Skip to main navigationSkip to main content
The University of Southampton
Human Resources

Data Protection


This webpage sets out how the University collects, holds and processes the personal data of our employees for HR and payroll purposes, their rights regarding their data and provides key contact information for queries relating to personal data issues.

This webpage refers mainly to personal data relating to employees of the University, but the same principles apply to personal data relating to other data subjects within the HR area of responsibility such as job applicants, casual workers and unpaid Visitors.

This webpage has a particular focus on processing personal data for HR and payroll purposes. 

You can find more information on the University’s governance of Data Protection, Freedom of Information and Data Breaches on the Corporate Governance Data Protection and Freedom of Information webpage.


Your Data Protection

Key definitions

What is personal data?

Lawful basis for processing personal data

Privacy Notices

Retention periods

Your rights

Subject Access Requests and Data Breaches

Key Contacts

Your Data Protection

The General Data Protection Regulation (GDPR) came into effect from 25 May 2018.  As an EU Regulation, the new law took effect automatically and when the UK leaves the EU, the GDPR will be incorporated into UK law by the European Union (Withdrawal) Bill. The UK Government has also published the UK Data Protection Act 2018, which will supplement GDPR standards in the UK. This means that, even post-Brexit, the University will need to comply with the GDPR.

The GDPR’s data protection principles are similar to those under the old UK Data Protection Act 1998.  The University must be able to demonstrate that any personal data we handle is:

How do we protect your personal data?

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

Our HR staff have a legal duty to keep Data about you confidential. There are strict codes of conduct in place to keep your Data safe. HR staff abide by the General Data Protection Regulations 2018, the UK Data Protection Act 2018 and the University’s Data Protection Policy.

We endeavour to ensure that suitable organisational and technical measures are in place to prevent the unlawful or unauthorised processing of your Data and against the accidental loss of or damage to your Data. This includes:

Key definitions

Term Definition 
Data subject

An individual who is the subject of personal data and, for the purposes of HR related data processing will usually be an employee, a casual worker or unpaid Visitor. 

Does not count an individual who has died or who cannot be identified or distinguished from others as a data subject.

Data Controller

A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.  

The University of Southampton is the Data Controller and our registration number with the Information Commissioner’s Office is Z6801020.

Data Processor

Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.  

This predominantly refers to third parties outside of the University (e.g. pensions providers or benefits providers such as Computershare or Cyclescheme)

Data Protection Officer (DPO) 

Will monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

The DPO is independent, an expert in data protection, adequately resourced, and report to the highest management level.


Data means information which –(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

Subject Access Request 

An individual is entitled only to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person). Neither are they entitled to information simply because they may be interested in it. It is important to establish whether the information requested falls within the definition of personal data. In most cases, it will be obvious whether the information being requested is personal data, but the ICO has produced separate guidance to help decide in cases where it is unclear: Determining what is personal data (pdf). Please also see the key definitions.

Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information.

Various exemptions from the right of subject access apply in certain circumstances or to certain types of personal data; see Exemptions.

Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. 


What is personal data?

Personal data means data which relate to a living individual who can be identified –

Personal data is any information relating to a person who can be identified, directly or indirectly, either by an ‘identifier’ such as their name, or an identification number, or by location or online data, or through factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special categories of personal data and criminal records data

Special rules apply if the University is processing "special categories" of data (this is broadly the same as sensitive personal data under the Data Protection Act 1998). The special categories of data are data that relates to an employee's;

If the University processes special categories of data, we have to show that one of the specific legal grounds for processing such data applies. The grounds for processing special categories of data under the GDPR that are most likely to be relevant in the employment context are that:

Personal data relating to criminal convictions and offences is not included in the "special categories" of data, but is subject to similar additional protection.

Criminal records checks are permissible when recruiting for a role which involves working with children or vulnerable adults.

Processing medical records will also remain permissible where they are necessary for preventative or occupational medicine, assessing working capacity, or confirming medical diagnoses.

Lawful basis for processing personal data

There are six grounds for processing personal data under the GDPR. These are that:

The most relevant of these in relation to HR and the employment context are performance of a contract, compliance with a legal obligation and the legitimate interests of the employer (the University).

Performance of a contract

The University has to process some employee data to perform our obligations to employees and workers under their contracts of employment. For example, to pay our employees, we have to process personal data such as names, working hours and bank account details.

