not restricted to, the following:

  • Application forms;
  • Personal details such as name, date of birth, contact details, National Insurance number and next-of-kin information;
  • Visa details and copies of passports;
  • Bank or building society account details;
  • Salary, grade and superannuation details;
  • Sensitive personal data (e.g. for equality and diversity monitoring);
  • Data held on staff organograms;
  • Records concerning appraisal, training and the HERA role-analysis programme;
  • Sickness and other absence details;
  • Proceedings relating to promotions;
  • Contracts or terms and conditions of employment;
  • Correspondence between the member of staff and the University;
  • Correspondence between University and third parties on behalf of a member of staff (e.g. employment references);
  • Records of grievances;
  • Investigations into breaches of terms and conditions of employment;
  • Records of disciplinary proceedings; and
  • Health and safety records (including accident reports).

The University holds and processes personal data and sensitive personal data about its current, past or prospective staff and others who are defined as data subjects under the Data Protection Act.

Personal data is data relating to a living individual who can be identified from that data (e.g. name, address, telephone number and staff number). It can also include expressions of opinions about an individual.

Sensitive Personal Data (or “special categories of data” as described under the GDPR) relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Personal data concerning disability is sensitive data.

We will collect and process personal data about you for the purposes described below. The University recognises the significance of sensitive personal data and will only process such data if certain conditions are met.

We ask you to declare your ethnic origin and any disabilities at the time of your application for a post. These fall within the definition of sensitive personal data. If you choose to provide such data, you give your consent for the University to use them, in an aggregated form, for statistical purposes.

Your HR file may also contain sensitive personal data in relation to health or sickness, maternity leave or paternity leave. These records will be kept in strict confidence and will not be released to third parties without your explicit consent.

The University processes staff personal data in order to:

  • Pay your salary into your bank account;
  • Review staff performance;
  • Assess suitability for promotion;
  • Monitor absence and sickness records in accordance with HR policy;
  • Enable staff to undertake their roles in teaching, research and administration;
  • Publish basic contact details internally and externally as appropriate; and
  • Record the research activities of academic staff which may be published in a staff profile page on the University website.

The University will also process personal information for the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.

The University may monitor usage of its IT systems and access user information on its systems and networks that is normally private. Any institutional monitoring or access will comply with UK legislation and be justifiable, fair and proportionate.  Such activity will be conducted in line with the University’s policy on monitoring computer and network use.

Personal data about employees is normally provided to the University by a prospective member of staff on an application form and is added to by the University over the course of their employment. Personal data may also be received by the University from partner institutions in the form of CVs and applications from partner college staff.

Where data is held by the Human Resources Directorate, access to personnel files is carefully controlled and may only be seen by the members of the Senior Management Team and other persons, if authorised by the Human Resources Director.

Access to personal data held by individual departments will be limited in accordance with that department's operational needs.

The University may disclose certain personal data to external bodies as categorised below where we have a legitimate reason to use that data or where the University is under a legal requirement to do so. Information will be disclosed in accordance with the provisions and obligations of the Data Protection Act. Please note this is not an exhaustive list.

Disclosure to


Government Departments

In order to fulfil the University's obligations as a visa sponsor, information will be released to the Home Office, UK Visas and Immigration (UKVI).  Real time information is also released to HM Revenue & Customs (HMRC) in order to collect Income Tax and National Insurance contributions (NICs) from employees.

Police and Enforcement Agencies

The University may provide data on request to the police and other enforcement agencies (such as Benefit or Tax Inspectors, the Department of Work & Pensions, the Police, UK Visas and Immigration, or the Foreign and Commonwealth Office), with appropriate consideration of your rights and freedoms, relating to the prevention and detection of crime, apprehension and prosecution of offenders, collection of a tax or duty, or safeguarding national security.

Disclosure and Barring Service (DBS)

The University is required to send information to the DBS for certain sensitive posts to assess an applicant's suitability for positions of trust.

