We collect and process personal data about our employees to manage the employment relationship. We're committed to being transparent about how we collect and use that data and to meeting our data protection obligations. Information you provide will be processed in accordance with the General Data Protection Regulation, Data Protection Act 2018 and subsequent legislation.
Information we collect
- general information about you including name, date of birth and address
- information about medical or health conditions, including whether you have a disability for which the organisation needs to make reasonable adjustments
- details of trade union membership if you pay your subscriptions through payroll
- equalities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
- general information about you, including your opinions, likes and dislikes, and things which are important to you
We collect this information in a variety of ways. For example, data is collected through application forms, obtained from your passport or other identity documents such as your driving licence, from forms completed by you at the start of or during employment (such as pension benefit nomination forms), from correspondence with you, or through interviews, meetings or other assessments.
We will only seek information from third parties with your consent.
Data is stored in a range of different places, including in your personnel file, in our HR management systems and in other IT systems, including our email system.
Why we process personal data
We need to process data to enter into an employment contract with you and to meet our obligations under that contract. For example, we need to process your data to provide you with an employment contract, and to pay you in accordance with that contract.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question.
In other cases, the organisation has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows us to:
- run recruitment and appointment processes
- maintain accurate and up-to-date employment records and contact details (including who to contact in an emergency), and records of employee contractual and statutory rights
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled
- ensure effective general HR and business administration
- provide references on request for current or former employees
- respond to and defend against legal claims
- maintain and promote equality in the workplace
- conduct employee engagement surveys
Some special categories of personal data, such as information about health or medical conditions, is processed to ensure that our legal obligations as an employer are met including health and safety obligations and making reasonable adjustments where appropriate.
Information about trade union membership is processed to allow the organisation to make deductions from your salary for union subscriptions if you request this.
Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation, or religion or belief, this is done for the purposes of equalities monitoring. Data that we use for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether to provide such data and there are no consequences of failing to do so.
Where we process data or images that you have volunteered to provide, for example surveys or information for use in our material or activities, this is either collected through consent of employees, which can be withdrawn at any time, or legitimate interests. Where consent is used, employees are entirely free to decide whether to provide such data and there are no consequences of failing to do so.
Access to data
Your information will be shared internally, including with HR and the Shared Services Centre, your line manager, managers in the business area in which you work and with employees where it is required for the performance of their role. We share your data with third parties in order to obtain pre-employment references from other employers, where it has a legal obligation to do so, such as HMRC, necessary criminal records checks from the Disclosure and Barring Service.
We will share your data with other third parties only where it is fair, transparent and lawful and in accordance with the General Data Protection Regulation and the Data Protection Act 2018.
We will not transfer your data to countries outside the European Economic Area.
How we protect data
We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
How long we keep data
We will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the HR retention schedule.
The periods for voluntarily provided information held in relation to internal newsletter material or activities are set out in the HR retention schedule.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request
- require the organisation to change incorrect or incomplete data
- in some circumstances require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
- object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing
- ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether your interests override the organisation's legitimate grounds for processing data
- withdraw consent, where this was the lawful basis for processing
If you would like to exercise any of these rights, please contact Jane Lakin, data protection officer, email: firstname.lastname@example.org
You can make a request to access your records by completing our subject access request form. You do not have to complete this form to make a request but it may help us locate your data more quickly.
If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.
If you do not provide personal data
You have some obligations under your employment contract to provide us with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable us to enter a contract of employment with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.