Privacy notice for employees, casual workers and contractors


We could not exercise our responsibilities and fulfil our employment, training and support obligations to you without collecting, holding and using your personal data. This guide explains what we do with your personal information and why. When you use other University services, we will give you further information at that time.

This Guide applies to candidates who register on our i-recruitment system; applicants who actively apply for a live vacancy and are assessed at one or more stages of the recruitment and selection process; employees and former employees, casual workers and contractors engaged to carry out work for us.

Who is the data controller

Heriot-Watt University is the Data Controller for personal data we hold about you for all the categories above. Where we use the term ‘University’, this includes all members of the Heriot-Watt University Group. If you work for Heriot-Watt University Malaysia (HWUM) it is a legal entity in its own right and is, the data controller. Heriot-Watt University processes your data on its behalf. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulation (GDPR) and other privacy laws, such as the Malaysia Personal Data Protection Act, 2010, that apply in the countries in which the University operates.

What personal information we collect and use

We collect and hold personal information in all formats for the purposes set out in this guide:
  • Personal and family details
  • Education and training records
  • Relevant employment details
  • Financial information
  • Disciplinary and attendance records
  • Goods or services provided
  • Visual images, personal appearance and behaviour

Where this is necessary to meet a legal obligation, or with your consent, we may also process sensitive information, also known as special categories of data, which may include:

  • Age
  • Criminal proceedings, outcomes and sentences
  • Disability
  • Family life
  • Marriage and Civil Partnership
  • Offences and alleged offences
  • Physical or mental health details
  • Pregnancy and maternity
  • Racial or ethnic origin
  • Gender reassignment
  • Religion and belief (inclludinh no belief)
  • Sex
  • Sexual orientation
  • Trades Union membership

Why we collect and use your personal data

1.  For employment and engagement purposes: to provide you with work, learning and development and support services, assess your work, record your progress and confer awards
What's our legal basis?
  • For most of these activities we need to process your data to fulfil a contract or service agreement you have entered into with us
  • If you register your interest in receiving information about suitable vacancies, or optional free or membership services, e.g. sports facilities, you can opt into communication about these and withdraw your consent to them at any time
  • The University Charter and Statutes gives us legal authority to process your personal data where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University as Data Controller; For example: to publish details of our academics’ research activities on our website
  • If we seek your feedback on your experience of working at the University, through surveys, focus groups or other engagement activities, you can chose to participate and withdraw your consent at any time.

If you have applied to us through another agent such as a recruitment agency or head-hunter we will have received the information that you have provided to them.

We collect and use your information to:

For candidates

  • Enable us to notify you of suitable vacancies you may be interested in

For applicants

  • Employ or engage you
  • Conduct recruitment and selection assessments as appropriate

For employees and workers

  • Employ or engage you
  • Monitor and manage performance and attendance, conduct assessments where appropriate
  • Reward and remuneration purposes, e.g. promotions, re-grading etc
  • Provide confirmation of awards such as Spirit of HWU
  • Provide training and development opportunities via internal and external trainers
  • Give you access to IT, library, mentoring, social, sport, catering, archive, and other services to the University community
  • Deal with grievance, capability and disciplinary matters promptly and fairly
  • Seek your feedback on our working environment, terms and conditions, workplace opportunities and facilities

For contractors and suppliers of services

  • Engage you to provide services

2.  For administrative and financial purposes: to administer all aspects of your pay, pension and benefits

What's our legal basis?

  • We need to process your data to fulfil a contract you have entered into with us

This may include:

  • Pay, pensions and benefits including salary sacrifice schemes, expenses
  • Fees and payments
  • Catering services
  • Club and facility memberships
  • Certificates of sponsorship and visas

3.  To meet our duty of care to you and our legal obligations

What's our legal basis? Where this is necessary to:

  • Comply with a legal obligation; this may be under employment, social security and social protection law, immigration law or another statutory duty
  • Protect vital interests in an emergency
  • Exercise or defend legal claims or comply with court judgements
  • Provide medical and health services
  • Protect public health
  • Comply with legal duties in the substantial public interest e.g. for equality monitoring


  • To meet our legal duty of care to you under health and safety and safeguarding laws
  • To provide counselling and occupational health services
  • To protect your vital interests or someone else’s e.g. in a medical emergency
  • To comply with a statutory obligation e.g. under relevant tax or immigration law
  • To meet our obligations under equality law. Under the UK Equality Act 2010, we need to collect sensitive personal data about our applicants and employees on UK campuses to assist with monitoring equality of opportunity and eliminating unlawful discrimination. We hold this information in strictest confidence and only disclose it, again in confidence, to bodies with a statutory duty to collect it, like HESA. You can choose whether you want to provide information for this purpose. If a worker, employee or applicant declares that they have a disability, we have a duty to disclose this information on a need-to-know basis to appropriate staff to ensure that reasonable adjustments are made, enabling disabled employees to meet their full potential and to work safely.

4.  For public safety and the prevention and detection of crime

What's our legal basis?

  • Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences
  • Where required by law
  • For the safeguarding against and the prevention of threats to public security

Processing for these purposes includes:

  • Use of CCTV systems to monitor and collect visual images
  • Reporting incidences of suspected criminal activity to the Police
  • Use of Disclosure Scotland or other Criminal records or Disclosure services prior to appointment to relevant posts
  • Monitoring use of IT facilities
  • Applying security, welfare and other procedural measures where necessary for the safety and security of employees and workers, students and the wider University community under health and safety and other relevant laws

5.  To promote the University

What's our legal basis?

