Staff Privacy Notice for past, present and prospective staff of Alexander College
What is the purpose of this Privacy Notice?
Alexander College collects and processes personal data relating to its staff to manage the employment relationship, to conduct its operations effectively, and to fulfill its legal and regulatory responsibilities. The College is committed to being transparent about how it collects and uses that data to meet its data protection obligations.
This Notice explains how Alexander College will collect, use and share your personal data and sets out your rights in relation to your personal data.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This can be summarised as information that we hold about an individual employee from which they can be identified.
It may include but may not be limited to the following:
- Personal contact information such as name, title, address, telephone number(s) and personal and / or company email addresses.
- Date of birth.
- Details of next of kin or dependents.
- Employment records (including job titles, start date, work history, working hours, training records and professional memberships).
- Workplace location.
- Salary and benefit details and history including payroll records and tax records/information.
- Holiday and absence records.
- Copy documents such as passport or identity card or other identification document provided to us as part of our legal obligation to report to the various departments of the Ministry of Labour and Social Insurances.
- Recruitment information (including references and other information included in a CV or cover letter or as part of the job application process).
- Information relating to qualifications and performance including appraisal records.
- Disciplinary and grievance information.
- CCTV footage and other information obtained through electronic means such as swipecard records, time and attendance data.
- Information about an employee’s use of our information and communications systems.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Sensitive Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
How is Personal Data collected?
Typically, an employee will have provided Personal Data or we have recorded Personal Data about the employee in connection with or in the course of their employment.
We will pass Personal Data to a third party such as our payroll provider, HR advisers or training providers.
For what purposes is Personal Data used?
We will only use Personal Data when the law allows us to which can be summarised under the following headings:
(a) Consent: an individual has given clear consent for us to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for us to comply with the law.
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party.
Details of the Personal Data that we are most likely to process are set out in Appendix One.
What safeguards are in place?
We will comply with the data protection principles applying in Cyprus which states that Personal Data must be:
- processed fairly, transparently and lawfully ;
- obtained only for one or more specified and lawful purposes and not be further processed in any manner incompatible with that purpose or those purposes;
- be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- be accurate and, where necessary, kept up to date;
- shall not be kept for longer than is necessary for lawful purposes;
- protected by having appropriate technical and organisational measures in place to safeguard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, the Personal Data;
and in addition Personal Data:
- shall be processed in accordance with the rights of data subjects under applicable legislation;
- shall transferred to a country or territory outside the European Economic Area only in order to fulfil the request of a client and the same time we will ensure that the organisation we will transfer the data to will apply an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
What rights and obligations do Employees have?
Duty to inform us of changes
It is important that Personal Data is kept accurate and up to date. Employees should please advise us if their personal information changes whilst they are employed by us.
Rights in connection with Personal Data
Under certain circumstances, individuals have the right to:
- Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about them.
- Request the erasure of Personal Data. An individual may ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. An individual may also request that we stop processing Personal Data where we are relying on a legitimate interest and there is something about their particular situation which permits an object to process on this ground.
- Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
- Request the transfer of Personal Data to another party.
- Individuals who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data or request that we transfer a copy of Personal Data to another party, please contact our nominated Data Controller.
What we may need to comply with a Data Subject Access Request
We may need to request specific information to help us confirm a lawful right to access the information (or to exercise any other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to access it.
No fee is usually required to access Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Right to withdraw consent
In certain circumstances, consent may be required for the processing of Personal Data. Where an employee provides such consent to the processing of Personal Data for a specific purpose, that employee has the right to withdraw consent for that specific processing at any time. To withdraw consent, please contact the nominated Data Controller. Once notification is received that consent has been withdrawn, we will no longer process Personal Data for the said specific purpose unless we have another lawful basis to do so.
Amending this Privacy Notice
We may update this Privacy Notice from time to time and we will issue a new privacy notice when we make any material changes including when we the identity of the Data Protection Officer changes.
Appendix One – Data Processing
The situations in which we are most likely to process Personal Data are in connection with the following processes set out below:
- Dealing with recruitment or appointment and termination matters including the assessment of experience, qualifications and overall suitability for a particular role.
- Administration of matters connected with the employment relationship.
- Payroll and benefit provision.
- Managing our business including accounting, forecasting, planning, scheduling and auditing.
- Conducting appraisals, managing performance and determining performance requirements.
- Dealing with grievance and disciplinary matters.
- Dealing with training and development requirements and related issues.
- Dealing with conflicts and disputes involving employees.
- To monitor the use of our information and communication systems to ensure compliance with our IT policies.
- Managing absence including assessing fitness to work.
- Health and safety matters including compliance.
- To prevent fraud.
- To ensure effective general HR and business administration.
- To provide references on request for current or former employees.
- To respond to and defend against legal claims.
- To maintain and promote equality in the workplace.
We believe that we have a legitimate interest in processing the above Personal Data in the context of the overall employment relationship. Some of the above grounds for processing may overlap and there may be several grounds which justify our use of Personal Data.
Appendix Two – Our safeguarding measures
Please note that will only transfer Personal Data to countries or territories that do not have an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data only in the course of our business and after having evaluated the level of protection of personal data they apply.
We do not use any Personal Data for automated decision making or other forms of profiling.
We aim to keep Personal Data accurate and up to date. Data that is out of date or inaccurate will be amended when we are made aware of that. Employees should notify us if they become aware of any inaccuracies in their Personal Data held by us.
We will not keep Personal Data for longer than is permitted. This means that some data will be destroyed or erased from our systems 2.5 years after the termination of the employment and the remaining seven years after the termination of the employment or when it is no longer lawfully required. For regulatory purposes, we are required to keep certain Personal Data for a seven-year period after which it is securely destroyed.
We have in place procedures and solutions to maintain the security of all personal data from the point of collection to the point of destruction and have taken appropriate measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of personal data. For example, we take the following steps to protect data:
- Staff is trained in relation to the importance of privacy and data security.
- Electronic files can only be accessed via password logins
- Only a limited number of staff has access to the employee data.
We will only pass Personal Data to third parties where we are lawfully obliged to do so. For example, an employee may ask us to provide their salary details to a building society when they apply for a mortgage or we may lawfully pass data to our payroll adviser in order to ensure that employees are paid.
We will not disclose Personal Data to a third party without consent unless we are satisfied that they are legally entitled to the data. Where we do disclose Personal Data to a third party without consent, we will only do so where that third party has confirmed that it has in place adequate measures to protect Personal Data.