Data Protection and Document Retention Statement

Human Resources Department
Data Protection and Document Retention Statement
1. Data Protection Statement
The First Principle of the Data Protection Act 1998 requires that personal data is
processed fairly and lawfully. The Human Resources department is committed to
protecting the privacy and confidentiality of personal information relating to job applicants
and employees.
The University’s Data Controller is the Academic Registrar. Where an individual feels
that the rules of data protection have been compromised within Human Resources, they
should contact the Data Controller or Deputy Director of Human Resources.
Personal data held by the University in Human Resources will be used for the purposes
of recruitment and administering/managing the employment relationship only. Disclosure
of personal information to a third party will only occur with the expression permission of
the applicant/employee, unless the University has a statutory/legal obligation to disclose
the information or it is necessary to protect the vital interests of the individual (e.g. where
disclosing the data is required to fulfil a medical emergency).
1.1 The right to subject access
In accordance with the Data Protection Act, an employee has the right to be informed of
the information held about him/her and to discover to whom it has been disclosed.
Should an employee wish to access their personnel file held in Human Resources, they
must make a formal request to Human Resources in accordance with the University’s
Open Files Policy1.
2. Document Retention
The aim of this Statement is to provide a framework for the retention and disposal of
personal data held in the Human Resources department, which is both sensitive and nonsensitive in its nature.
This Statement is written with due regard to the principles and guidelines laid out in the
Data Protection Act 2008, the Information Commissioner’s Employment Practices Data
Protection Code, the Data Protection (Processing of Sensitive Personal Data) Order 2000
and other guidance available from relevant professional bodies, such as the Chartered
Institute of Personnel and Development.
Where appropriate, reference is made to the retention and disposal of both electronic and
paper files. The Human Resources Department electronic management information
system is ‘Professional Personnel’, provided by Infosupport.
Under the DPA, HE institutions are exempt from furnishing to their employee copies of any confidential
references written about them by the HE institution.
S/HR/Policies/Data Protection Statement (October 2010)
Within this Statement, the time limits for keeping records are based on the time limits for
potential tribunal or civil claims. Where the recommended retention period given is 6
years, this is based on the 6 year time limit within which legal proceedings must be
commenced as laid down in the Limitation Act 1980
2.1 Recruitment
In applying for vacant posts at York St John University, applicants provide information by
way of the following:
Application Form
Personal Details Form
Equal Opportunities Monitoring Form
These are retained in paper format throughout the selection process and personal details
recorded within the Recruitment Module of Professional Personnel.
Recruitment files are ‘closed’ once the interview process has been concluded. The Equal
Opportunities Monitoring Forms, which contain sensitive personal data2, are removed
and destroyed immediately. Application Forms, Personal Details Forms and other
documentation associated with the selection process are retained for a period of 6
months in a secure, fireproof cabinet, after which time they are also destroyed.
As regards the sensitive and non-sensitive data held electronically, this will be retained
for an appropriate period for the purpose of statistical, historical analysis in accordance
with the University’s commitment to keep under review the existence or absence of
equality of opportunity of treatment.
2.2 Personnel Files
Personnel files, including disciplinary records, will be retained for 6 years after an
employee’s employment ceases with YSJ. As standard, all personnel files include the
following documents:
Application Form.
Equal Opportunities Monitoring Form.
Two references.
Asylum and Immigration documentation (copy of passport or full birth certificate
plus document containing National Insurance number).
Appointment form including personal details, bank details and emergency contact.
Pre-employment fitness declaration (plus Occupational Health clearance if
Pension forms.
Copies of qualifications (if appropriate)
Medical certificates and self-certificates.
Section 2 of the DPA refers to sensitive personal data to mean data regarding an individual's race or ethnic
origin, political opinion, religious beliefs, trade union membership, physical or mental health, sex life, criminal
proceedings or convictions.
S/HR/Policies/Data Protection Statement (October 2010)
In relation to personal data held electronically, this will be retained for an appropriate
period for the purpose of statistical, historical analysis. Personal data held electronically
on the HR database includes:
Name, address, date of birth, national insurance number, emergency contact.
Equal opportunities data (gender, ethnic origin, disability, nationality,
religion/belief, sexual orientation).
Sickness absence history.
Senior Executive records will be retained permanently for historical reasons. For the
purposes of this Statement, Senior Executive roles are considered to be the Vice
Chancellor and Deputy Vice Chancellor.
2.3 Statutory Retention Periods.
Health and Safety legislation places specific obligations on employers in relation to
record retention. These require that medical records are retained for 40 years from the
date of last entry:
 Under the Control of Lead at Work Regulations 1998
 As specified by the Control of Substances Hazardous to Health Regulations 1999
(COSHH), and
 Under the Control of Asbestos at Work Regulations 1987/1998
Where these apply, personnel files will be maintained by the University for 40 years.
3. Working off site
The seventh principle of the Data Protection Act (1998) requires that ‘Appropriate
technical and organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of, or damage to,
personal data’. It is recognised that, on occasions members of the HR Team may be
required to work outside of the office. This could take the form of using home computers,
lap tops or palm computers, which do not necessarily have the requisite security
measures that are present on computers within the HR Office. This will only be allowable
if the devices have relevant encryption software, which can be provided by IT Services,
and are password protected. Under no circumstances should personal data of employees
by transported on portable storage devices, such as memory sticks.
Wherever possible, personal data will not be worked on outside of the office. However, it
is recognised that this may be necessary, in exceptional circumstances.
4. Personal files held in Departments/Faculties
It is recognised that Departments/Faculties maintain their own personal records relating
to employees in their area. Where this is the case it is a requirement that these are held
in a secure, lockable cabinet and treated with appropriate levels of confidentiality. All
information held in local files must be sent to the HR department when an employee
leaves the employment of York St John. This includes any information held
electronically, such as e-mails. HR will place this information in the employee’s central
personnel file, which is retained for 6 years.
S/HR/Policies/Data Protection Statement (October 2010)
5. Purpose of HR Data
Personal data held by HR is primarily used for reporting purposes. This includes:
Informing workforce planning.
Equal opportunities profile mapping.
Sickness absence.
KPI Monitoring.
6. Checking/amending personal data
If employees need to update their personal information they should contact the Human
Resources department: E: T: 01904 876955/6435.
S/HR/Policies/Data Protection Statement (October 2010)