0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

College Employee Privacy Notice

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it, and what are we doing with it (Purpose)?

We collect your personal data for the following purposes:

Recruitment and retention of staff

  • Deciding on your recruitment/appointment;
  • Determining the terms on which you work for us;
  • Checking that you are legally entitled to work in the UK;
  • Checking your criminal history, including PVG Disclosure Scotland checks;
  • Assessing qualifications, including decisions about promotions;
  • Making decisions about your continued employment;
  • Undertaking/implementing salary reviews and calculating compensation, e.g. voluntary severance;
  • When outsourcing particular business areas of the college, we are required to provide information to your new employer in adherence with TUPE regulations.

Payroll and pensions administration (including National Insurance and Tax Administration)

  • Paying you and deducting tax and national insurance contributions;
  • Providing employee benefits to you;
  • Liaising with your pension provider and the Department of Work & Pensions

Supporting your Continuing Professional Development and career progression

  • Identifying education, training and development requirements (e.g. Training Needs Analysis);
  • Conducting appraisal/development reviews.

For occupational health and managing sickness absence purposes

  • Ascertaining your fitness to work when managing sickness absence.
  • Referring you to Occupational Health to assess your fitness for work (this may be an internal or external practitioner); a separate Occupational Health privacy notice will be provided at that time.

For disciplinary and conduct purposes

  • Gathering evidence during the course of investigations for possible disciplinary, grievance or capability hearings;
  • To monitor your use and ensure the security of our information and communication systems, in partnership with IT, to ensure compliance with our IT Policies;
  • Dealing with legal disputes involving you or other employees.

For health and safety purposes

  • Complying with health and safety obligations (e.g. monitoring compulsory training).
  • Dealing with legal disputes arising from accidents at work.

For Equality and Diversity monitoring purposes

  • Equal opportunities monitoring, in line with legal obligations, to promote inclusion.

For management planning purposes

  • Business management and planning, including accounting and auditing;
  • Producing quarterly and annual statistical HR Dashboards and analysis for senior management and relevant committee (if applicable) to inform business planning which includes headcount (and full-time equivalents), establishment, turnover, absence, department, salary band, contract status (permanent or temporary), length of service, recruitment, training, pay gaps and workforce demographics such as gender, ethnicity, age, disability, part-time status.
  • To understand why employees leave the College and to help provide feedback and improve College services. We collect this data through the Exit Interview Questionnaire, which employees can choose to complete. HR will store and use the data to analyse trends and monitor statistics. It will also be used, on an anonymous statistical basis, to provide high-level reports to the Executive Team and Senior Management Team. 

For collective bargaining purposes

  • Providing information and data to Colleges Scotland under the Trade Union and Labour Relations (Consolidation) Act 1992, which enables agreements to be reached under National Bargaining with recognised Trade Unions, i.e. pay agreements, job evaluation, etc.

What personal data do we collect?

  • Name/Title
  • Address(es)
  • Telephone number(s) – home and mobile
  • Personal email address
  • Date of birth
  • Gender
  • Marital status
  • Dependants
  • Next of kin
  • Emergency contact information
  • National Insurance number
  • Bank account details
  • Payroll number and tax code
  • Salary
  • Pension scheme details
  • Benefit information, e.g. childcare voucher membership
  • Application form (or if via agency, CV and covering letter)
  • Proof of Right to Work
  • References
  • Qualification certificates
  • PVG Membership Number
  • Start and end dates of employment
  • Job title
  • Your opinions on your employment at the College (where you are completing an Exit questionnaire)

We also process special category personal data:

  • Race
  • Ethnicity
  • Religious beliefs
  • Sexual orientation
  • Disability
  • Gender identity
  • Criminal convictions information
  • Medical questionnaire
  • Absence records and reasons, as these may contain health data or other special category data
  • Occupational Health reports
  • Trade Union membership

How are we collecting this information? What is the source?

We will collect the majority of your personal information directly from you, particularly during our recruitment and selection process. If you applied for a post through myjobscotland.gov.uk, we will have received your information from My Job Scotland, who will be a separate controller of your personal data. For more information on how they process your data, please refer to their privacy notice.

