Employee Privacy Notice

Privacy Notice for Global Employees, Applicants, and Independent Contractors

The Trustees of Columbia University in the City of New York, of 535 W. 116 Street, New York, NY 10027 (“we”, “us”, or “Columbia”, has prepared this privacy notice (including, where applicable, any country-specific schedules) (the "Notice") to describe its practices regarding the collection, use, storage, transfer and other processing of personal data about Employees (as defined below). Columbia is the controller responsible for the personal data that we collect and process as described in this Notice.  For the purposes of this Notice, "Employee" means:

  • Past and present employees;
  • Past and present consultants, independent contractors, and agents[1];
  • Job applicants;
  • Past and present temporary employees;
  • Retirees; and
  • Past and present directors and officers.

This Notice will provide information about:

  • Personal data we collect and use;
  • How we use your personal data and the basis on which we use it;
  • Special categories of personal data;
  • How we store personal data and who can access it;
  • Your rights over your personal data;
  • Information sharing;
  • Information security;
  • Information transfer;
  • Dependent’s privacy;
  • How to contact us; and
  • Changes to the privacy notice.

[1] - For the avoidance of doubt, references to 'Employee' and 'your terms of employment' in this Notice are for the purpose of this Notice only and nothing in this Notice shall constitute an agreement between Columbia and any consultant, independent contractors or agent that they are or were an employee or worker of Columbia, to the extent permitted by applicable local law.

We may collect your personal data from a variety of sources, including information we collect from you directly (e.g. when you apply for a job, during your employment, following termination of employment, etc.), and information we collect about you from other sources (where permitted by law).

Certain personal data is required as a consequence of the contractual relationship we have with you when we employ you, to enable us to carry out our contractual obligations to you. Failure to provide this information may prevent or delay the fulfilment of these obligations.

1.1 Personal data we collect directly from you

The categories of information that we may collect directly from you include the following:

  • personal details (e.g., name, age, date of birth);
  • contact details (e.g., phone number, email address, postal address);
  • family contact personal details (e.g., emergency contact details);
  • other information about you and your family (e.g., gender, marital status, family status, dietary requirements, hobbies)
  • educational and career background (e.g., your curriculum vitae);
  • other relevant data in respect of your job application or employment with us (e.g., job location, working conditions, special leave, special needs, holidays, etc.);
  • data regarding special agreements (e.g., study allowances, guarantees for mortgage loans, health insurance allowances, etc.)

1.2 Personal data generated by us

In addition, Columbia generates personal data in the following contexts:

  • Relating to employees:
    • employment details (e.g., employee number; career planning reports, annual review reports, performance records, and absence records; payroll records; employee contracts; use of communication systems, devices and IT systems; travel details);
    • employment and salary administration (e.g., salary amount, payroll records, bank details for direct deposits, benefit details, information related to tax withholding, reimbursement records).
  • Relating to applicants:
    • hiring and evaluation details (e.g., internal notes created in relation to your application, interview, or prior work experience or qualifications; referrals; hiring recommendations; information relating to salary negotiations; information about any association you may have with any current or former Columbia employees).
  • Relating to independent contractors:
    • contract and work details (e.g., independent contractor agreement; payment and disbursement records; information relating to performance of the contract).

1.3 Personal data we collect from other sources

We use external sources to collect certain personal data, where permitted by law, such as our onsite healthcare provider, publicly available databases, and such. The following are examples of the categories of information we may collect from other sources:

  • personal details (e.g., name, age, date of birth);
  • contact details (e.g., phone number, email address, postal address);
  • educational and career background (e.g., references from former employers)
  • other information about you and your family (e.g., gender, marital status, family status)
  • employment administration data (e.g., tax payment details)

We use your personal data in relation to your job application and (current or past) employment with us, to:

  • carry out our obligations to you under your employment contract or your independent contractor agreement;
  • exercise our rights under your employment contract or independent contractor agreement;
  • provide any services you request from us;
  • to keep our records accurate and up-to-date;
  • comply with legal obligations to which we are subject;

We must have a legal basis to process your personal data. In most cases the legal basis will be one of the following:

  • to fulfil our contractual obligations to you, for example to ensure that your salary is paid correctly, and for ensuring you have appropriate access to our premises;
  • to meet our legal obligations to you based on our employment or contracting relationship, for example health and safety obligations while you are on our premises; or to a third party (e.g. tax authorities); and,
  • to meet our legitimate interests, for example to ensure that we can provide you with any services, such as HR services from us, and that our records are kept up to date and accurate.

