The Rhodes Trust collects and processes personal data relating to its employees, contractors and temporary workers. We keep aspects of these records for varying lengths of time, both electronically and physically. Our principles are simple – we will be transparent about the data we are collecting, how we use the information we hold about you.
We collect and process your data for a variety of reasons, if you apply to work for us as an employee or contractor and to manage the employment relationship.
If at any point you have questions about this privacy notice, or how we are using your data, please contact us.
1. About this privacy notice
The purpose of this privacy notice is to explain how the Rhodes Trust ("the Trust", "we", "our", "us") holds and uses personal data about our workforce and any applicants for roles with us ("you"), and how we use it for the purposes of meeting our legal obligations and in connection with our broader working relationship with you.
The Rhodes Trust includes both the offices at Rhodes House in Oxford and our international offices, and across these offices (and related programmes) Rhodes Trust will also engage contractors, casual workers, interns and volunteers (including selectors for its programmes) as well as employees. This notice applies to all such individuals, whether or not employed by the Rhodes Trust, but does not itself confer any status of employment.
2. The data we collect about you
We collect information about you from a variety of sources. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit and payroll forms); from correspondence with you; or through interviews, meetings or other assessments.
In some cases, the organisation collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies, information obtained from social media monitoring and information from criminal records checks permitted by law. We may hold and process the following types of personal data about you:
- Personal contact details (such as your name, address and contact details, including email address and telephone number, date of birth, gender, marital status and dependents, next of kin and emergency contact information);
- the terms and conditions of your employment;
- recruitment information (including copies of identity documentation, right to work documentation, references and other information included in a CV or cover letter or as part of the application process),
- employment records (including job titles, qualifications, skills, work history including start and end dates with the organisation, working hours, training records and professional memberships)
- information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
- details of your bank account and national insurance number;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record and other vetting or background checks;
- details of your schedule (days of work and working hours), and attendance at work periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence.
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
- CCTV footage and other information obtained through electronic means such information about your use of our information and communications systems and your photograph (either provided by you, by other employees, or taken during events at Rhodes House) and;
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
- Sensitive personal data:
We may also need to process information you provide or that we fairly obtain about your criminal convictions and offences (including alleged offences), your health (including any medical condition, health and sickness records), race, ethnic origin, religious beliefs, sexual orientation, political opinions and trade union memberships (“Special Category Data”).
3. How we use your personal data
The Trust needs to process data to enter into an employment contract (or other terms of engagement) with you and to exercise its rights and meet its obligations under that contract. For example, it needs to process your data to provide you with an offer or contract, to pay you in accordance with your contractual entitlement, and to administer benefit, pension and insurance entitlements.
In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws, to enable employees to take periods of leave to which they are entitled, and to consult with employee representatives if redundancies are proposed or a business transfer is to take place.
For certain positions, including volunteers and selectors in certain roles, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question. It may also be necessary to process criminal records data in the context of disciplinary or grievance proceedings, for example to investigate and take appropriate action if you are suspected of committing an offence (whether at or outside work).
We may also need to process your data to:
- run recruitment and promotion processes;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- ensure employees (and others subject to them, such as selectors) are complying with relevant policies and procedures;
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental leave, shared parental leave, and parental bereavement leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- ensure effective general HR and business administration;
- conduct employee engagement surveys;
- provide references on request for current or former employees;
- respond to and defend against legal claims;
- ensure the safeguarding of children and vulnerable adults, where applicable; and
- maintain and promote equality in the workplace.
Internal and external communications
We also use your personal data in the following ways:
- to publish a photograph on the Rhodes internal systems;
- with your permission, we may use photographs of you in public-facing material – e.g. on the website, in printed material, or in social media posts; and
- we will contact you about events and opportunities that may interest you (where relevant to your employment, or otherwise in accordance with your preferences) and any scholar materials and communications we deem necessary
Some special categories of personal data, such as information about health or medical conditions, or racial or ethnic origin, is processed to carry out employment law obligations (such as those in relation to employees with disabilities, for health and safety purposes and to ensure that employees have the right to work in the UK).
Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this may also be done for other reasons of substantial public interest as permitted by the Data Protection Act 2018. For example:
- for the purposes of equal opportunities monitoring (you can ask us to stop processing this data at any time);
- in connection with safeguarding or disciplinary functions, processes, and/or investigations.
As noted above, the organisation may process criminal records data to assess your suitability for employment both when you are recruited (through appropriate criminal records checks) and, where necessary and so permitted by law, in the course of your employment.
If you do not wish your data to be used in any of the ways listed above, or have any questions, please contact us on data.protection@rhodeshouse.ox.ac.uk. However, please be aware that we may need to continue processing your data in any event.
4. When and how we share your data
Your information will be shared internally, including with members of the HR and Finance team (including payroll), your line manager, senior managers in the business and IT or estates staff if access to the data is necessary for performance of their roles.
