Skip to main content

Data protection notice for staff

This notice sets out how the university deals with the personal information of people employed at the university.

This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.

Identity of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with data protection legislation. In order to carry out its functions and obligations in respect of your recruitment and employment, it is necessary for the university to collect, store, analyse, disclose and otherwise process your personal data.

The university is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

What personal information do we collect about you?

The following gives an indication of the types of information which are currently collected and processed at different stages from application through to appointment and throughout your employment at the university:

  • your name, address and contact details, including email address and telephone number
  • your date of birth and gender
  • ID photograph* and staff number
  • details of your qualifications, skills, experience and employment history with previous employers and with the university
  • information about your remuneration, including entitlement to benefits such as pensions
  • details of your bank account and national insurance number
  • your marital status, dependants and emergency contacts
  • your nationality and entitlement to work in the UK
  • information about any criminal records
  • details of your schedule (days of work and working hours) and attendance at work
  • details of periods of leave taken by you
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
  • assessments of your performance, including PDRs, performance improvement plans and related correspondence
  • information about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments and also details of any referrals to Occupational Health
  • equal opportunities monitoring information including information about your ethnic origin, sexual orientation and religion or belief
  • Welsh Language skills

This personal data includes categories of data classed as ‘special categories’ such as that collected for equality of opportunity monitoring (e.g. ethnicity, religious beliefs or sexual orientation).

The university may collect this information in a variety of ways. For example, data might be collected through the application process, obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

We will also hold information supplied by third parties such as references from former employers and information from criminal records checks (if necessary for your role).

*Your photograph will be used, where necessary, for the purposes of identifying you in the course of the university’s legitimate business, and will appear on your university ID card. Appropriate provision will be made for those wishing to cover their face for religious reasons.

What is our legal basis for processing your personal data?

There are a number of legal ways in which we can process your data, the most relevant include:

Legal basisExplanation


By becoming a Cardiff University member of staff, we will be required to collect, store, use and otherwise process information about you for any purposes connected with teaching, support, research, administration, your health and safety and for other reasons deemed necessary for the purpose of entering into or for the performance of your contractual agreement with the university. We will also use your information for certain purposes after you cease to be an employee. See GDPR Article 6(1)(b).


The university will obtain consent from you in order to assist with your pastoral and welfare needs (e.g. the counselling service and services to staff with disabilities). See GDPR Article 6(1)(a).


Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests - but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. See GDPR Article 6(1)(f).


Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university (see GDPR Article 6(1)(e)) and for statistical and research purposes. See GDPR Article 89.


Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.


Processing of Special Categories data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010. See GDPR Article 9(2)(j).

Some sensitive personal data (referred to as Special Categories) such as ethnic origin, sexual orientation and also including information about health or medical conditions, is processed in order to carry out employment law obligations GDPR Article 9(2)(b) and to comply with other legislation such as the Equality Act 2010 and Health and Safety at Work Act 1974.

For what purposes will your information be used?

The purposes and related legal basis (number in brackets) under which the university may process your personal data are as follows, (although given the complexity of the relationships that the university has with its staff, this is not exhaustive):

  • staff administration (including recruitment, appointment, provision and uptake of references, training, promotion, performance assessment, disciplinary matters, health, pensions and other employment related matters) (1)
  • access to, and security of, university facilities (including library services, computing services, sports and conference facilities) (1)
  • To assist in pastoral and welfare needs (eg the counselling service and services to staff with disabilities) (2)
  • accounting and financial purposes including pay and expenses (1)
  • workforce planning and other strategic planning activities (1)
  • internal and external auditing purposes (5)
  • meeting health and safety obligations and to ensure that reasonable adjustments are put in place (5)
  • to fulfil equality of opportunity monitoring obligations (5)(6)
  • promotion of the university’s academic expertise profile and furtherance of the university’s development programme, as appropriate (4)
  • the production and, as appropriate, distribution of research and educational materials (4)
  • respond to and defend against legal claims (5)
  • collection of CCTV images for the prevention of crime and prosecution of offenders and other purposes as per our CCTV Code of Practice (3)
  • carrying out statutory duties to provide information to external agencies (see ‘Sharing information with others’ for further details)
  • and other activities that fall within the pursuit of the university’s legitimate business and do not infringe your rights and freedoms (3).

