Privacy Notice for Applicants

Your Personal Data

The University of Glasgow will be what’s known as the ‘Data Controller’ of your personal data processed in relation to your employment relationship.  This privacy notice will explain how The University of Glasgow will process your personal data.

Why we need it

As part of any (potential) recruitment process the University will collect personal data relating to applicants or those who register an interest in potential vacancies at the University.

This section of the Privacy Notice provides you with the privacy information that you should be aware of before you provide personal data to the University as part of any recruitment process.

This notice does not form any part of any contract of employment or other contract to provide services.

If you have registered for a job alert/to be informed of forthcoming vacancies we will collect your name and email address and details of the roles which you may be interested in.  The information we collate will be what you have submitted to us via our recruitment website or via any direct contact, which you make with the University.

The University collects a range of information about you:

Your name, address and contact details, including email address and telephone number;

details of your qualifications, skills, experience and employment history;

information about your current level of remuneration, including benefit entitlements;

whether or not you have a disability for which the University needs to make reasonable adjustments during the recruitment process;

information about your entitlement to work in the UK; and

equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

The University may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment, including any tests.

The University may also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks. The University will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems including email.

Legal basis for processing your data

We must have a legal basis for processing all personal data. In this instance, the legal basis is contract. 

The University needs to process data to take steps at your request prior to, and in the course of, entering into a contract with you.

In some cases, the University needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The University has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the University to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The University may also need to process data from job applicants to respond to and defend against legal claims.

The University may process information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. This is to carry out its obligations and enable applicants to exercise their specific rights in relation to employment.

The University processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the University is obliged to seek information about criminal convictions and offences. Where the University seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

The University will not use your data for any purpose other than the recruitment exercise for which you have applied.

What we do with it and who we share it with

Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

The University will not share your data with third parties unless your application for employment is successful and it makes you an offer of employment. The University will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.

The University will not transfer your data outside the European Economic Area but in circumstances where referees identified by you are outside the EEA, we will collect this information.

Some HR processes are administered through automated means.

How does the University protect data?

The University takes the security of your data seriously. The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties e.g. IT security policy, encryption policy, all HR policies etc.


Data Sharing with Third Parties

On occasion the University may engage with a third party provider to facilitate some parts of a recruitment process such as the administration of applications and obtaining references.  Should the University be engaging with a third party, this will be made clear to candidates as part of the application process.

We require third parties to respect the security of your data and to treat it in accordance with the law.  The University and must demonstrate that they have appropriate security, safeguards and policies in place to process your data.  

The University will require that any third party storing your data does so securely with access limited to staff who have a requirement to access the data for proper and legitimate purposes to administer the recruitment process.   

To enhance the security of our systems and protect against cyber threats, we may share your data with a trusted third-party cyber security provider.

How long do we keep it for?


Information from potential candidates who have registered/expressed interest in being alerted to job vacancies For 12 months from the date the interest is registered
Applications from unsuccessful candidates For 6 months from the date of appointment of the successful candidate or for 6 months from the conclusion of the recruitment process should no candidate be appointed (save for otherwise required for Home Office Visas and Immigration (UKVI) purposes.)
Applications for successful candidates For 6 years from the date of termination of employment (basic record kept indefinitely for historic purposes)
Equality data which is used for monitoring For 12 months from date of unsuccessful application then anonymised data retained.
Contract of employment  For 6 years from the date of termination of employment (basic record kept indefinitely for historic purposes)  

If you fail to provide personal information

If you fail to provide certain information as part of the recruitment process when requested, depending on the nature of the information which has been withheld, the University may not be able to progress your application.

How we use particularly sensitive personal information

Special categories of sensitive personal information require higher levels of protection.  We may process such data in the following circumstances:

  1. In limited circumstances, with your explicit written consent;
  2. Where processing is necessary for carrying out our obligations and exercising our or your rights in relation to employment;
  3. Where we need to carry out any legal obligations;
  4. Where it is needed in the substantial public interest or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, e.g. for equal opportunities monitoring;
  5. Where processing is necessary for preventive or occupational medicine or for the assessment of the working capacity of the employee

Less commonly, we may process this information where it is needed in relation to legal claims, or where it is needed to protect your interests (and you are not capable of giving your consent) or where you have already made the information public.

What are your rights?

As a data subject, you have a number of rights. You can:

  1. access and obtain a copy of your data on request;
  2. require the University to change incorrect or incomplete data;
  3. require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
  4. object to the processing of your data where the University is relying on our legitimate interests as the legal ground for processing.

If you would like to exercise any of these rights, please contact the Data Protection & Freedom of Information Office at email:

If you believe that the University has not complied with your data protection rights, you can complain to the Information Commissioner.

If you wish to exercise any of these rights, please submit your request via the webform or contact

*Please note that the ability to exercise these rights will vary and depend on the legal basis on which the processing is being carried out. 


If you wish to raise a complaint on how we have handled your personal data, you can contact the University Data Protection Officer who will investigate the matter.

Our Data Protection Officer can be contacted at

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO)