This policy is for your information. It outlines what information will be collected from employees, why it is required and how the information will be used under the General Data Protection Regulation (GDPR). GDPR imposes strict requirements to secure an employee’s right to privacy with regard to their personal information. The Data Protection Act 1998 (DPA) is being replaced by the Data Protection Act 2018, which applies and supplements the GDPR in the UK and introduces additional changes.
The GDPR’s data protection principles are similar to those under the Data Protection Act 1998, except that there are six instead of eight, together with an overarching accountability requirement. Under the principles, organisations must be able to demonstrate that any personal data they handle is:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Kept in a form that identifies data subjects for no longer than is necessary
- Processed securely, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Who this policy applies to
Definitions under GDPR
- Data Subject – means an individual who is the subject of personal data.
- Data Controller – A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is, or is to be, processed.
- Data Processor – In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
How your information will be used
The Company needs to keep and process information about you for normal employment purposes. The information that we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are employed by us and at the time your employment ends. This includes information to enable us to comply with the employment contract, any legal requirements, and for the Company to protect our legal position in the event of any legal proceedings. If you do not provide this data, we may in some circumstances be unable to comply with our obligations and we will inform you of the implications of that decision.
The Company may sometimes need to process your data in order to pursue legitimate business interests. We will never process your data where these interests are overridden by your own interests.
The sort of information we hold includes your application form and references, Right to Work evidence such as a copy of a passport and/or birth certificate, your contract of employment and any amendments to it, correspondence with or about you, salary information, contact and emergency contact details, records of holiday, sickness and other absences, information required under our equality monitoring policy, training records, appraisals and, where appropriate, records of disciplinary action, grievances and any other formal action.
Where necessary we may keep information relating to your health, which could include reasons for absence, medical certificates, GP correspondence and GP and Occupational Health reports. This will be used to comply with our Health and Safety and Occupational Health obligations, to consider (if ever required) how your health affects your ability to do your job, and to determine whether any adjustments may be required. We also use this information to administer Company and Statutory Sick Pay for employees, as well as any health and life insurance policies (if applicable).
Where we are required to process special categories of information, we will always obtain your explicit consent to those activities unless the law permits the processing without consent or the information is required to protect your health in an emergency.
Where we are processing data based on your consent, you have the right to withdraw that consent at any time.
Lawful grounds for processing:
We as a Company may process personal information lawfully for a number of reasons, including in order to:
- Perform an employment contract
- Comply with a legal obligation
- Protect the employee’s or another individual’s vital interests (for example, medical data during a health emergency)
- Carry out a task in the public interest, or in exercising official authority vested in the employer
- Protect the legitimate interests of the employer or a third party, except where this is overridden by the interests or rights of the employee.
Personal and sensitive data
Personal data is any information relating to a person who can be identified, directly or indirectly, for example by a name, an identification number, location data, an online identifier, or by factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Under GDPR, it is legitimate to process sensitive personal data where this is necessary, for example to carry out obligations under an employment contract or collective agreement. What counts as sensitive personal data (referred to in GDPR as “special categories” of personal data) remains broadly the same as under the Data Protection Act: information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, and genetic or biometric data.
Sharing and transferring personal data
We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you; for instance, we may need to pass on certain information to an external HR and payroll provider, or to pension, benefits or health insurance providers. Where we need to use such a third party, we will satisfy ourselves that they are GDPR compliant before engaging them.
We may transfer information about you to other group companies for purposes connected with your employment or the management of the Company’s business.
If there is a requirement in the future to process your data for a purpose other than for which it was collected, we will always provide you with notice and the information on that purpose and any other relevant information.
Record keeping and Data retention periods
We will maintain clear and accessible records of all data processing activities.
Data will only be kept for as long as is necessary to fulfil the purpose identified or as required by law. Where there is a legal requirement to keep the data, we will comply with the statutory retention periods. All personnel and pay records will be retained for a period of 6 years. All employee leaver information will be retained for a period of 6 years unless the data subject requests to be forgotten.
Where the data is required to defend a potential claim, the data will be retained for the required period of time. Any data included on unsuccessful application forms and CVs will be destroyed and no longer retained.
Under the General Data Protection Regulation (GDPR) you have a number of rights with regards to your personal data. You have the right to request from us access to and rectification of your data as well as for it to be erased and to restrict processing of your data in certain circumstances.
If you have provided consent for the processing of your data you have the right to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent has been withdrawn.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you feel that we have not complied with GDPR requirements regarding your personal data.
Many of the rights are similar to those set out in the Data Protection Act. However the GDPR expands upon these and introduces new rights. In summary, data subjects, including employees, will have the:
- Right to be informed about the processing of your personal data
- Right to rectification if your personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within 1 month)
- Right of access to your personal data and supplementary information, and the right to confirmation that your personal data is being processed
- Right to be forgotten by having your personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it (employers will have to respond without undue delay and within 1 month of the request)
- Right to restrict processing of your personal data, for example, if you consider that processing is unlawful or the data is inaccurate
- Right to data portability of your own personal data for your own purposes (you will be allowed to obtain and reuse your data)
- Right to object to the processing of your personal data for direct marketing, scientific or historical research, or statistical purposes
Under GDPR, the current methods of requesting consent to collect and process your data have been reviewed. In some situations consent is not required, for example to fulfil legal or contractual obligations as an employer: to provide an employment contract, process salary payments, or set up and administer schemes for pension, life cover and so on. However, for most other scenarios, employers will need to show that employees give their consent freely to the specific use, purpose, or processing of that data, and the consent will need to be clearly connected to that processing. Where consent is the basis for processing, data will not be collected or processed without your explicit consent.
Should you have any queries regarding this policy or data protection in general, the Company’s Data Protection Officer is Rob Martin (Payroll Manager) and they can be contacted by telephone 01633 284705 or by email firstname.lastname@example.org.