Privacy notice: ad hoc workers

This privacy notice tells you what to expect us to do with your personal information when you are an ad hoc worker at the University of Central Lancashire (UCLan). Personal information (or personal data) is any information which relates to and identifies you. Data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA)) set out how we should handle your personal information.

The University of Central Lancashire Higher Education Corporation is the controller for the personal information we process, unless otherwise stated. We are registered with the Information Commissioner’s Office and our registration number is Z5512420.

There are many ways you can contact us, including by phone, email, social media and post. Please see our main contact details on our website.

You can contact the People Team on 01772 89 2324 or email: peopleteam@uclan.ac.uk

UCLan’s Information Governance Manager & Data Protection Officer can be contacted on DPFOIA@uclan.ac.uk. Further information and contact details can be found on the data protection pages of our website.

Most of the information we use is provided by you directly or generated by you as a result of the work you do for the University. This includes information collected via the ad hoc worker system (Dashboard Technology); identity documents including biometric cards; forms completed by you at the start of, or during, work; information you provide in correspondence; or through interviews and meetings. The People Team or the service that engages your services may also collect information about you from third parties, such as references, providers of background checks for workers and criminal record checks.

Where relevant to the work you are undertaking, the University also uses your photograph; information you generate as a result of your use of corporate systems including the email system; CCTV images captured by our CCTV system; and financial information about you. If you are a part of our academic community, we may also use information about you generated as a result of research you undertake, whether at UCLan or another institution.

When you undertake any work for UCLan, we use information about you for a variety of purposes. The main purposes are set out below.

For People Team purposes and the administration of the work you undertake

We use your information to provide a People service and administer all elements of the work you undertake, including: managing your engagement; maintaining accurate and up-to-date records and contact details of workers; ensuring effective general People and payroll administration, including auto-enrolment in a pension scheme where criteria are met; ascertaining your eligibility to work in the UK; complying with employment and equality law; responding to and defending against legal claims; and maintaining and promoting equality, diversity and inclusion within the workplace.

Operation of the University’s regulations, policies, procedures and codes of practice

We will use information about you if you make, or are the subject of, a complaint or allegation involving another ad hoc worker, a student, member of staff or external party under any of the University’s rules, regulations, policies, procedures or codes of practice. We may also use information about you that is publicly available, such as information posted to social media and other public forums, where this is relevant in a particular case e.g. complaints about inappropriate posts on social media. Information will be used to investigate complaints or allegations, manage the outcomes and put in place any remedies, including additional support or disciplinary measures.

Security and crime prevention

The University operates a CCTV system for security and crime prevention purposes. This covers University buildings (inside and outside) and public areas across our campuses. Your images are likely to be captured by the CCTV system while you are on, in, or near University premises. CCTV footage will be used to maintain the security of the University community, enhance public safety, prevent and detect crime and apprehend and prosecute offenders. CCTV footage may be used, where there is a lawful basis, in the investigation of complaints and allegations made under the University’s rules, regulations, policies, procedures and codes of practice. Further information is available in our CCTV Privacy Notice.

We make available the SafeZone app to the University community. If you are eligible to use SafeZone and you choose to use the app, will use information (including location data) collected via your use of the app to help ensure the safety of you and others on and around campus (or anywhere else in the world, if you use the app elsewhere), and manage and monitor check-ins and alerts. We will also use SafeZone to send emergency text alerts (and push notifications, if you have downloaded the app) in the event of a serious incident, campus closure, significant IT issue, etc. that we need to notify lots of individuals about at the same time. The SafeZone app is provided on our behalf by CriticalArc, a third party under contract to the University.

All University buildings have security access controls and require you to scan your corporate card to enter and exit. The door entry system collects information each time your card is used to show the date and time you enter and leave a particular building. This information is used to ensure that only authorised individuals can access our buildings; it is also used to check building occupancy for safety and security purposes, and for research purposes to establish patterns of use of buildings and services across our estate.

Delivery of facilities and services

Where applicable, depending on the work you are engaged to undertake, we will use your information to provide you with services and facilities such as an IT service, library and parking permits.

We use your photograph for identification purposes on your corporate card, if you are eligible for a card. If you are eligible for an email account, we also make your photograph available within our internal email system for identification purposes, to enhance security and to promote strong working relationships.

To provide an effective IT service, if you are eligible we use your information to create a network account, monitor the use and security of our systems and networks, including managing our multi factor authentication solution to enable you to access our systems, provide technical support and for all related administrative and security purposes, including system testing and development. Where we provide you with an email account, we will have access to all the emails you send and receive from that account and may access email content for legitimate business or employment purposes. Further information can be found in the Email Use Policy.

Communicating with you

We will use your information to communicate effectively with you via email, post, telephone, text (SMS), social media or other methods, as appropriate. We will send you messages about a variety of things such as the administration of the work you are undertaking, events and activities happening at the University or notify you of emergency or other significant situations relating to the University which may affect you.

Research, reporting and statistics

We will use your information to compile statistics and for research, surveys and market research to help with corporate planning, reporting and University administration.

Monitoring and compliance

We will use your information to ensure and monitor our compliance with legislation including laws relating to equality, health and safety and immigration. We will also use your information to monitor our compliance with regulatory requirements set by external agencies.

The University relies on the following lawful bases from the UK GDPR to process information about you for the purposes set out in this notice:

Article 6(1)(b), which allows us to process personal data when it is necessary for the performance of a contract or for steps taken with a view to entering into a contract. You indicate you would like to enter into a contract for services with us when you register on Dashboard, and you enter into a contract for services with us (your contract) when you accept an offer of work via Dashboard and become an ad hoc worker. Under your contract, we administer all activities associated with the performance of the work you are engaged to undertake and your status as an ad hoc worker, including communicating messages to you in a variety of formats. We require you to provide any information we reasonably request for these purposes otherwise we cannot deliver your services contract.