We collect and process certain special categories of personal data about Employees where necessary and in compliance with applicable local data protection laws.  In particular, Columbia processes health data, trade union membership, information about the sex lives of individuals (in the context of investigations into unlawful activity), and racial and/or ethnic data, as required and to the extent permitted under local laws to carry out our obligations in the field of employment, health and safety, social security and social obligations law and, where necessary, for the establishment or defence of legal claims. In some cases, we may also process special categories of data with your express consent.

Columbia maintains an automated record of each Employee's personal data.  This automated record contains most of the data held in the Employee's personnel file.  Additionally, Columbia maintains personal data in various human resources applications, including applications for payroll, benefits, talent management and performance management.  We may also maintain individual hard-copy personnel files.  The Human Resources Department maintains these files in a secure environment. 

Access to personal data is restricted to those individuals who need such access for the purposes listed above or where required by law, including members of the Human Resources Department, the managers in the Employee's department (including employees responsible for managing work performed by independent contractors), and to authorised representatives of the Columbia's internal control functions such as Compliance and Legal.  Access may also be granted on a strict need-to-know basis to other managers in the university where relevant if the Employee is being considered for an alternative job opportunity, or if a new manager appointed in the line of business needs to review files.  All Employees, including managers, are bound by the requirements of this Notice. 

Where applicable under local law, you may have the following rights regarding your personal data: the right to access personal data Columbia holds, and in some situations, the right to have that personal data corrected or updated, erased, restricted, or delivered to you or a third party in a usable electronic format (the right to data portability). Where applicable, you may also object to how Columbia uses your personal data if the legal basis for processing that information is our legitimate interest.

Where we are using your personal data on the basis of your consent, and where applicable under local law, you have the right to withdraw that consent at any time. Where you have granted consent to receive direct marketing communications from us, and where applicable under local law, you may withdraw that consent at any time. You also have the right to register a complaint to the appropriate data protection authority, where applicable.

If you wish to exercise these rights, or to notify us of a change in your details, or if you have any questions on the content of this Notice, please contact us at [email protected].

In general, we do not share your personal data with third parties (other than service providers acting on our behalf) unless we have a lawful basis for doing so.

We rely on third-party service providers to perform a variety of services on our behalf, which may mean that we have to share your personal data with these third parties. When we share your personal data in this way, we put in place appropriate measures to make sure that our service providers keep your personal data secure.

Other situations in which we may disclose your personal data to a third party are:

  • where permitted by law, to protect and defend our rights and property; and
  • when required by law, and/or public authorities.

We have implemented generally accepted standards of technology and operational security to protect personal data from loss, misuse, alteration or destruction. We require Employees and principals to keep personal data confidential and provide access to this information only to authorised personnel.

We will retain your personal data for the duration of the employment contract, unless a shorter retention period is required by law or the data is no longer necessary for the purposes for which it was obtained. Once our relationship with you has come to an end, we will retain your personal data for a period of time that enables us to:

  • provide you with any continuing benefits, such as pension or insurance benefits;
  • maintain business records for analysis and/or audit purposes;
  • comply with record retention requirements under applicable law;
  • defend or bring any existing or potential legal claims; and
  • deal with any queries or complaints you may have.

We will delete your personal data when it is no longer required for these purposes. If there is any information that we are unable to delete entirely from our systems for technical reasons, we will put in place appropriate measures to prevent any further processing or use of the data.

Your personal data may be transferred to, stored, and processed in a country (such as the United States) that is not regarded as ensuring an adequate level of protection for personal data under European Union law.

We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your personal data is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.

We may process personal data of your family members, including your children. When we do so, such processing will be carried out in compliance with data protection laws as they apply to children.

If you have questions or concerns regarding the way in which your personal data has been used, please contact [email protected].

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right (where applicable) to make a complaint to the appropriate data protection authority. Contact information for the EU data protection authorities can be found at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

You may request a copy of this Notice from us using the contact details set out above. We may modify or update this Notice from time to time.

If we change this Notice, we will notify you of the changes. Where changes to this Notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (for example, to object to the processing).