Data protection policy
Policy on management of personal and sensitive data in accordance with...
Last updated: 24 May 2023
At King’s College London, we collect data so we can operate effectively and provide you with the best experience at the university.
We process your personal information under the Data Protection Act 2018 and subsequent enactments – including the EU General Data Protection Regulation (GDPR) that came into force on 25 May 2018.
The university’s Data Protection Policy regulates how we use the personal information people provide, in accordance with GDPR.
King’s Human Resources (HR) Department has an additional Privacy Notice that is used in conjunction with the university’s Data Protection Policy and King’s Core Privacy Notice.
The lawful basis on which we process most personal information is for the fulfilment of an employment contract and our legitimate interests in managing the employment relationship.
We have a contract with you and we need to process your personal data to ensure compliance with the contract and enable management of the employment relationship.
There are sometimes circumstances where we process your personal sensitive information on the lawful basis of legal obligation.
An example is the need to transfer data between King’s and government departments for the purposes of UK Visas and Immigration (UKVI), Disclosure & Barring Service (DBS) or tax administration.
We also process sensitive personal data to comply with our legal requirement under the Public Sector Equality Duty (Equality Act 2010).
This includes the reporting and analytics we carry out regarding personal sensitive information such as gender, ethnicity or sexual orientation.
This data informs projects and initiatives across the university, such as Athena Swan, Race Equality Charter Mark and Stonewall.
The Information Commissioner’s Office provides further information on the lawful bases for processing personal information.
We may amend the HR Privacy Notice to reflect changes in our processing of data. We encourage you to review this notice periodically to stay informed of how the university is protecting your privacy.
Your name, address, telephone number, email address and emergency contact details.
Proof of your right to live and work in the UK.
Your date of birth, legal sex, gender, trans history, nationality, ethnicity, religion, disability status and sexual orientation.
Your employment history prior to King’s; plus other relevant experience, achievements, skills and qualifications.
Your employment references and the results of any pre-employment screening.
Information required to comply with requests from law enforcement authorities or court orders.
The results of interviews and tests in your recruitment process or any promotion process.
Terms and conditions of your employment, any contract variations and your employment history at King’s.
Employee relations details, including information regarding conduct, performance, requests, complaints, grievances and disputes.
Your employee benefits (e.g. childcare voucher schemes).
Pay and pension details, National Insurance number, tax coding and details of the bank or building society account into which your salary is paid.
Reasons for periods of absence (e.g. maternity/paternity leave, sickness absence, unauthorised absence, industrial action).
Health information relevant to your employment at King’s (including any information relevant to adjustments which may reasonably be required in respect of any disabilities).
To pay you; administer your employee benefits; and calculate any tax, National Insurance contributions, pension deductions, deductions for unauthorised absence or industrial action, or statutory payments that are due (e.g. sick or parental leave pay).
To enable management of the employment relationship, and cooperate with any College or external complaints, disciplinary or investigatory process including informing conversations regarding the management of your performance and attendance and dealing with requests, complaints, grievances and disputes.
To supply references to prospective employers.
To enable business decision-making at King’s, e.g. Business Planning Round, UniForum Benchmarking, student education planning and workforce planning.
To fulfil our statutory statistical obligations to organisations such as the Higher Education Statistics Agency (HESA).
To fulfil our legal obligations under the Equality Act 2010 Public Sector Equality Duty.
To enable equality analyses to be data informed, fulfilling our obligation to eliminate discrimination, promote equality of opportunity and foster good relations between different people.
To inform diversity and inclusion projects including Athena SWAN, Race Equality Charter Mark, Stonewall and Business Disability Forum accreditation.
To fulfil our legal reporting duties for gender pay gaps and ethnicity pay gaps.
You provide us with some data when you join King’s and complete the onboarding process. You provide more information when you update your data. During the course of the employment relationship, we also collect information from you and from others internally, such as managers, colleagues and students.
We obtain data from third parties when a pre-employment check is required. For example, this might be from UK government departments such as UK Visas and Immigration (UKVI) or the Disclosure & Barring Service (DBS).
We only share your personal identifiable data if there is a legitimate business reason. For example, we may share your data with teams in the HR and Finance Departments; your manager; and senior management.
Your personal Equality, Diversity and Inclusion data will not be shared with your line manager except to the extent (if any) that it is necessary to enable your line manager to manage the employment relationship, e.g. any disabilities for which adjustments may reasonably be required.
We sometimes use third parties to process data on our behalf, subject to contractual restrictions with regard to confidentiality and security, and in addition to our GDPR obligations. We will not disclose your data to third parties without your consent, except where they are acting as authorised agents for the university for the purposes listed below; or where we are permitted or required to do so under GDPR.
Typical third parties include:
Public authorities and public partnerships such as police or government departments, if required by law.
Businesses contracted to help us deliver services, for example CriticalArc, Cubane Consulting and PeopleInsights.
HESA, as legally required.
Professional bodies such as the General Medical Council, General Dental Council and the Universities and Colleges Employers Association (UCEA).
If you are seconded or deployed to another employer, that employer.
If the King’s undertaking in which you are employed is transferred to another organisation, that organisation.
King’s is legally required to check that staff who are deployed in areas where CQC activity takes place have been vaccinated against COVID-19. To fulfil this legal requirement, King’s will share the National Insurance number, date of birth and home postcode of relevant members of staff with King’s College Hospital NHS Foundation Trust, Guy’s and St Thomas’ NHS Foundation Trust and South London and Maudsley NHS Foundation Trust so that they can verify vaccination status via the National Immunisation Management Service (NIMS) database.
King’s follows the Privacy by Design approach to all new data processing activities. Privacy by Design means that any action a company undertakes that involves processing personal data must have data protection and privacy in mind at every step.
Our systems, drives and email accounts are secure. They are accessed only by authorised users, based on the specific requirements of their roles.
We take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date. We only keep data for as long as it is needed.
King’s Information Compliance team advises on data protection at the start of any new, large-scale activities.
Additionally:
All HR and Finance staff sign confidentiality agreements and complete mandatory data protection training.
Confidential data sent in emails is encrypted and/or password protected.
Access to shared folders where personal information is stored is restricted.
Access to systems is restricted to authorised users.
Security profiles within systems mean users can only access the records and information they need to do their jobs.
The processing of personal and sensitive data to inform diversity and inclusion initiatives is carried out at an aggregate level and does not allow individuals to be identified.
For processing activities detailed in this privacy notice, we do not transfer personal data outside of the UK, unless you are seconded or deployed outside the UK, in which case we will ensure that we meet the requirements of GDPR.
We store your data in line with our retention and disposal schedule, which you can find below.
King’s processes your personal information in accordance with your rights under data protection legislation.
You can find details about your rights under data protection legislation in King’s core privacy notice.
If you have queries about how your rights are upheld, please contact the Information Compliance team at info-compliance@kcl.ac.uk
You can access your information via our Requests for Personal Information webpage.
If you are unhappy with how your data was processed, please contact King’s Information Compliance team in the first instance at info-compliance@kcl.ac.uk
If you are not satisfied with our response, you can then consider taking the matter to the Information Commissioner’s Office.
To keep your information up to date, please see the Managing your personal records at King’s internal page.