This page explains how Cancer Research UK uses personal information about current members of staff, contractors, and secondees.
We may collect, store and use the following categories of personal information about you.
Personal contact details such as name, title, addresses, telephone numbers and personal email addresses
Date of birth
Gender
Marital status and dependents
Other protected characteristics as discussed below
Next of kin and emergency contact information
National insurance number
Bank account details, payroll records and tax status information
Salary, annual leave, pension and benefits information
Location of employment or workplace
Name of employer
Recruitment information (including copies of right to work documentation, references and other information included as part of the application process)
Employment records (including job titles, work history, working hours, training records and professional membership)
Compensation history
Performance information and career development
Disciplinary and grievance information
CCTV footage and other information obtained through electronic means (including swipe card records)
Information about your use of our information and communication systems
Photographs
We process information we hold on our staff, the staff of organisations we may provide services to, volunteers and contractors for recruitment, onboarding and training, day-to-day management (including performance management) and communication, pay, disciplinaries, remuneration, workforce planning and all other personnel matters which necessarily involve personal information. The legal basis for us to do so will either be to enable us to perform our employment or services contract with you, monitoring diversity of opportunity or, in some cases, to allow us to pursue our legitimate interests in running CRUK and providing services to other organisations. Where we are collecting information from you for the purposes of performing your employment contract, we may be legally obliged to obtain certain information, and if you refuse to provide us with certain personal information, this may affect your employment. We will always seek to use your information in full compliance with applicable data protection laws. If we were to ever sell or transfer any part of our business or operations, or transfer service provision to another provider your personal information may also be processed (and disclosed to third parties) in connection with this.
Yes, this type of personal information is shared with other companies who provide IT infrastructure and/or HR-related services so that they can process this on our behalf. These include businesses which provide our cloud-based business application and e-mail systems, businesses running payroll systems or those providing a secure facility for the storage of HR records, and the provider of CRUK’s pension scheme. CRUK has carried out security checks on all third parties it uses and has contracts in place requiring these data processors to adopt appropriate security measures. CRUK only permits third-party service providers to process your personal data for specified purposes and in accordance with CRUK's instructions. Some of these companies are located outside the EEA, for example in the United States. Where this is the case, we use approved methods to ensure that your data is protected to the standard required by current UK/EU data protection laws. With your consent, we may also provide limited information upon request for a reference. These may come from prospective employers, further education institutions, mortgage providers or other bodies. (Please refer to the References Policy for further information). Other than the above, we will not generally share your personal information outside of CRUK. However, in some situations, we may be required to do so by law. If we determine that this is the case, then, where possible, you will be informed. Where practicable, you will then have 10 working days from receipt of this notification to ask for a review. The most common sources of requests we may be legally required to comply with come from:
HMRC;
the Child Support Agency;
the Police and other law enforcement agencies;
Job Centre Plus;
the Department for Work and Pensions;
the Financial Conduct Authority
Yes, we carry out a range of monitoring activities which are detailed in our Employee monitoring privacy notice.
As you will be aware, some types of HR data are sensitive. Some of these have special protected status under data protection and other laws. These are referred to as "special categories" of data. We are allowed to use this type of information for administering your employment provided that we provide you with a policy document (this document) explaining:
the reasons why we need to do so and how this information is protected; and
letting you know how long we keep this information.
We have set out the relevant types of information in the table below, in each case with an explanation of what we use these for specifically. All such information will be stored securely. How long we keep this information for will depend on the context in which we’re using this information – please see the “Retention” section below for further details. We may or may not use this information for other purposes where you chose to disclose this.
Type of information | What we use this for |
Race including ethnicity and nationality | We will request this information as part of the recruitment process and hold it as part of your record of employment. You do not have to provide us with this information if you would prefer not to. We process this information for equalities monitoring purposes, but will not use this information for anything else unless we have your consent to do so. |
Religious/philosophical beliefs | We will request this information as part of the recruitment process and hold it as part of your record of employment. You do not have to provide us with this information if you would prefer not to. We process this information for equalities monitoring purposes, but will not use this information for anything else unless we have your consent to do so. |
Health information | We collect this information in order to manage sickness absence at an individual and organisational level, to provide occupational health services and any other circumstance where information on the personal health of an employee is disclosed. If you would prefer not to provide us with this information, please discuss this with your line manager and/or HR business partner as in some circumstances there may be a legal or Health and Safety requirement to do so. We may also collect this information as part of the recruitment process and on an ongoing basis for equalities monitoring purposes. |
Sexual orientation/gender identity | We will request this information as part of the recruitment process and hold it as part of your record of employment. You do not have to provide us with this information if you would prefer not to. We process this information for equalities monitoring purposes and trend analysis, but will not use this information for anything else unless we have your consent to do so. |
Criminal history/convictions | We may collect this information as part of the recruitment and onboarding process where appropriate given the nature of your role and where we are legally able to do so, to ensure CRUK makes safe recruitment decisions. |
CRUK does not set out to obtain or use special categories data not listed above. However, if you choose to provide this information to CRUK (for instance by including it in your CRUK e-mails or other business systems), you should be aware that CRUK will store this information in line with its retention policies for that system and with this notice. CRUK will treat types of personal information which are sensitive but not special categories of data (such as your financial details) with a level of care and security appropriate to the information concerned.
CRUK has a number of EDI networks which are working together to improve the inclusivity of our employment practices. As these networks are based around protected characteristics it is likely that if you engage with them, they will collect information about you which is related to these characteristics. In addition, some staff volunteer as traditional or mental health first aiders, and you may provide them with information relating to your health in order for them to provide you with support. The networks and volunteers are expected to ensure that this information, and anything else you share with them is treated appropriately.
We keep HR data for the following periods, unless we have a specific legal reason to keep it for a different period:
Type of information | Length of retention |
Employment record/personnel file on Workday | 6 years from employment/engagement ceasing |
Employee health records | 6 years from employment ceasing |
Records of employees under Health Surveillance | 40 years from the date of last entry |
CVs, covering letters, application forms and interview notes for unsuccessful candidates | 1 year from date of interview |
CVs, covering letters, application forms and interview notes for successful candidates | 6 years from employment/engagement ceasing |