The Rhodes Trust shares your data with third parties to obtain pre-employment references from other employers, obtain employment background checks from third-party providers, obtain necessary criminal records checks, or report suspected offences to the appropriate authorities. The Trust may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to appropriate confidentiality arrangements.
We also share your data with third parties that process data on our behalf in connection with payroll, the provision of benefits, delivery of equipment, furniture or gifts and the provision of occupational health services. Where your work for us is carried out in the context of a programme in partnership with third parties, it may be necessary to share your data with such parties in connection with your role.
Whenever your information is shared, we will always seek to share the minimum amount of information necessary to fulfil the purpose.
International transfers
The Rhodes Trust operates internationally. Most of the personal data we process for our current workforce stays in the UK although some users from the Rhodes Trust, including Rhodes Trust staff within our international offices or in connection with our international programs, may access your personal data held in our IT systems and platforms, including those from outside the European Economic Area (EEA). We may also share data with recognised service providers and others working on our behalf outside the EEA. Sometimes this will be done is necessary for the performance of a contract with you or to implement pre-contractual measures following a request by you. In all cases we will make sure transfers are made securely, and subject to any appropriate safeguards as required by law.
If you work for us in a country outside the UK, we will transfer personal data between that country and the UK. Depending on the country, the use of personal data may also be subject to additional rules and regulations.
If your work for us (whether as an employee or volunteer, contractor, selector etc.) is carried out in connection with one of our international programmes or fellowships – such as The Atlantic Institute, Schmidt Science Fellows or Rise – your personal data may also need to be shared with our partner organisations internationally, either as part of the governance and/or selection process for those programmes or as part of shared IT systems. Again, we will make sure transfers are made securely, and subject to appropriate safeguards.
5. Our legal basis for processing your data
We will only process your personal data where the law allows us to do so. Most commonly we rely on the following legal bases for processing your personal data:
- Where it is necessary to perform a contract, we have entered into with you (the legal basis of “performance of a contract”), for example to pay you;
- Where we need to comply with a legal obligation (the legal basis of “compliance with a legal obligation”), for example to check that you are legally entitled to work in the UK and to provide you with your legal employment rights;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (the legal basis of “legitimate interests”), for example to review and better understand employee retention and attrition rates.
- where it is needed in the public interest (the legal basis of “public interest” or “substantial public interest”), such as for equal opportunities monitoring and reporting or for safeguarding purposes;
- where it is needed in relation to legal claims (the legal basis of “the establishment, exercise or defence of legal claims”), for example at an employment tribunal.
- Where we are required to comply with our legal and regulatory obligations for example with respect to The Charity Commission or the Information Commissioner’s Office in relation to audits or official investigations
- There may be limited circumstances where your consent is required, including in certain cases where sensitive personal data is recorded or in respect of marketing uses. For any processing that requires your prior consent, you can withdraw your consent at any time and the Trust will cease the activity.
We retain your personal data including any Special Category Data while you work for the Rhodes Trust and, after you cease working for the Rhodes Trust, for as long as is necessary to fulfil our contractual obligations to you, for applicable legal, accounting, or reporting requirements and to providing you with information at your request (such as references).
6. Data security
The Rhodes Trust takes the security of your data very seriously and we have appropriate security measures in place to prevent your personal data from being accidentally lost or misused. Access to your personal data is limited to those employees and other third parties who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
7. How long we keep your data
We will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the HR retention periods. When, we no longer need to retain personal information, we ensure it is securely disposed of. We will also keep anonymised statistical data indefinitely. Please contact the HR department for further information on our retention policy (hr@rhodeshouse.ox.ac.uk).
8. Your legal rights
Under certain circumstances, you have the right to:
- Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- Request erasure of your data. This enables you to ask us to delete or remove your data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- Object to processing of your data where we are processing it to meet our legitimate interests (or those of a third party). You also have the right to object where we are processing your data for direct marketing purposes.
- Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want to establish its accuracy or the reason for processing it.
- Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a contractual, legal or statutory requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop.
However, where you have consented to the processing, you can withdraw your consent at any time by emailing hr@rhodeshouse.ox.ac.uk
In this event, we will stop the processing as soon as we can. If you choose to withdraw consent it will not invalidate past processing.
If you have any concerns about how we are processing your personal data, and for further information about your rights, please see the Information Commissioner’s website at https://ico.org.uk/.
9. Contact us
If you have any questions about this privacy notice or about your personal data, or if you want to provide updates to your data or exercise any of your rights as outlined above, please use the details below, and quote your name and, if you are an employee, your employee identifier:
The Rhodes Trust
Rhodes House, South Parks Road
Oxford, OX1 3RG, United Kingdom
Email: data.protection@rhodeshouse.ox.ac.uk
We reserve the right to update this privacy notice at any time. Any changes to this privacy notice will be posted to this page.