Skip to main content
Chapter:
4 - Information Technology
Contact:
Data Privacy and Compliance Officer
Approved Date:
January 23, 2019
Effective Date:
January 23, 2019

This Staff Privacy Notice explains how UCEAP (“we” or “us”) collects and processes your Personal Data in connection with your work with us; how we use, store, transfer and protect this Personal Data; and your rights in relation to this Personal Data.

The term “Personal Data” is defined in this policy as any information that enables us to identify you, directly or indirectly, by reference to an identifier such as your name, identification number, location data, online identifier, or one or more factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity.

This Privacy Notice applies to all Personal Data we collect or process about you in the context of your relationship as a current or former employee, worker, contractor, secondee from another organization, volunteer, or intern at one of our locations abroad. This notice will inform you of:

Who We Are

For the purposes of the General Data Protection Regulation 2016/679 (the “GDPR”), The Regents of the University of California (“University” or “UC”) of 1111 Franklin Street, Oakland, California 94607, is the data controller for all Personal Data that it holds and processes, except where it is done in the capacity of a data processor on behalf of another data controller.

For the avoidance of doubt, references to “employees” and “your employment” in this Privacy Notice are for the purpose of this Notice only and nothing in this Notice shall constitute an agreement between UCEAP and any consultant, independent contractor, or agent that they are or were an employee or worker of UCEAP or the University of California, to the extent permitted by applicable local law.

How We Collect Personal Data

UCEAP obtains Personal Data about you in the following ways:

  • Collected from you directly, from your application and the recruitment process; we will also request information from you as part of the onboarding process and throughout your engagement with the organization;
  • Generated by us about you, such as information we create in the context of your employment, or other interactions with UCEAP; and
  • Obtained by us from third party sources, such as employment agencies, references, and background check service providers as permitted by law.

Categories of Personal Data That We May Collect Directly From You

  • Personal details, such as your name and date of birth.
  • Contact information, such as your home address, email address, and phone numbers.
  • Demographic details, such as your age, gender, marital status, dependents, national origin, and current nationality.
  • Immigration and Identification information, such as your visa, work permit, social security or tax identification number, passport number, or other government-issued identification number.
  • Emergency contact details, such as you may provide (e.g. spouse, sibling, etc.).
  • Financial information, such as bank account names and numbers.
  • Job application information, such as CV/resume, employment history and references.
  • Travel Information, such as location and dates of travel.

Categories of Personal Data That We May Generate About You

  • Contract and employment records, such as service dates, job title, job description, work hours/schedule, work location, employee ID number, compensation, leave entitlements and use records, time and attendance records, job performance information, benefits entitlements and enrollments, training and professional development records, and disciplinary and grievance procedures.
  • Images of you, including your likeness, image, or appearance in any images, photographs, digital, video, or audio recordings that may be captured during the course of your work and used in internal publications and program promotional materials.
  • IT login and email address, such as may be assigned to you by us.

Categories of Personal Data That We May Obtain from Third Parties About You

  • Employment information, such as prior employment information and references.
  • Information relating to unlawful activity, such as may be collected and processed as part of the recruitment process (and where permitted by local law).
  • Health Information, such as may be provided to accommodate disability and other health needs.

Special Categories and Other Sensitive Types of Personal Data That We May Collect and Use

Some of the categories of Personal Data that we collect are considered “special categories” of Personal Data under European Union law. In particular, we may process the following special categories of Personal Data:

  • Information about works councils and trade union memberships, such as information processed in the context of collective agreements and related negotiations.
  • Health Data, including information regarding health conditions, mobility disabilities, and special needs accommodations.
  • Information about an individual’s sex life, such as may be collected in certain investigations of unlawful activity in accordance with university policies.
  • Information relating to unlawful activity, such as data relating to arrests or criminal offenses.

How We Use Personal Data

UCEAP uses your personal information for a range of contractual, statutory or legitimate interest purposes, including the following:

  • To enable UCEAP to enter into and administer your contract of employment or other contractual document relating to your engagement with UCEAP. Specific use includes, but is not limited to, to support HR administration and processes (payment of salary and administration of benefits, time and attendance, leaves etc.); to provide training and development; to allow you access to University of California/UCEAP systems; and related processes associated with your relationship with UCEAP. Our basis for doing so is the performance of the contract we have with you.
  • To comply with legal obligations and exercise our rights. Specific use includes, but is not limited to, verification of your legal right to work, eligibility determination and administration of statutory leave and/or pay you may be entitled to under relevant regulations or local policies, disability accommodation, processing of payroll tax, administration of mandatory benefits, and for equal employment opportunities monitoring where required. This processing is necessary to allow UCEAP to carry out its legal and contractual obligations.
  • To process and deal with any complaints or inquiries made by you or legally on your behalf. This processing is necessary for defense of legal claims.
  • To meet UCEAP’s legitimate interests. Specific use includes, but is not limited to, strategic planning; policy development; management of staffing budgets; benchmarking; administration of health, safety and security; to support decision-making about your role, position and compensation; to maintain records of employment; to evaluate job performance and identify training opportunities; to manage and document disciplinary actions; to communicate with you on a daily basis; to operate and maintain IT and other communications systems; to enable reporting systems and statistical analysis; to promote your work and/or UCEAP through the use photographs, video or other digital images; and to engage your participation in events and other activities organized in support of the UCEAP’s programs and development objectives. This processing is necessary to serve our legitimate interests relating to the governance, management and operation of UCEAP. In some contexts we may rely on your express consent to process such data.

