Data protection policy (staff data)


We are committed to being transparent about how we collect and use the personal data of our workforce, and to meeting our data protection obligations. This policy sets out our commitment to data protection, and explains your individual rights and our obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, contractors, interns, work experience students, apprentices and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of clients or other personal data processed for business purposes.

We have appointed our Technical Director as the Data Protection Officer (DPO) or person with responsibility for data protection compliance and any questions about this policy, or requests for further information, should be directed to them.


"Personal data" is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data" are:

Data protection principles

We process HR-related personal data in accordance with the following data protection principles:

We inform you of the reasons for processing your personal data, how we use such data and the legal basis for processing in our privacy notice. We will not process your personal data for other reasons. HR-related data will not be shared with third parties, except as set out in the privacy notice. Where we rely on our legitimate interests as the basis for processing data, we will carry out an assessment to ensure that those interests are not overridden by your rights and freedom.

Where we process special categories of personal data to meet our obligations or to exercise our rights in employment law, this is done in accordance with a policy on processing special categories of data.

We will update HR-related personal data promptly if you advise us that your information has changed or is inaccurate.

Personal data gathered during our relationship with you is held in your personnel file in electronic format, in online HR folders. The periods for which we hold HR-related personal data are contained in our privacy notice.

We keep a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Individual rights

As a data subject, you have a number of rights in relation to your personal data:

Please bear in mind that these rights take into account the wide variety of organisations who collect your personal data, and not just to the HR related personal data outlined above.

Subject access requests

You have the right to make a subject access request (SAR) to request all, or some, of the information we hold on you. You can also ask for information on:

Your request must be sent to the DPO who will co-ordinate a response. We will normally respond to your request within a period of one month from the date it is received. In some cases, such as where the request is complex, we may need additional time (up to an additional two months) and if this is the case, we will write to you to let you know.

Data security

We take the security of HR-related personal data very seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by those in the proper performance of their duties.

Where we engage third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Data breaches

If we discover that there has been a breach of HR-related personal data that poses a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office (ICO) within 72 hours of discovery. We will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk, we will inform affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures that have been taken.

International data transfers

We may transfer the personal data we collect about you to the USA in order to pursue our legitimate business interests and to fulfil client contracts. To ensure that your personal data receives an adequate level of protection we have put in place appropriate measures to ensure that your personal data is treated in a way that is consistent with, and which respects, the UK laws on data protection; this includes binding Company rules on data protection and signed agreements with third parties to ensure that they are signed up to the Privacy Shield and provide adequate protection of your data.

We will not transfer HR-related personal data to countries not covered by the UK ‘adequacy regulations’.

Your individual responsibilities

You are responsible for helping us keep your personal data up to date and must let us know if data provided to us changes, for example if you move house or change bank.

You may have access to the personal data of other individuals and of our clients in the course of your work. Where this is the case, we rely on you to help meet our data protection obligations.

If you have access to personal data you are required:


We will provide training to you about your data protection responsibilities as part of the induction process.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.