Higher Education Statistics Agency (HESA)

The University will send some information to HESA for statistical analysis and to allow government agencies to carry out their statutory functions. You are advised to refer to the HESA staff collection notice (www.hesa.ac.uk/collection-notices) for further details.

Office for Students (OfS)

The University will submit data to OfS for the Research Excellence Framework (REF) which is a system for assessing the quality of research in higher education.

Mortgage Lender and Letting Agencies

The University may disclose information to third parties In order to allow them to verify applications for mortgages and tenancy agreements.  Release of this information is subject to written consent from the employee.

Pension Providers

The University will share data with pension providers as required for the provision of pensions by the Local Government Pension Scheme (LGPS), Universities Superannuation Scheme (USS), NHS Pension Scheme, and Teacher Pensions.

Third Party Software Suppliers

Where external computer systems are required, the University may share staff data with software suppliers. Any such transfer will be subject to a formal agreement between the University and those suppliers to ensure the protection of your personal data.

The University will not release data to any unauthorised third person except where you ask us to. This means that we will not release data to banks, friends, relatives etc., without your agreement. If you wish us to provide data in these circumstances you should provide us with written consent to release the data.


The University may need to make other disclosures of your personal information without your consent but any such disclosures will be made with due consideration of your rights, in accordance with the obligations imposed on the University by the Data Protection Act and other relevant legislation.

We will keep your personal data for only as long as is necessary for the purposes for which it was collected. Information about staff is retained and disposed of in accordance with the University’s records retention schedules, which are detailed in the Records Lifecycle Management Scheme.  Some information may be archived for long term historical preservation. Data will be securely destroyed when no longer required.

Personal data about staff is collected and processed by the University for the performance of the employment contract with employees and to meet its statutory and regulatory obligations as an employer.

Some processing activities may also be carried out: under a legal obligation (for example, disclosing personal data to external parties under statutory powers); where it is necessary to protect the vital interests of the member of staff or another party (for example, disclosures to external parties to ensure the safety and wellbeing of individuals); where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (for example, collecting or disclosing information in order to meet regulatory or statutory requirements); or where it is necessary for legitimate interests pursued by the University or a third party (the legitimate interests will relate to the efficient, lawful and proportionate delivery of services and will not be to the detriment of the interests or rights of individuals).

Where any of these legal conditions do not apply, the consent of an individual to process their personal data will be sought.

Under the new data privacy legislation you have the right to:

  • Withdraw consent where that is the legal basis of our processing;
  • Access your personal data that we process;
  • Rectify inaccuracies in personal data that we hold about you;
  • Be forgotten so that your details are removed from systems that we use to process your personal data;
  • Restrict the processing in certain ways;
  • Obtain a copy of your data in a commonly used electronic form; and
  • Object certain processing of your personal data by us.

If you wish to request a copy of the personal data held by the University about you or to correct any information we hold about you, contact the relevant department in the first instance.  If you have any further concerns about the accuracy of your personal data as held by the University or you want to submit a data subject request, contact the University’s Data Protection Officer.

Please see the Information Commissioner’s Office web site (https://ico.org.uk) for further information about your data privacy rights. You may also contact the Data Protection Officer for further information.

You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see https://ico.org.uk.

We use Cookies (that will collect your personal data) on our web pages. The Buckinghamshire New University website privacy statement explains how data may be gathered about users of the University’s website. The University’s privacy notices do not cover the links within the Buckinghamshire New University



If you have any concerns with regards to the way your personal data is being processed or have a query with regard to this Notice, please contact our Data Protection Officer, Nicholas Roussel-Milner at dpofficer@bnu.ac.uk.

Our general postal address is:

Buckinghamshire New University,

Queen Alexandra Road,

High Wycombe, Buckinghamshire HP11 2JZ

Our telephone number is:

+44 (0)1494 522141

Our ICO data controller registration number:


You also have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF. Tel: 0303 123 1113. https://ico.org.uk.