  • Where we have your consent
  • Where necessary for archiving purposes in the public interest

We may take photographs, and other images and recordings of employees and workers for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of promotional material in the University Archive as a record of University life down the years.

6.   For archiving and research

What's our legal basis?

  • Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

While always protecting your rights to privacy we will:

  • Keep a permanent archival record of your time working with us
  • Retain copies of promotional material and other records of University community life that may include images and other data about you
  • Support academic research under strict confidentiality
  • Produce management and statistical information to monitor and improve our performance and our services to you and inform strategic planning, e.g. for recruitment and retention

Who your information may be shared with and why

We may publish or share your personal data only where we have your consent or where one of the following conditions are met.
We may appoint people and organisations to work for us and contract with them to act as data processors on our behalf under a duty of confidentiality to ensure the security of your data for any of the above purposes. Examples include:
  • Members of the University Court, e.g. Remuneration Committee
  • Recruitment Agencies and Executive Search companies
  • Pensions providers
  • Payroll service providers
  • Health and wellbeing services
  • Other advisory services, e.g. Financial Advisers, Immigration support
  • Training Providers
  • IT Services including:
    • HR Systems supplier
    • Payroll systems supplier
    • Email service providers
    • Hosting communications services
    • IT systems maintenance
    • Safety and incident management systems

For appointment, employment or engagement services

We will also disclose limited personal data where this is necessary for the following reasons:

  • Verify your employment history and relevant qualifications, e.g. in a reference for a potential employer or agency
  • Verify your tax status for, e.g. IR35 supplier purposes
  • Enable you to participate in the Staff Survey, or other official surveys that give us your feedback on our working practices, environment, leadership and facilities
  • Provide references to other employers where requested

For academic purposes

If you are employed as a Graduate Level, Trades or Modern Apprentice: or you are undertaking a formal qualification as part of your job role, e.g. PGCAP; ILM etc.

  • With a partner institution to deliver a programme collaboratively or jointly between the University and the partner institution. For example, an Approved Learning Partner
  • With our external examiners: to check that our assessment of your work is fair
  • For official independent assessment of our programmes e.g. by the QAA

And to:

  • Verify your employment history and relevant qualifications, e.g. in a reference for a potential employer or agency
  • Confirm your attendance, progress and assessment marks to your sponsor or the institution through which you are studying (if this is not Heriot-Watt University)
  • Enable you to participate in official surveys that give us your feedback on our working practices, environment, leadership and facilities

To meet our legal obligations to you and to other organisations

We will:

  • Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s e.g. in a medical emergency
  • Submit statistical returns to the government or its agencies, including the Scottish Funding Council, and other official bodies, such as the Higher Education Statistics Agency (HESA). This may include sensitive data for equality monitoring purposes. You can find a copy of the HESA Data collection notice 
  • Meet a statutory or regulatory obligation, e.g. a court order; debt collection, arrestment of wages, etc
  • Comply with immigration laws. This involves disclosure and data sharing with UK Visas and Immigration; about applicants and staff at UK campuses who are subject to immigration law and about applicants and staff at our Dubai and Malaysia campuses to the relevant government authorities
  • Provide limited information necessary to an organisation with a statutory function, such as the police, Home Office or other Government Agency; Disclosure Scotland or other relevant disclosure services, where this is necessary for law enforcement

International data transfers

As a global organisation we need to process your personal information in a country other than the UK, where you may be working temporarily, when this is necessary to provide you with work in accordance with your contract of employment, meet a legal obligation, fulfil a contract with you, or we have your consent. For example if you apply to Go Global or another exchange programme, staff at the campus or institution you are applying to will need to process your data.
When doing so, we:
  • Make sure that appropriate safeguards are in place to protect your information and your rights under privacy law
  • Apply the same high standards of privacy and security wherever we process your data

Automated decision making

We do not take any decisions about you that would affect your application for and employment based solely on automated processing or profiling.

How long we keep your data

We keep information about you only for as long as needed during your employment/ engagement with us and meet our legal obligations and rights. Almost all your personal data is destroyed securely 6 years after you leave the University. We keep a limited permanent record of your attendance as set out in our Retention Schedule, what jobs you undertook and any personal achievements/awards so that we can verify this as needed, and for archival purposes. More information about how long we keep your personal data and why can be found on our Manage Information page.

Your rights

You have the right to:

  • Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request 
  • We may make a charge for additional copies of the same information Ask us to correct inaccurate or incomplete data if it is not part of the Employee Self-Service facility on our HR Information System

If you think we are acting unfairly or unlawfully you can:

Under certain conditions you also have the right to ask us to:

  • Restrict the use of your data e.g. if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns
  • Erase your information or tell us to stop using it to make decisions about you
  • Comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing;
  • Provide you with a portable electronic copy of data you’ve given us

Data Protection Officer and contact details

If you have any questions about what we do with your personal information or your rights under privacy laws, you can contactus at the addresses below.

Find out more about your rights under privacy law

In our Data Protection Policy and our webpages.

Find out about our Information Security policies and procedures.

On the website of the UK Information Commissioner's Office.

Key information

Ann Jones

Helen Hymers

Helen Hymers