1. Introduction
As the ‘controller’ of the information (‘personal data’) that we collect and hold about you – our ‘data subjects’ – we are responsible for how that data is processed. The word ‘process’ covers the things that can be done with personal data, including collection, storage, use and destruction of data.
This privacy notice explains why and how we process your personal data, and explains the rights you have, including amongst others, the right to request access to your data, and to object to the way it is processed.
We process your data so we can manage and support our relationship with you, comply with legal obligations, improve our services, and achieve our legitimate business aims.
If you have any queries about this notice or anything related to data protection, you can contact our Financial Director on 01454 318000.
Although we are not required by law to appoint a data protection officer, our Financial Director takes the lead on data protection matters.
We are registered with the Information Commissioner’s Office ICO with registration no. Z1280569
2. Personal data
‘Personal data’ is any information that relates to a living, identifiable person. This will usually include your name, address, contact details, and other information we collect as part of our relationship with you, whether you are a client, supplier, colleague, or anyone else we come into contact with through our work.
We may collect some especially sensitive information which is known as ‘special categories’ of data relating to you – namely, race or ethnic origin, religious, or other beliefs, physical or mental health and trade union membership.
We do so on the basis that the data is necessary for:
- the purposes of carrying out our obligations and exercising specific rights of ourselves or you, in the field of employment law, social security law and social protection law
- protecting the vital interests of an individual where the person whose data is being processed is physically or legally incapable of giving consent
- reasons of substantial public interest, on the basis of the Data Protection Act 2018, which includes safeguarding, crime prevention, and regulatory work, amongst others
The use of this type of data, and of information about criminal convictions and offences, is subject to strict legal controls.
We only process data if we need to for a specific purpose, as explained below. Most often, we collect your personal data directly from you, through our contact with you.
3. Your data, how and why we process it
qualifications, references, other work-related information, as well as information to confirm your ID and your right to work, if appropriate.
If you decline to provide data that we require for the above purposes, we may not be able to continue to assess your application.
The information will be securely deleted/destroyed six months after we no longer need it for an application.
3.2 Current and former colleagues
When you work with us, as an employee, worker or contractor, we process your:
- name
- contact details
- qualifications
- work related information
- performance related information
- disciplinary/grievance information
- compensation and financial information including pension and benefits information
- next of kin/emergency contact and dependents’ information
- photographs and CCTV/film footage
- Entry fob data
- other information from our interactions, including health/disability related information where necessary
Most of this data is processed on the basis that it is necessary:
- to manage our employment relationship and contract
- to fulfil our legal obligations as an employer
- to allow you and us to exercise rights and comply with obligations under employment law, equality law and health and safety law
If you decline to provide data that we require for the above purposes, we may not be able to continue to employ you.
Apart from photographs needed for business ID purposes and CCTV footage, we will take photographs and films of various work-related events and occasions, and photos and films for use in internal and external communications. We will be transparent when we take photographs or films, and seek consent when necessary. Where we are not relying on consent, photographs and films are taken on the basis of our legitimate interests.
In the case of an emergency, we will process your data in order to protect your vital interests.
If we are approached and asked to share data about you for the purposes of criminal, tax-related, or other legal matters, we will share data only as necessary.
If we ask you for feedback on working with us, we will process that data on the basis that it is necessary for our and your legitimate interests of improving our employee experiences.
Where we ask you for any of the following information, it is optional for you to provide this information. We may ask about your race/ethnicity, health information, sexuality and religion. This is for the purposes of monitoring and improving our equality and fairness, on the basis of it being to protect yours and others health, safety and wellbeing. It is also in the substantial public interest for maintaining and improving opportunity and equality.
3.3 Clients
We process your name, contact details, and other information that we collect through our interactions with you, on the basis of our business’s legitimate interests of providing and improving our services.
If we send hard copy or electronic marketing messages to you, this is for the purposes of our legitimate interests to increase awareness of our business, and you can opt-out at any time.