Sharing information with others

Where necessary the university will disclose, outside the university, relevant items of your personal data.

Disclosure to


Government departments and other UK agencies with duties relating to the prevention and detection of crime, apprehension and prosecution of offenders, collection of a tax or duty, or safeguarding national security.

In order to meet statutory requirements and otherwise as necessary in the public interest, and with consideration of your rights and freedoms. (Includes HMRC, Department for Work and Pensions, Home Office UK Borders Agency, Passports and Immigration and the Police).

The Higher Education Funding Council (HEFCW) and its agents.

In order to meet statutory requirements including providing data to the Higher Education Statistics Agency (HESA) and the Quality Assurance Agency. You are advised to refer to the collection notices on the HESA website for further details about what information will be disclosed.

NHS organisations in England and Wales.

Where this is necessary for management purposes in connection with the performance of your contractual or honorary contract duties.

Professional bodies (e.g. General Medical Council, Royal Society of British Architects, Law Society).

Where this is necessary for course accreditation purposes and/or the performance of your contractual duties.

Research funding bodies, project partners, third party auditors and their agents

Where this is necessary to comply with the funding bodies’ requirements for research project audits and/or verification processes in line with legal obligations agreed within the project documentation.

Research - Wellcome Trust

We will share upheld allegations of bullying or harassment with respect to staff members who are apply for or in receipt of Wellcome Trust funding. This will only be the case where there is a current disciplinary warning or active sanction in place.

Potential employers or providers of education whom you have approached.

For the purposes of confirming your employment with Cardiff University.

Members of the public.

When required by the Freedom of Information Act 2000 and the disclosure does not breach any of the Data Protection Principles.

The university may from time to time make other disclosures without your consent where necessary and where another legal basis applies. However, these will always be in accordance with the provisions of Data Protection legislation and your interests will be considered.

Who will have access to your data?

Your information may be shared internally, including with members of the HR Department (including payroll and pensions), your line manager and other members of staff where necessary to perform their role.

The university may share your data with third parties in order to obtain references with regards to recruitment or promotion from other employers or individuals, or to obtain necessary criminal records checks from the Disclosure and Barring Service. We may also share data with third parties where necessary to support specific functions eg to obtain endorsements to support academic promotions, to enable benchmarking data for the university.

How long will your information be held?

Elements of your personal data will be retained securely by the university in accordance with the university’s Records Management Policy and Records Retention Schedules for a specified period of time after your employment with us ceases.

Your data protection rights

Under data protection legislation you have a number of rights such as a right to request a copy of your personal data held by the university. To find out more about your rights and how you can exercise them please see our web page your data protection rights.

Your responsibilities

You have a responsibility to keep your personal details accurate and up to date by updating your details via the CORE Portal or where this is not available, through notification to the university’s human resources division. Where, in the course of your employment, you submit to the university the personal information of others (i.e for next of kin) you should ensure that you have the permission of those individuals to do so.

You also have responsibilities under the data protection legislation for any personal data relating to other people which you may access whilst at the university. This responsibility is in addition to any obligations arising from professional ethics or codes of conduct.

It is a criminal offence for staff to knowingly and recklessly disclose personal data to anyone who is not entitled to receive it or to seek to obtain data to which they are not entitled. The university will take a serious view of any breach of data protection legislation by any of its members, including the consideration of disciplinary action as per our data protection policy.

Do we transfer information outside the UK?

Generally, information you provide to us is stored on our secure servers, or on our cloud-based systems. These are located within the UK or in countries/areas which are considered to have adequate privacy and information security provisions, such as the EEA. However, there are times when we will need to store information outside these locations and where we do we will carry out transfer risk assessments where required to ensure that appropriate security measures are taken to protect your privacy rights. This may mean imposing contractual obligations on the recipient of your personal information where no other relevant safeguards exist. Technical measures such as encryption will also be considered.

How to raise a query, concern or complaint

If you still have queries, concerns or wish to raise a complaint, details of how you can contact the university data protection officer and the Information Commissioner’s Office are available on our Data protection page.

Updated: February 2023