This notice explains how Human Resources and Development (“HR & D”) of Cranfield University (“the University”, “we” and “our”) will collect and use, or otherwise process, the personal data of our employees to manage the employment relationship. The notice also covers those who have a temporary or ongoing relationship with the University (e.g. those not registered as staff or students, for example a visiting/academic fellow or emeritus professor) (“you” and “your”).

In broad terms, your data is used to manage the University’s relationship with you, including welcoming you to the University community, engaging with you during your time here, and continuing your relationship with the University following your departure. We are committed to ensuring that your personal data is handled in accordance with the principles set out in Data Protection legislation, as in force from time to time.

What information do we collect about you?

In order to carry out our duties as an employer and host, we must collect and process your personal data. We may also generate personal data about you in connection with your activities as part of, or interactions with, the University community.

A record relating to your employment or visit will be held by HR & OD. Information may also be held by individual departments, such as security (regarding your access to the site and CCTV images) and IT (regarding your use of computing facilities). Please consult the Intranet pages to view privacy notices applicable to classes of personal data.

We collect and process your personal data for a number of purposes, including (but not limited to), records of:

  • your application (including results of any testing), your qualifications, references and your terms of employment;
  • your personal details such as name, date of birth, diversity data, contact and next-of-kin details, financial details such as bank account, and National Insurance number;
  • your immigration and employment status, including details of any visa you hold and copies of passports;
  • your position, salary and grade details, including data held on staff organograms;
  • your superannuation and other pension provisions;
  • your career progression, including probation details, performance development reviews, learning and development training, promotions and the HAY job evaluation;
  • workload, academic contribution models and work allocation details;
  • information on any clearances required, such as Disclosure and Barring Service check;
  • audio and/or video recording data of staff giving lectures, presentations and workshops;
  • details of absences including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • grievances, disciplinary proceedings or investigations prompted by or relating to you;
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief;
  • Health and Safety matters (including accident reports);
  • results of any assessments and/or occupational testing;
  • photographs, video/audio recordings relating to promotional and research activities; and
  • for academics, data pertaining to accreditations.

The University may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

Records kept will include relevant correspondence between you, us and/or third parties, as applicable.

To the extent that we have a contract with you, the primary legal basis for processing your personal data is that the processing is necessary for the performance of our contract/relationship with you, or in order to take steps at your request prior to entering into a contract.

In addition, processing of your personal data may be necessary for compliance with our legal obligations, or may be necessary in pursuit of our legitimate interests (where we have concluded that our interests do not impact inappropriately on your fundamental rights and freedoms). We have a legitimate interest in fulfilling our employment duties and obligations, and managing our relationship with you.

Sensitive personal data

Our records as set out above will, by necessity, include details of special category personal data, or data concerning criminal offences. We will only process such data in relation to you where the processing meets one or more of the conditions for processing such data, as set out in Data Protection legislation:

  • We have a number of employment law duties and obligations, which require us to process special category and criminal conviction data, including those relating to ensuring the fair treatment of employees, and maintaining a safe and secure working environment.
  • In addition, where necessary, special category data will be processed for the purposes of preventive or occupational medicine, including in order to assess the working capacity of an employee;
  • Certain processing may also be necessary processing to enable the establishment, exercise or defence of legal claims, or for research and statistical purposes.

We also request you to declare diversity data (protected characteristics) at the time of your application for a post and through equality monitoring exercises. Provision of this data, which is processed by us for statistical purposes, is optional.

Sharing and disclosing your personal information

Data is held by HR & OD in confidence, with access to manual and electronic personnel files carefully controlled. The contents of your file may ordinarily only be seen by selected members of the HR & OD community, and other persons, as authorised by the Director of Human Resources.

Access to personal data held by individual departments will be limited in accordance with that department's operational needs.

We may disclose certain personal data to external bodies in compliance with legal obligations. The amount of information provided to external bodies is limited to that which is permitted by Data Protection legislation.

Non-exhaustive examples of bodies to whom we are required by law to disclose data are:

Disclosure to Reason
Home Office, UK Visas and Immigration To fulfil the University's obligations as a visa sponsor
Verifile, the Disclosure and Barring Service (DBS)
and National Security Vetting (NSV)
Required for certain sensitive posts to assess applicant's suitability for positions of trust or where the post works with vulnerable people or children.
The Office for Students (OfS) Data submitted for the Research Excellence Framework (REF) which is a system for assessing the quality of research in higher education.
Data submitted for the Prevent duty (framework for monitoring in higher education in England)
HM Revenues & Customs (HMRC) Real Time Information released to HM Revenue & Customs (HMRC) in order to collect Income Tax and National Insurance contributions (NICs) from employees.
Higher Education Statistics Agency (HESA) Some information will be sent to the HESA for statistical analysis and to allow government agencies to carry out their statutory functions.
You are advised to refer to the HESA staff collection notice for further details
Universities Superannuation Scheme (USS)
and Local Government Pension Scheme (LGPS)
Data required for the provision of pensions by these providers.

We may also disclose certain personal data to external bodies where it is in our legitimate interests to do so, for example as part of our relationship with you, or for the purpose of aiding police and similar authorities in their investigations. We also have a legitimate interest in outsourcing data processing activities to third parties, where appropriate and in accordance with requirements of Data Protection legislation. Again, the amount of information provided to external bodies is limited to that which is permitted by Data Protection legislation.

Non-exhaustive examples of information we may elect to disclose are set out in the table below.

Disclosure to Reason
Agencies with responsibilities for the prevention and detection of crime,
apprehension and prosecution of offenders, or collection of a tax or duty.
As necessary, and with appropriate consideration of your rights and freedoms
Mortgage lender and letting agencies In order to allow these organisations to verify for mortgages and tenancy agreements.
Release of this information is subject to a written request being received from the employee.
Occupational Health and
our Employee Assistance Provider
To enable the provision of these facilities.
Third party data processors To facilitate the activities of the University.
Any transfer will be subject to an appropriate, formal agreement between the University and the processor.

Transferring information overseas

Your personal information may be transferred outside of the United Kingdom and where this occurs it will always take place under legitimate processing purposes and with the following controls. For example, personal data may be processed by a third-party provider, such as SHL's Talent Assessment Services, who state that a limited number of their personnel in the U.S. and India offices may also have access to Personal Information. Where this occurs, the transfer will be done on the basis that anyone to whom we pass it to protects it in the same way we would and in accordance with applicable laws. Therefore, when we transfer your information to countries outside of the), UK, we will only do so where;

  • the transfer has been authorised by the relevant data protection authority; and/or
  • we have entered into a contract with the organisation with which we are sharing your information (on standard contractual terms approved by the relevant regulatory authorities to ensure your information is adequately protected). If you wish to obtain a copy of the relevant data protection clauses, please contact the GDPR Team at

How long we keep your personal information

The University will keep your personal data only as long as is necessary to conclude the purpose(s), as set out above, for which it was collected. All data is held incompliance with Data Protection legislation, and in accordance with the Data Retention Schedule.

Automated decision-making

Employment decisions are not based solely on automated decision-making.

Your rights

You have the right: to ask us for access to, rectification or erasure of your data; to restrict processing (pending correction or deletion); to object to communications; and to ask for the transfer of your data electronically to a third party (data portability). Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

If you wish to make such a request, please write to:

University Data Protection Officer
Executive Office
Cranfield University
MK43 0AL


You retain the right at all times to lodge a complaint about our management of your personal data with the Information Commissioner’s Office at

Last update

This statement was last updated on 11 January 2021.