This is also relevant for our processing data in relation to employees' contractual benefits, such as recording details of absences to ensure that employees receive their entitlements under the University’s occupational sick pay scheme.

Compliance with legal obligations

Like any employer, the University has a range of legal obligations relating to our employees. If an employee goes on maternity leave, she has a right to return to work and may be entitled to statutory maternity pay (SMP). We will need to process information about her pay and about the dates on which she starts and finishes maternity leave to make sure we are paying her the SMP to which she is entitled and allowing her to return to work at the appropriate time.

This is also the case in relation to retaining records of disciplinary and grievance proceedings to enable us to comply with, for example, the obligation not to dismiss an employee unfairly.  Similarly, the University will have to keep records of employees' worked hours to ensure compliance with the rules on maximum working hours and the national minimum wage.

The employer's legitimate interests

The University may rely on legitimate interests as the legal basis for processing data in some situations where it is necessary to process data but not in connection with the performance of a contract or compliance with a legal obligation.

The University might rely on its legitimate interests as the legal basis for processing where we retain personal data about unsuccessful job applicants for a period in case an applicant makes a complaint about the recruitment process. In this case, it is necessary for us to hold and process data for its legitimate interests in defending a potential legal claim.

The University's legitimate interests would also provide a legal basis for processing personal data in relation to appraisals which are necessary for the University’s interests in maintaining performance standards.

Privacy Notices

Being transparent and providing accessible information to individuals about how employers will use their personal data is a key element of the EU General Data Protection Regulation (GDPR).  The most common way to provide this information is in a privacy notice.

The University currently has four Privacy Notices relating to the processing of personal data for HR purposes.

Privacy Notice Recruitment - Applicant stage

Privacy Notice Recruitment - Employee stage

Privacy Notice - UniWorkforce

Privacy Notice - Visitors

Privacy Notice - Royalties

Privacy Notice - ERE Promotion and Re-Banding

We are currently working on improving our range of privacy notices to reflect the diverse nature of HR practices that require the collection, processing and retention of personal data. 

Retention periods

The General Data Protection Regulations require the University to retain personal data no longer than is necessary for the purpose it was obtained for.

This section should be read in conjunction with the University's Data Protection Policy and Finance Policy 4 – Retention of Financial and Associated Legal Documents for all payroll and pensions retention purposes.  That document provides the University’s Finance policy position.

The University will ensure that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.  We will;

The University's core HR document retention schedule sets out the University’s planned retention schedule for HR, payroll and pensions related documents.

Guidance for Managers – retention of local records

You must make sure that you have taken appropriate measures to ensure the security of the documents (and copies of the documents) your staff may have provided you with.  When not being used, you must ensure that they are safely secured.

Be mindful that the supporting documents you receive from individuals are likely to include significant amounts of their personal data (be it job applications, fit for work certificates or documents relating to their appraisal or performance reviews). 

Records relating to recruitment

Document Type Retention 
 Applications (all applicants) Primary record held and retained in eRecruit.  No local retention required.  Securely and confidentially dispose after recruitment completed
 Applications (successful candidate)

 Interview notes

remember that your notes may form part of the successful candidate's permanent employment record.  Make sure that your written comments are factual, fair and non-discriminatory.

Store securely* for 12 months and then securely and confidentially dispose
 Evidence of right to work Primary document must be returned to the candidate.  Copies must be forwarded to Recruitment.  Do not retain local copies   
 Proof of educational qualifications where required for the position
 Professional registration (if applicable)
 Health data - medical clearance (if applicable)
 DBS and criminal records data (if applicable)
Sensitive personal data (i.e. gender, race, sexual orientation etc.) Line managers should not see this data, but if supplied in error, ensure primary document is forwarded to Recruitment.  Do not retain local copies
Health data (i.e. occupational health report for reasonable adjustments if applicable) Store securely* for duration of employment or until obsolete and then securely and confidentially dispose
Appointment offer details Primary record held and retained in eRecruit.  No local retention required.  Securely and confidentially dispose after recruitment completed

* Store securely - lockable cupboards or drawers, or in password protected folders if stored electronically

Records relating to employees

You will need to make sure any locally held records are stored securely (either password protected or in lockable cabinets/draws etc. with restricted access)

Document Retention period 
 Induction You can securely store local HR/payroll data (including performance/appraisal, absence management data etc.) relating to current employees for the lifetime of their employment followed by up to 6 years (plus current) for HMRC/tax purposes (but recognise that in certain circumstances, data can be legitimately disposed sooner than that – e.g. timesheets – please refer to the above retention schedule for details)

You must confidentially dispose of local employment records for former employees if they left more than 7 years ago.  