We will ask you to keep your personal information up to date throughout your time with us by updating our self-service HR system. However, in certain circumstances, we will collect information from third parties, including:

  • Former employers
  • Employment agencies
  • Disclosure Scotland
  • GPs/Consultants/Occupational Health professionals
  • HMRC
  • Department of Work and Pensions

Management Referral

When making a referral, managers/HR are asked to confirm that the employee has been informed of the referral details before submitting. The referral cannot proceed if this is not confirmed with the employee. The OH Referral Form requires confirmation that the employee has been fully informed of the referral, of their rights, and, if applicable, that their consent under the Access to Medical Reports Act 1988 (AMRA) has been received prior to an OH assessment and report being carried out.

Under AMRA, employees have the right to see the report before it is sent to their line manager and HR. Section 3 of AMRA requires that medical reports and applications for them are not processed unless the individual has given their consent. This is consent under AMRA and not under data protection law. Under Sections 4 and 5 of AMRA, employees have rights and can request that inaccurate information be corrected. If the medical professional considers this to be accurate, a note on the report will be added to reflect this accurately. Upon receiving the report for review, employees are given a timeframe to contact Occupational Health with their consent under AMRA to release the report.

New Employment Health Questionnaires

As referenced earlier, as an employer, the College has a duty of care to all employees to ensure their health and safety at work and, when applicable, to identify and implement any reasonable adjustments required to enable them to work. Therefore, the College requires new employees to undergo a health screening to determine whether they are fit to perform the tasks they will be performing and to identify any reasonable adjustments that may be required.

The questionnaire is used solely to assess fitness to work and, if necessary, to implement reasonable adjustments to ensure the employee can work.

Health Surveillance

For specific roles, health surveillance may be necessary when a risk assessment indicates that an individual may be exposed to workplace hazards, such as noise. The employer will be sent a fitness-to-work certificate following the health surveillance appointment.

The lawful basis for the processing

For processing of the majority of your personal data, the lawful basis is UK General Data Protection Regulation (UK GDPR) Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract”.

For the Exit Questionnaire/Interview process, the lawful basis is UK GDPR Article 6(1)(f), which states that “processing is necessary for the legitimate interests pursued by the controller or by a third party…”. You have a choice as to whether you complete the Exit Questionnaire/interview.

Where your special category personal data are processed, the lawful basis is UK GDPR Article  9(2)(b)  “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.

  • Where employees’ health data are processed, several laws require this. They are as follows: Health and Safety at Work etc. Act 1974; The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013; and Employment Rights Act 1996.
  • Where employees' special category demographic information (gender identity, sexual orientation, race, ethnicity) is required, the specific law authorising this is the Equality Act 2010.
  • Where employees’ criminal conviction data are processed, the specific law authorising this is the Protection of Vulnerable Groups (Scotland) Act 2007.
  • Where employees’ data are processed for collective bargaining, involving Colleges Scotland, the specific law authorising this is the Trade Union and Labour Relations (Consolidation) Act 1992.

Exceptionally, we may also use your personal information where we need to protect your, or someone else’s, vital interests; UK GDPR Article 6(1)(d) “processing is necessary to protect the vital interests of the data subject or of another natural person” would apply.

Who we share the information with

We share your personal information with the following third-party data controllers:

  • Disclosure Scotland
  • Audit Scotland (as part of the National Fraud Initiative)
  • Pension providers (e.g. Lothian Pension Fund, STSS & Prudential for AVCs);
  • HMRC;
  • Colleges Scotland (e.g. national initiatives such as National Bargaining);
  • GPs/Consultants/Occupational Health practitioners (a separate privacy notice will be provided at that time);

We share your personal information with the following data processor:

  • Midland HR (providers of iTrent) only for the purposes of maintaining and upgrading the HR system and resolving technical queries. Edinburgh College hosts the iTrent application and database internally.

How long do we hold the personal data?

We will retain personal data about employees for a maximum of six years after their employment has ceased, with certain exceptions:

The college will retain documents relating to pre-employment health screenings of individuals exposed to hazardous substances through their employment, and records about major injuries arising from workplace accidents, for 40 years after an employee’s employment has ceased.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF