GDPR Privacy Notice for Employees | St. Lawrence University

GDPR Privacy Notice for Employees

2018 GDPR PRIVACY NOTICE FOR EMPLOYEES

THIS NOTICE DESCRIBES HOW YOUR PERSONAL DATA MAY BE PROCESSED BY ST LAWRENCE UNIVERSITY (“SLU,” “WE,” “OUR,” AND “US”), AND WHAT YOUR RIGHTS ARE WITH RESPECT TO YOUR PERSONAL DATA. PLEASE REVIEW IT CAREFULLY. FOR THIS PURPOSE, THE TERM “EMPLOYEE” INCLUDES FACULTY, OTHER EMPLOYEES, GOVERNING BOARD MEMBERS, STUDENTS, VOLUNTEERS, CERTAIN INDEPENDENT CONTRACTORS, AND CERTAIN OTHER INDIVIDUALS PROVIDING SERVICES TO SLU. THE TERM “EMPLOYMENT” INCLUDES, BUT IS NOT LIMITED TO, FULL OR PART-TIME EMPLOYMENT, AN APPOINTMENT, ACCEPTANCE AS A VOLUNTEER, SERVICE AS A CONSULTANT, ETC.

This Notice is being provided to you in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679, or the “GDPR”).

What is “Personal Data” and “Processing”?

Under the GDPR, “Personal Data” means any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject is a natural person who can be identified, directly or indirectly, by reference to Personal Data. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” have a corresponding meaning.

The GDPR prohibits the processing of “special categories” of Personal Data unless certain exceptions apply, because the unauthorized use of this type of Personal Data could create more significant risks to a Data Subject’s fundamental rights and freedoms. For example, an unauthorized disclosure of “special categories” of Personal Data may put Data Subjects at risk of unlawful discrimination. For this purpose, processing of “special categories” of Personal Data includes processing of: (i) Personal Data that reveals; (A) racial or ethnic origin, (B) political opinions, (C) religious or philosophical beliefs, or (D) trade union membership; or (ii) (A) genetic data, (B) biometric data for the purpose of uniquely identifying a natural person, (C) data concerning health, or (D) data concerning a natural personal’s sex life or sexual orientation.

How and When Do We Collect Your Personal Data?

We may lawfully collect your Personal Data in a number of ways for legitimate purposes. For example, we may collect your Personal Data: (i) from the information you provide to us when you interact with us before applying (e.g., when you express your interest in working at SLU); (ii) when you apply for a position at SLU and complete employment forms or other documentation; (iii) when you communicate with us by telephone, email or via our website (e.g., in order to make inquiries or raise concerns); (iv) when you interact with us during your time as an employee at SLU, for one or more of the purposes set out below; and (v) from third parties (e.g., from recruitment organizations, government agencies in connection with visas, or from your previous college, university, or employers), who may provide records or a reference about you. In addition, we may, to the extent permitted by law, monitor your computer and telephone use. Failure to provide any Personal Data reasonably requested of you may result in an automatic disqualification from the recruitment and/or application for employment process.

The Types of Personal Data We Collect

We may process the following types of Personal Data about you that are described in the Notice, to the extent we obtain it in connection with your employment or other interaction with us and to the extent permitted by law. Such Personal Data might include: (i) your name, and contact information (i.e., local and permanent address, email address and telephone number); (ii) your date of birth, gender and gender identity, Social Security number or taxpayer identification number; (iii) insurance information; (iv) your passport or national identity card details; (v) your country of domicile and your nationality; (vi) your unique employee identification number; and (vii) information relating to your education and employment history, including the school(s) and other colleges or universities you have attended, places where you have worked, the courses you have completed, dates of study and examination results. We also might collect and keep: (i) records relating to your work product, and other information in your employment record (including disciplinary records); (ii) information about both academic and extracurricular interests and activities; (iii) information about criminal convictions and offenses; (iv) information concerning your health and medical conditions (e.g., disability and dietary needs); (v) information about your racial or ethnic origin, religion or similar beliefs, and/or sexual orientation; and (vi) information about your personal or family circumstances.

We also might collect: your recruitment information (including your original employment application form and associated information submitted at that time); other data relating to your recruitment (including your offer of employment or appointment letter and related correspondence, references we collected in relation to your appointment, and any pre-employment assessment of you); and evidence of your right to work in the United States (or, if applicable, another country).

We generally collect your Personal Data, which could include, but is not limited to, your photograph; your current and any previous job descriptions; your current and any previous contracts of employment and related correspondence; your training and development qualifications, requests and requirements; records of your performance appraisals; records, where they exist, of any investigation or review into your conduct or performance; records of absences from work (including, but not limited to, annual leave entitlement, sick leave, parental leave and bereavement leave); correspondence between you and SLU, and between other SLU employees, regarding any matters relating to your employment and any related issues (including, but not limited to, changes to duties, responsibilities and benefits, your retirement, resignation or exit from SLU, and personal and professional references provided by SLU to you or a third party at your request).

We also may collect: certain banking information from you; details related to your employee benefits, including your pension and beneficiary information; your current and previous salary and other earnings (e.g., maternity pay, disability, and overtime), and the amounts you have paid in payroll taxes; and correspondence between you and SLU, and between other SLU employees, relating to your pay, benefits and other remuneration. For example, we maintain records of your use or enrollment in any employee benefits provided by us, which we may collect in the aggregate and monitor to review the effectiveness and desirability of our employee benefit offerings. The legal basis for this processing is that it is in our legitimate interest to ensure that any employee benefits offered by SLU represent good value for money to both you and us. Finally, we might collect the details of your preferred emergency contact, including his or her name, relationship to you, and his or her contact details.

How Your Personal Data Will Be Used

As your employer, SLU needs to keep and process information about you (including your Personal Data) for normal employment purposes. The Personal Data we hold and process will be used lawfully for our management and administrative use. We will keep and use it to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, while you are working for us, and throughout the period you provide services to us, up until the termination of our employment relationship with you. This includes using Personal Data to enable us to comply with any employment contracts, collective bargaining agreements, severance agreements, and similar contracts, to comply with any legal requirements, pursue our legitimate interests as an employer, and protect our legal position in the event of legal proceedings. The legal basis for processing your Personal Data is that it is necessary for you to be employed by us as an employee, where you will be subject to our governing documents. If you do not provide the Personal Data we request, we may be unable, in some circumstances, to comply with our obligations, and we will tell you about the implications of that decision.

Much of the Personal Data we process will have been provided by you, but some Personal Data may come from other internal sources (e.g., other employees, governing board members, or students, as applicable), previous employers, or in some cases, external sources.

We generally will not access personal data about you from social media sites, unless there is a legitimate interest for us to do so and it is done in a lawful manner (for example, if the role you have applied for has a significant public-facing element to it, or is involved with publicity and presenting us to the general public). Consequently, we do not routinely screen applicants’ social media profiles, but if aspects of your social media profile are brought to our attention and give rise to concerns about your suitability for the role in question, we may need to consider them.

How We Share Your Personal Data

For the purposes referred to in this Notice and relying on the lawful bases for processing as set out above, we may share your Personal Data with certain third parties in accordance with applicable law. We may disclose limited Personal Data to a variety of recipients if we determine it to be appropriate and lawful, including: (i) the U.S. Department of Education, the U.S. Department of Labor, the Internal Revenue Service, other federal agencies and relevant state agencies and/or offices; and (ii) other individuals where there is a legitimate reason for their receiving the information, including disclosures to: (a) third parties who work with us to provide employment services; (b) third parties who work with us to provide employee benefits (e.g., health, dental, retirement, and fringe benefits); (c) third parties who are contracted to provide IT services for us; (d) organizations operating anti-plagiarism software on our behalf; (e) internal and external auditors, attorneys, and other professional service providers; and (f) certain third parties interested in tracking employee progress, including: (1) current or potential education providers; (2) current or potential employers (e.g., to provide references); (3) professional and regulatory bodies in relation to the confirmation of qualifications, professional registration, conduct, and the accreditation of courses; (4) government departments and agencies where we have a statutory obligation to provide information; (5) police or law enforcement agencies; (6) next-of-kin (where there is a legitimate reason for disclosure); (7) third parties conducting surveys (e.g., a compensation survey); and (8) third parties engaged in fundraising and alumni relations efforts on our behalf.

Retention of Your Personal Data

Your Personal Data will be stored in accordance with our records retention policy, which is governed in part by New York and/or Federal law, and is available at [HYPERLINK].

Your Rights with Respect to Your Personal Data

Under the GDPR, you have a number of rights with respect to your Personal Data. You have the right, in certain circumstances, to request: (i) access to your Personal Data, (ii) rectification of mistakes or errors and/or erasure of your Personal Data, (iii) that we restrict processing, and (iv) that we provide your Personal Data to you in a portable format.

In certain circumstances, you also may have the right to object to our processing of your Personal Data.

If SLU requested, and you provided your explicit consent for the processing of your Personal Data, you have the right (in certain circumstances) to withdraw that consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before your consent was withdrawn.

If you would like more information about, or if you would like to exercise any of these individual rights, please contact our Data Protection Officer (contact information is below).

Questions/Concerns/Complaints

If you have questions, concerns or complaints about how we are using your Personal Data, we may be able to resolve your complaints, and we request that you contact the Data Protection Officer (contact information is below). You also have the right to lodge a complaint with the applicable Supervisory Authority (available here) if you believe that we have not complied with the requirements of the GDPR with regard to your Personal Data, or if you are not happy with the response you receive from us regarding your complaint.

Relevant SLU Contacts

SLU may be a “controller” and also may be a “processor” (as those terms are used in the GDPR) of your Personal Data for the purposes of the GDPR. If you have any questions or concerns as to how your Personal Data is collected and/or processed you can contact: Vice President for Community and Employee Relations Lisa Cania, lcania@stlawu.edu