Privacy notices for past, present and prospective City staff members.
Important notice: From the 1 August 2024 City, University of London and St George’s, University of London have merged to become City St George’s, University of London. City St George's is the Data Controller for personal data processed on its behalf.
Our details have been updated with the Information Commissioner’s Office. Data subject notifications will be issued in due course, and privacy notices will be aligned and updated during this transition period. In the meantime, information rights queries should be directed to dataprotection@city.ac.uk.
Identity and contact details of the Data Controller
City, University of London is the Data Controller, meaning that it determines the processes to be used when using your personal data and is committed to protecting the rights of individuals in line with the new General Data Protection Regulation (GDPR).
City’s Data Protection Officer can be contacted via email at dataprotection@city.ac.uk
City, University of London is committed to being transparent about how it collects and uses data and in meeting its data protection obligations.
This privacy notice explains how we use your personal information and your rights regarding that information.
What information do we collect?
City collects, stores and processes a range of personal data through its HR, IT and Property and Facilities systems such as CCTV footage, for further information please read our CCTV policy. We may also obtain information from third parties, such as employment agencies, background check providers or referees.
‘Personal data’ here means ‘information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information’.
The personal data collected, stored and processed by City may include special category data (a term which refers to special categories of personal data or criminal conviction and offences data, which are considered to be more sensitive and which may be processed more limited circumstances).
Why does the University process personal data?
City collects, stores and processes a range of biographical, financial, and work-related personal data about you which is essential for the purposes of your employment (e.g. to comply with applicable legal, tax, equality monitoring, accounting requirements); or for the operational needs of the University (e.g. we may process data gathered through City’s computer and telephone facilities for purposes such as preventing and detecting criminal acts, investigating complaints, and in the course of formal employment processes.)
City may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to fulfil its public sector equality duty obligations. Where data requested from you it is not essential, you have the option to ‘Prefer not to say’ or leave the field blank
We may also collect disability information to make reasonable adjustments for candidates who have a disability. We process such information to carry out our obligations and exercise specific rights in relation to employment.
Through its Information Technology systems, City collect and processes personal data relating to:
- the provision, operation and lifecycle of user IDs, email accounts, telephones, laptops, desktops and other IT supplied devices.
- the use of authentication (sign-in) and authorisation systems to deliver teaching, research and administrative services and resources, run directly by the University or third parties
- supporting, monitoring and ensuring the quality and security of the networks, systems and services we operate (including where appropriate to monitor your use of those facilities in accordance with University policies, for example on the acceptable use of IT), and for training purposes.
- your inclusion in the staff directories
- assessments of the usage and effectiveness of our IT facilities and services.
City also collect a range of data for security purposes, including by operating security cameras in various locations on our premises and the production of photo ID cards, to enable relevant authorities to monitor City’s performance and to intervene or assist with incidents as appropriate.
Read City's Data Protection Policy.
What is our legal basis for processing your personal data?
City relies on several different legal basis depending on the processing being performed:
Contract: the processing is necessary for a contract the University has with the individual, or because they have asked City to take specific steps before entering into a contract. The University needs to collect your personal data in order to carry out the employment contract that we have entered into with you and ensure you are paid.
Legal obligation: the processing is necessary for the University to comply with the law (not including contractual obligations). The university also needs to collect your data to ensure we are complying with legal requirements such as:
- ensuring tax and National Insurance is paid
- carrying out checks in relation to your right to work in the UK and
- making reasonable adjustments for disabled employees
Special category data: Article 9(2) (h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.
Legitimate interests: We process your personal data because it is necessary for our or a third party's legitimate interests. Our "legitimate interests" include our interests in running City in a professional and sustainable manner.
Who has access to data?
Your information is only shared when necessary to comply with applicable legal, tax, equality monitoring, accounting requirements or the operational needs of the University. This may include staff in the HR directorate, senior managers in the business area and IT staff, if access to the data is necessary for the performance of their roles.
Equality data is given in confidence and will only be used for statistical purposes. This information is not shared and the HR directorate does not publish information where the figures are below 5.
Where necessary City will disclose, outside the institution, relevant items of your personal data as set out below:
- Sponsors or funding organisations (including the Student Loans Company). Where a contract exists, data will be disclosed in accordance with the terms of the contract.
- Professional bodies (e.g. Law Society, Nursing and Midwifery Council)
- For the purposes of confirming your qualifications & accreditations
- Personal data is shared with the Higher Education Statistics Agency (HESA), part of Jisc, for statistical and research purposes as outlined in the HESA Collection notices. Personal data may also be shared with agencies such as the Quality Assurance Agency.
- Local Government Departments, including Council Tax, Electoral Services and Transport for London for the purpose of assessing and collecting Council Tax
- UK Agencies with duties relating to the prevention and detection of crime, apprehension and prosecution of offenders, collection of a tax or duty, or safeguarding national security, e.g. Benefit or Tax Inspectors, the Police, UK Visas and Immigration (UKVI) or the Foreign and Commonwealth Office always with consideration of your rights and freedoms
- The University of London for the purposes of allowing you access to shared facilities
In addition City employs the services of various suppliers and agents as data processers. In each case your information will only be shared with these third parties in accordance with the data protection principles.
Data retention - For how long does the University keep data?
City retains personal information it collects from you where there is an ongoing business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
When there is no ongoing business need to process your personal information, City will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then City will securely store your personal information and isolate it from any further processing until deletion is possible.
Individual access control data will be kept on a secure server for a maximum of 30 days, after which time it will be destroyed or encrypted and archived securely to prevent unauthorised access.
HR data will be transferred to your Human Resources file (electronic and paper based) and retained during your employment. Your full employee record is then kept for 6 years following your departure from the organisation. Information may in some cases be retained for a longer period where this is required for operational reasons, e.g. in the determination of entitlements under pension schemes provided for staff at City.
How does the University protect data?
We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
These internal policies and controls ensure that your information will not generally be transferred outside of the EU. Where information is held outside the EU on behalf of City, the University will ensure that the relevant requirements of the GPDR are followed in full.
In the case of staff working at institutions outside the EU, the University may also share personal data with partner institutions. In respect of any transfer of data outside the EU, the University will comply with our obligations under Data Protection Law and ensure an adequate level of protection for all transferred data.
Your rights
As a data subject, you have a number of rights. Anyone wishing to access Personal Data About themselves should read the how to access information policy. This applies to staff, students, former students and anyone else the University may hold personal information about.
Read more information relating to the Right of Access, Right to Erasure and the Right to rectification.
How to complain to the Information Commissioner’s Office
The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO).
If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.
Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF.
Telephone: 0303 123 1113.
Email contact can be made by accessing www.ico.org.uk