Data protection policy (staff data)

Purpose

We are committed to being transparent about how we collect and use the personal data of our workforce, and to meeting our data protection obligations. This policy sets out our commitment to data protection, and explains your individual rights and our obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, contractors, interns, work experience students, apprentices and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of clients or other personal data processed for business purposes.

We have appointed our Technical Director as the Data Protection Officer (DPO) or person with responsibility for data protection compliance and any questions about this policy, or requests for further information, should be directed to them.

Definitions

"Personal data" is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data" are:

• Personal data revealing racial or ethnic origin
• Personal data revealing political opinions
• Personal data revealing religious or philosophical beliefs
• Personal data revealing trade union membership
• Biometric data
• Genetic data
• Data concerning health
• Data concerning a person’s sex life
• Data concerning a person’s sexual orientation

Data protection principles

We process HR-related personal data in accordance with the following data protection principles:

• processes personal data lawfully, fairly and in a transparent manner;
• collects personal data only for specified, explicit and legitimate purposes;
• processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of for which they are processed;
• keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
• keeps personal data only for the period necessary for the purposes for which the personal data was processed;
• adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

We inform you of the reasons for processing your personal data, how we use such data and the legal basis for processing in our privacy notice. We will not process your personal data for other reasons. HR-related data will not be shared with third parties, except as set out in the privacy notice. Where we rely on our legitimate interests as the basis for processing data, we will carry out an assessment to ensure that those interests are not overridden by your rights and freedom.

Where we process special categories of personal data to meet our obligations or to exercise our rights in employment law, this is done in accordance with a policy on processing special categories of data.

We will update HR-related personal data promptly if you advise us that your information has changed or is inaccurate.

Personal data gathered during our relationship with you is held in your personnel file in electronic format, in online HR folders. The periods for which we hold HR-related personal data are contained in our privacy notice.

We keep a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Individual rights

As a data subject, you have a number of rights in relation to your personal data:

• The right to be informed about the collection and use of your personal data, including the reasons for processing the data, how long it will be kept for and who it will be shared with.
• The right to access and receive a copy of your personal data and other supplementary information (make a subject access request - more information on this is included below)
• The right to have inaccurate data rectified, or completed if is incomplete.
• The right to have personal data erased.
• The right to restrict how your data is processed.
• The right to data portability.
• The right to object to the processing of your data in certain circumstances.
• The right to know if your data is subject to automated individual decision making and, if it is, to request human intervention or challenge a decision.

Please bear in mind that these rights take into account the wide variety of organisations who collect your personal data, and not just to the HR related personal data outlined above.

Subject access requests

You have the right to make a subject access request (SAR) to request all, or some, of the information we hold on you. You can also ask for information on:

• What personal information we hold about you.
• How we are using it.
• Who we share it with.
• Where the data was obtained from.

Your request must be sent to the DPO who will co-ordinate a response. We will normally respond to your request within a period of one month from the date it is received. In some cases, such as where the request is complex, we may need additional time (up to an additional two months) and if this is the case, we will write to you to let you know.

Data security

We take the security of HR-related personal data very seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by those in the proper performance of their duties.

Where we engage third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Data breaches

If we discover that there has been a breach of HR-related personal data that poses a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office (ICO) within 72 hours of discovery. We will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk, we will inform affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures that have been taken.

International data transfers

We may transfer the personal data we collect about you to the USA in order to pursue our legitimate business interests and to fulfil client contracts. To ensure that your personal data receives an adequate level of protection we have put in place appropriate measures to ensure that your personal data is treated in a way that is consistent with, and which respects, the UK laws on data protection; this includes binding Company rules on data protection and signed agreements with third parties to ensure that they are signed up to the Privacy Shield and provide adequate protection of your data.

We will not transfer HR-related personal data to countries not covered by the UK ‘adequacy regulations’.

Your individual responsibilities

You are responsible for helping us keep your personal data up to date and must let us know if data provided to us changes, for example if you move house or change bank.

You may have access to the personal data of other individuals and of our clients in the course of your work. Where this is the case, we rely on you to help meet our data protection obligations.

If you have access to personal data you are required:

• to access only data that you have authority to access and only for authorised purposes;
• not to disclose data except to individuals (whether inside or outside the Company) who have appropriate authorisation;
• to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
• not to remove personal data, or devices containing or that can be used to access personal data, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
• not to store personal data on local drives or on personal devices that are used for work purposes; and
• to report data breaches of which you become aware to the DPO immediately.

Training

We will provide training to you about your data protection responsibilities as part of the induction process.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.