You have the right to object to any of this processing and we will assess any objection.
3.4 Suppliers and any other business contacts
We process your name, contact details, and other information produced through our interactions, to enable us to manage our working relationship with you, on the basis of our business’s legitimate interests to be able to provide our services to those who need them, in the most effective way.
You have the right to object to any of this processing and we will assess any objection.
4.Why we share your data
We share the data we process with other organisations, only when we have a lawful basis to do so, or when we are engaging a supplier who will act as a ‘Data Processor’ on our behalf. ‘Processors’ are businesses who handle, or could potentially handle, personal data as part of providing a service to us, and include our IT system providers, our email providers, our website hosts, consultants, training providers, auditors, clients, accommodation and travel providers, external insurers, occupational healthcare professionals, and other benefit providers. This list is not exhaustive.
Other organisations we share data with include the HMRC and banks for processing tax and payments, and we will co-operate with police, HSE and other authorities if we are asked to, in order to investigate Health and Safety incidents, prevent crime, including fraud, and other unwanted behaviours such as incompetence in public roles.
5.How we store your data
Your personal data is held in both hard copy and electronic formats. Where we store or transfer your data outside of the UK we do so only where we have assessed the risk, and judged there to be appropriate measures in place to control the protection of your data, including the data being in a country that has been assessed as ‘adequate’ or we have entered into an appropriate IDTA (International Data Transfer Agreement), or lawful exceptions apply.
6.How long we keep your data
Your data is only kept for as long as there is a lawful reason to retain it. Some of our retention periods are based on legal requirements, and others are based on the practical reasons we need to keep the data for a certain period of time. Retention timescales are in our PSUK-GDPR-013 Record of Processing (Data Retention) Form, held by our GDPR team.
Once we reach the retention period, we will securely delete the relevant data, unless we are legally required to keep it longer, or there are legal reasons why we should keep it longer.
6.1 Your rights as a data subject
As a data subject, you have the following rights in relation to your personal data:
- To be informed about how and why your data is handled, which we do in a large part through this Privacy Notice
- To gain access to copies of your personal data (sometimes known as making a Data Subject Access Request or DSAR (PSUK-GDPR-005)).
- To have errors or inaccuracies in your data changed
- To have your personal data erased, in limited circumstances (sometimes known as the ‘right to be forgotten’)
- To object to the processing of your personal data for marketing purposes or when the processing is based on the public interest or other legitimate interests
- To restrict the processing of your personal data, in limited circumstances
- To obtain a copy of some of your data in a commonly used electronic form, in limited circumstances (known as the right to data portability)
- Rights that ensure you are not unfairly affected by any profiling or automated decisions
- To withdraw your consent if we are relying on your consent for our lawful processing of your data
- To raise a complaint if you are not satisfied with the way we are processing your data
To make a Data Subject Access Request or exercise any of the other rights, please contact us. We will respond to you as soon as possible, and within one month for a request to access, rectify, erase, restrict or object to processing of, your data, or a request for data portability.
For more information about these rights, please see the ICO’s website https://ico.org.uk/ or contact us.
6.2 Withdrawing consent
If we are relying on your consent to process your data, you may withdraw your consent at any time by contacting us in your preferred way.
6.3 Complaints to the Information Commissioner
You have a right to complain to the ICO about the way in which we process your personal data, although please allow us the opportunity to sort out the issue first. You can make a complaint on the ICO’s website https://ico.org.uk/.
7.Website cookies and similar technology
Our website uses essential cookies which are necessary for the proper operation of the website, as well as non-essential cookies including from Google Analytics and Zoho, which can identify your IP address and some of your interaction with the website.
Our Cookies banner on the website allows you to choose whether to accept the non-essential cookies.
If you prefer to turn off essential cookies as well as non-essential cookies, you can turn them off in your browser, but please be aware that the website will not operate as intended.