Employee data privacy notice
Factsheet number: 7.17
Last Updated: 25 May 2018

Overview

The General Data Protection Regulation (GDPR) is enforceable from 25 May 2018. I hold personal data on all of my employees to meet legal obligations and to perform vital internal functions. This notice details the personal data I may retain, process and share with third parties relating to your employment.

Introduction

I have issued this notice to describe how I handle personal information that I hold about my staff and job applicants (collectively referred to as "you"). For the purposes of this notice, the term "employee" is used. I respect the privacy rights of individuals and am committed to handling personal information responsibly and in accordance with applicable law. This notice sets out the personal data that I collect and process about you, the purposes of the processing and the rights that you have in connection with it. If you are in any doubt regarding this notice, please contact me.

Types of personal data we collect

During your employment with me, or when making an application for employment, I may process personal data about you. The types of personal information I may process include, but are not limited to:

Identification data – such as your name, and date of birth.
Contact details – such as home and business address, telephone/email addresses, emergency contact details.
Employment details – such as job title/position, office location, employment contract, performance and disciplinary records, grievance procedures, sickness/holiday records.
Background information – such as academic/professional qualifications, education, CV, criminal records data (for vetting purposes, where permissible and in accordance with applicable law).

References relating to previous roles and employment conduct may be undertaken prior to commencement of employment. We will only gather references from referees provided to us by the employee, or prospective employee.
Sensitive personal data (‘special categories of personal data’ under the General Data Protection Regulation) includes any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, or information about your health/sex life. Generally, I try not to collect or process any sensitive personal information about you, unless authorised by law or where necessary to comply with applicable laws. In some circumstances, I may need to collect some sensitive personal information for legitimate employment-related purposes, for example:

Data relating to your racial/ethnic origin, gender and disabilities to comply with anti-discrimination laws.
Data relating to your physical or mental health to manage absences from work, and risk assessments.

Purposes for processing personal data

Recruitment

If you are applying for a role with me then we collect and use this personal data for recruitment purposes – in particular, to determine your suitability for a specific role. This includes assessing your skills, qualifications and verifying your information, carrying out reference checks and to generally manage the hiring process and communicate with you about it. If you are accepted for a role with me, the data collected during the recruitment process will form part of your ongoing employee record.

Employment

I collect and process personal data relating to my employees to meet my obligations under the employment contract and to comply with my legal obligations as your employer. I take the security of your data seriously and am committed to being transparent about how I collect and use that data and to meeting my data protection obligations.
Once you become an employee, I collect and use this personal information for managing my employment or working relationship with you – for example, your employment records and contract information (so I can manage our employment relationship with you), your bank account and salary details (so I can pay you), and details of your spouse and dependents (for emergency contact). I have controls in place to try to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed without authorisation and only accessed or used for specific legal purposes. For example, your paper records are kept in a locked drawer, and any electronic information is kept on a computer which is password protected.

You have some obligations under your employment contract to provide me with data. You may also have to provide me with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide this data may mean that you are unable to exercise your statutory rights.

Legal purposes

We may also use your personal data where we consider it necessary for complying with laws and regulations, including collecting and disclosing employee personal information as required by law (e.g., for tax, health and safety, anti-discrimination laws), under judicial authorisation, or to exercise or defend our legal rights.

Legal basis for processing personal data

Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the way we collect it. We will normally collect personal data from you only where we need it to perform a contract with you (i.e. to manage the employer/employee relationship), where we have your freely given consent to do so (i.e. when signing your employment contract), or where the processing is in our legitimate interests and only where this interest is not overridden by your own interests or fundamental rights and freedoms.
In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person. Any processing based on consent will be made clear to you at the time of collection or use – consent can be withdrawn at any time by contacting me.

Who we share your personal data with

We take care to allow access to personal data only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the data is used in a manner consistent with this notice and that the security and confidentiality of the data is maintained.

Transfers to third-party service providers

In addition, we make certain personal data available to third parties who provide services to us (for example to a payroll company to pay you and when seeking information and advice on employment law). We do so on a "need to know" basis and in accordance with applicable data protection and data privacy laws.

Data retention

Personal data will be stored in accordance with applicable laws and kept for as long as needed to carry out the purposes described in this notice or as otherwise required by law. Generally, this means your personal information will be retained until the end of your employment, employment application, or work relationship with us plus a reasonable period of time thereafter to respond to employment or work-related inquiries or to deal with any legal matters (e.g. judicial or disciplinary actions), document the proper termination of your employment or work relationship (e.g. to tax authorities), or to provide you with ongoing pensions or other benefits.

Your rights

You may exercise the rights available to you under data protection law as follows:

The right to be informed.
The right of access.
The right to rectification.
The right to erasure.
The right to restrict processing.
The right to data portability.
The right to object.
Rights in relation to automated decision making and profiling.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can read more about these rights at: https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

To exercise any of these rights, please contact me.

Issues and complaints

I try to meet the highest standards when collecting and using personal information. For this reason, I take any complaints I receive about this very seriously. I encourage you to bring it to my attention if you think that my collection or use of information is unfair, misleading, or inappropriate.