 Appraisal / performance review (PPDR)
 Performance management (i.e. capability, disciplinary, grievances etc.)
 Health data - fit notes Primary document must be returned to the employee.  Copies must be forwarded to HR.  Do not retain local copies.
 Health data - maternity, adoption, shared parental or paternity related paperwork
 Health data - occupational health report for reasonable adjustments, if applicable Store securely* for duration of employment or until obsolete and then securely and confidentially dispose.

 Queries relating to these periods should be addressed to in the first instance or in writing to:

The Data Protection Officer

Legal Services

University of Southampton, Highfield

Southampton, SO171BJ


Your rights

Data subjects will have the:

How do you access your data?

You have control over your personal data and can exercise some of these rights through your logon to various HR systems and can change, update and delete some of your personal data as you wish.

Job applicants - can access and manage all their personal data via the e-Recruit portal.  Queries regarding this, including difficulty accessing self-service, should be directed to in the first instance.

Current employees - can access some of their personal data via MyHR, specifically;

In addition, current employees can amend the following personal data themselves via MyHR;

Queries regarding this, including difficulty accessing self-service, should be directed to in the first instance.

Workers engaged via UniWorkforce - will need to direct their queries direct to the UniWorkforce team at as they do not have access to MyHR.

Managers – can access and (in some cases) manage personal data for staff in their direct line management hierarchy via MyHR relating to;

In certain circumstances you can request your data for reuse for your own purposes across different services.

We recognise that not all personal data actions can be made via self-service and that in some circumstances employees or their line managers may need to request access to personal data via HR colleagues.  HR staff take the security of your personal data seriously and will take appropriate and proportionate steps to maintain the protection of your data and your rights, including;

HR colleagues will not normally be able to disclose personal data to anyone other than you or (in some circumstances) a manager in your direct management chain (as recorded in the HR System) without your express written consent.

In cases of Police investigation or fraud investigation (by the Department for Work and Pensions), the University is required to provide all requested information, which may include an employee’s personal data.  In such cases, consent from you is not required.

If you require any further assistance with this please contact: 

Subject Access Requests and Data Breaches

Subject Access Requests

You can use a Subject Access Request to see a copy of the information the University holds about you. You are entitled to be:

However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. For more information, please see the Information Commissioner’s Office (ICO) exemptions.

The information will be provided without delay and within a month of receiving the request.  Where requests are complex or numerous, the University is permitted to extend the deadline to three months.

In most circumstances, the information provided will be free of charge.  However, the University is permitted to charge a ‘reasonable fee’ when a request is manifestly unfounded, excessive or repetitive.  Any fee charged by the University will be based on the administrative cost of providing the information.

Any subject access or freedom of information requests should be submitted via this Subject Access Request Form

Or in writing, addressed to:

The Data Protection Officer

Legal Services

University of Southampton, Highfield

Southampton, SO171BJ 

Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Personal data breaches can include:

The University must report a notifiable breach to the Information Commissioner’s Office without undue delay, but not later than 72 hours after becoming aware of it.

If, at any time, you suspect a data breach may have occurred please report it via this Data Breach incident report form

Key Contacts

HR Data Lead

If at any stage you are concerned about how your personal data is being used by Human Resources or if you require any further assistance with please contact us via:

Data Protection Officer

If you are unhappy with the way that we have handled your data you can contact the University’s Data Protection Officer via:

This ServiceNow web form

or in writing, addressed to:

The Data Protection Officer

Legal Services

University of Southampton, Highfield

Southampton, SO171BJ

The University also have additional policies and guidelines concerning particular activities. If you would like further information please see our Publication Scheme at:

The University's Governance Data Protection, Freedom of Information and Data Breach webpage

Information Commissioner’s Office

Alternatively, you can contact the Information Commissioner’s Office. See their website at:

Privacy Settings