Purposes and Legal Basis for Processing Special Categories of Data

  • Information about works councils and trade union memberships, such as information processed in the context of collective agreements and related negotiations. This information is processed for the purpose of ensuring employment terms and conditions and the employment relationship are managed in accordance with the relevant collective agreement.
  • Health data. To the extent we process health data, we do so to provide you with the statutory leave and/or pay you are entitled to under the relevant regulation or policy and manage any related administration. In the case of information relating to disability, we process such data to make reasonable accommodations needed to support you at work. Our basis for doing so is compliance with social obligations laws or where there is a substantial public interest in providing such services or accommodations. In the event of an emergency in which you are incapacitated or otherwise unable to consent, we may share your health data with healthcare providers or emergency contacts to protect your vital interests. Additionally, in some contexts we may rely on your express consent to process such data.
  • Information about an individual’s sex life. To the extent we process sensitive data about the sex lives of individuals, we do so only in the context of investigations of alleged unlawful behavior. Our basis for doing so is that the processing is necessary for the defense of legal claims and that it serves a substantial public interest. To the extent such investigations do not specifically involve special categories of data, our basis for such processing is that it is necessary to serve our legitimate interests in complying with our legal obligations.
  • Information relating to unlawful activity. To the extent we request and process information relating to arrests or criminal offenses, we do so as part of our pre-employment screening in accordance with applicable European Union or local law.

Who Has Access to Personal Data

We treat your Personal Data with care and confidentiality. Your Personal Data will only be available for the purposes mentioned above and only to employees on a need-to-know basis and to the extent reasonably necessary to perform their functions.

We may share your Personal Data with third parties under the following circumstances:

  • University of California in the US. Our international offices work closely with our US-based operations. As a result, your Personal Data will be shared with colleagues within the University of California, but only where it is necessary for them to undertake their duties with regard to administration and activities in the context of your relationship and role with UCEAP.
  • Service providers and business partners. We may share your Personal Data with service providers or business partners including host institutions, payroll providers, accounting firms, benefit service providers, and insurance companies. Other examples include companies assisting us with legal advice, staff surveys, and benchmarking.
  • Law enforcement agencies, courts, regulators, government authorities or other third parties. We may share your Personal Data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party. For example, relevant governmental departments or agencies, including those responsible for tax and immigration.
  • Family and Emergency Contacts. We may share your Personal Data with these parties in emergency situations (e.g. evacuations, illness or serious injury).

Because we operate internationally, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we provide the services). Please refer to the section below on “Transfer of Personal Data outside of the European Economic Area” for more information.

Transfer of Personal Data

Your Personal Data may be transferred to, stored, and processed in a country (such as the United States, where the University of California is located) that is not regarded as ensuring an adequate level of protection for Personal Data under European Union law.

We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us via email at privacy@ueap.universityofcalifornia.edu.

How We Store and Protect Personal Data

We implement technical and organizational measures to ensure a level of security appropriate to the risk to the Personal Data we process. These measures are aimed at ensuring the ongoing integrity and confidentiality of Personal Data. We evaluate these measures on a regular basis to ensure the security of the processing.

We will store your Personal Data, in a form which permits us to identify you, for no longer than is necessary for the purpose for which the Personal Data is processed. Retention timelines will be determined in line with the UC Records Retention Schedule.

How to Exercise Your Rights

Where applicable under local law, you may have certain rights regarding your Personal Data. Where applicable, you have the right to access Personal Data UCEAP holds, and in some situations, you have the right to have that Personal Data corrected or updated, erased, restricted, or delivered to you or a third party in a usable electronic format (the right to data portability). Where applicable, you may also object to how UCEAP uses your Personal Data if the legal basis for processing that information is our legitimate interest.

Where we are using your Personal Data on the basis of your consent, where applicable under local law you have the right to withdraw that consent at any time. You also have the right to register a complaint to the supervisory data protection authority of the country in which you are working, where applicable. If you wish to exercise these rights or to notify us of a change in your personal details, or if you have any questions on the content of this Notice, please contact us at privacy@ueap.universityofcalifornia.edu.

Staff Telecommunications Monitoring

UCEAP may carry out lawful monitoring of its IT systems where this is permitted by law. This is in order to comply with the law and applicable regulations, to ensure appropriate use of UCEAP’s IT systems, and to ensure compliance with other University policies.

UCEAP will not monitor staff without first notifying you of how and why UCEAP intends to undertake monitoring and what the information will be used for, as required by applicable law, except in limited circumstances as provided for in the UC Electronic Communications Policy.

Personal Data obtained through monitoring will only be used for the purpose for which the monitoring was carried out, except where a potential risk to the UCEAP has been identified, such as serious misconduct or a breach of health and safety rules.

Changes to This Privacy Notice

Any changes we make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by e-mail.

Questions or Concerns?

If you have any data privacy questions or concerns relating to this Privacy Notice, please reach out to us via the contact information listed at the main Policy webpage.