Article 6(1)(c), which allows us to process personal data when it is necessary to comply with a legal obligation, such as our obligation to provide reasonable adjustments under the Equality Act 2010 if you request them, as well as monitoring compliance with laws relating to immigration (e.g. visas) and health and safety, among other things.

Article 6(1)(e), which allows us to process personal data where it is necessary to perform a task in the public interest. Internal reporting, monitoring, research and auditing are carried out as part of the performance of our public tasks.

Article 6(1)(f), which allows us to process personal data where it is in our, or someone else’s, legitimate interests to do so and it does not unduly prejudice your rights and freedoms. We rely on this condition to, among other things:

• communicate marketing messages to you (unless you opt out). It is in the University’s legitimate interests to promote its services, courses and events to those who may be interested.
• monitor and test the security and appropriate use of our IT networks and associated technology.
• provide a security service and CCTV monitoring. It is in the interests of the University community and the general public to make UCLan a safe and secure place to work, live and study.
• produce some internal reports, research and statistics. It is in our legitimate interests to use these to evaluate, plan and assess how the University is operating and make any changes we think are appropriate and will benefit current and future workers, staff and students.

We also process some information only if you provide your consent. In this case, Article 6(1)(a) applies, and Article 9(2)(a) applies where the information is special category data (special category data is information about your race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for ID purposes, health, sex life or sexual orientation). It will be clear where we are relying on your consent to collect and use your information because consent will be requested at the time you provide the information. When you are asked for consent, we will explain why we are asking for the information and how we will use it if you choose to provide it. Consent can be withdrawn at any time and we will explain how you can do this in each individual case.

Where we process special category data for the purposes set out in this notice, we rely on the following additional lawful bases from the UK GDPR and DPA:

Article 9(2)(g) UK GDPR, which allows us to process special category data if the processing is necessary in the substantial public interest and there is a basis to do so in law. The law which allows us to rely on this basis is section 10 DPA by virtue of Schedule 1(6) and Schedule 1(8) DPA. Schedule 1(6) DPA enables us to process special category data where we are required to do so by law, such as when we comply with the Equality Act 2010; Schedule 1(8) DPA enables us to process information such ethnicity, religion, sexual orientation or data concerning health for equality monitoring purposes.

When processing special category data in reliance on the above conditions from Schedule 1 DPA the University must have an appropriate policy document, which can be read here: Data Protection: Processing special category data and criminal convictions data.

Article 9(2)(j) UK GDPR, which allows us to process special category data for archiving, scientific or historical research purposes or statistical purposes, where there is a basis to do so in law. The law which allows us to rely on this basis is section 10 DPA by virtue of Schedule 1(4) DPA.

We share your information with a range of external organisations and bodies, some of which are processing personal data on our behalf. We only share your personal data with another person or organisation where the law allows us to and we consider it to be appropriate under the circumstances. The external parties we may share information with include the following:

• Government agencies and authorities, including the police and DWP for the prevention and detection of crime, apprehension and prosecution of offenders, the collection of tax or duty and safeguarding national security, among other things.
• Executive agencies or non-departmental public bodies such as UK Visas and Immigration, HM Revenue and Customs and the Health and Safety Executive.
• Professional and regulatory bodies if this is relevant to the work you are engaged to undertake.
• University insurers: information, including accident forms, is shared with our insurers to provide insurance cover and to enable us to make insurance claims.
• Internal and external auditors to provide assurance that the University is following its risk management, governance and internal control processes and to independently inspect our financial statements and records.
• Companies or organisations acting on our behalf: We use processors who are third parties who provide elements of services for us, for example Microsoft, which provides our email system and other Office products and apps; and Dashboard, which provides our system for registering and managing ad hoc workers. We have contracts in place with our processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct.

Occasionally we may need to send your personal information outside the European Economic Area (EEA) e.g. to obtain references or a service from a processor. In the case of references, these transfers are carried out because they are necessary steps in the engagement process. All other transfers are carried out with appropriate safeguards in place to protect your information and ensure it remains secure, such as the UK International Data Transfer Agreement or the UK International Data Transfer Addendum.

Records relating to the work you undertake at the University will be retained for various time periods depending on the activity they relate to. Generally, records relating to People Team purposes will be retained for a maximum of six years following the termination of your services contract. There are exceptions, such as information relating to accidents at work; this information is retained for 40 years after the termination of your services contract.

Other information associated with the work you undertake, such as information relating to your IT network account (if applicable) and network monitoring, is retained for one year after the end of the specific activity. For example, network monitoring records will be kept for one year following the end of the monitoring activity.

Further information about retention periods can be obtained from the University’s retention schedule by contacting your work coordinator, if you do not have access to the staff intranet.

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Further information about each of these rights can be found on the Information Commissioner’s Office website. To make a request to exercise any of these rights, please contact the Information Governance Manager & Data Protection Officer on DPFOIA@uclan.ac.uk.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. For further information or to make a request, please see the data protection pages of our website.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to any processing we carry out, if we carry it out on the basis that it forms part of our public task or is in our legitimate interests. You also have the right to object to your personal information being used for direct marketing purposes.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information because we have your consent or because it is necessary for your contract, and the processing is automated.

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact the relevant part of the University or the Information Governance Manager & Data Protection Officer and we will respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office, which is the UK supervisory authority for data protection. Further information can be found on the data protection pages of our website.