
GDPR Privacy Notice and Retention Policy: Non Exec Directors, Consultants and Contractors

 
This notice meets the requirements under GDPR for organisations to be transparent with consultants about the data they process, their reason for processing and retention policy.
 
PCI Pal is committed to protecting the privacy and security of your personal information that we collect as a "data controller". As a controller we are responsible for deciding how we hold and use personal information about you. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). It also provides information about how long your personal information will be held for.
This notice applies to all job applicants, employees, and workers. It does not form part of your contract with us. It is important that you read this notice, together with any updates or other privacy notices. In particular, all current personnel must comply with our "Data Protection Policy" which explains your obligations in respect of personal data when working for us.
 

The kind of information we hold about you

We may collect, store, and use the following categories of personal information about you:
·     Personal details such as name, title, addresses, date of birth, gender, dependants, photographs, car registration plate (if providing car parking), telephone numbers, personal email addresses, next of kin and dependants’ information, and emergency contact information.
·     Financial details such as your National Insurance number, bank account details, payroll records, tax information, salary, annual leave, pension and benefits information.
·     Recruitment information (including official forms of ID, copies of right to work documentation, references, verification of address and qualifications, and other information included in a CV or cover letter or as part of the application process).
·     Employment records (including your contract, work history, training records, performance, disciplinary, and grievance records (including expired sanctions), and time/attendance records).
·     CCTV footage (within and around the Ipswich Office) and other information obtained through electronic means such as swipecard records.
·     Information about criminal convictions and offences.
·     Information about your use of our information and communications systems.
·     Details of your use of business-related social media, such as LinkedIn and your use of public social media (only in very limited circumstances, to check specific risks for specific functions within our organisation; you will be notified separately if this is to occur).
·     Details of any work-related travel.
·     Any other information relating to you that you may provide to us.
We may also collect, store and use "special categories" of more sensitive personal information (which requires a higher level of protection), including information about any trade union membership and activities, your race or ethnicity, nationality, religious beliefs, political opinions, sexual orientation, any information about gender re-assignment and transitioning, marital/civil partnership status, pregnancy and maternity and about your health. We may also hold information about criminal convictions as explained under section 6 "Information about criminal convictions" below.
 

How is your personal information collected?

We typically collect personal information from you through the recruitment process, either directly from you or sometimes from third parties such as employment agencies or your former employers. We will also collect personal information in the course of you working for us. Sometimes we will proactively collect data. In other cases this information will be less formally provided to us by you, other employees, or third parties.
 

Overview: How we will use information about you

Personal information
We will only use your personal information when the law allows us to. Most commonly:
·     Where we need to perform the contract we have entered into with you, or to comply with a legal or regulatory obligation.
·     Where it is necessary for our legitimate interests (or those of a third party such as a benefits provider) and your interests and fundamental rights do not override those interests.
We may also use your personal information where we need to protect your interests (or someone else's) or where it is needed in the public interest.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Special category information
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. The main reason we would need to hold and process these categories of information is to carry out our obligations as your employer.
We may process special categories of personal information in the following circumstances:
·     Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme, and in line with our data protection policy.
·     Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
·     Where it is necessary for the purposes of exercising the employment law rights or obligations of us or you.
·     Where the processing meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 relating to preventing or detecting unlawful acts.
·     In limited circumstances, we may also process on the basis of your explicit written consent.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent (such as in the case of a medical emergency), or where you have already made the information public. We may also process such information about employees or former employees in the course of legitimate business activities with the appropriate safeguards.
 

Examples: How we will use information about you

Personal information
The following are examples of situations in which we will use your personal information:
·     Making a decision about your recruitment or appointment, determining the terms on which you work for us and checking you are legally entitled to work in the UK.
·     Paying you and providing you with benefits (including liaising with your pension provider) and, if you are an employee, deducting tax and National Insurance contributions.
·     Business management and planning, including accounting, auditing, equal opportunities monitoring, and to conduct employment data analytics studies.
·     Managing, gathering evidence and making decisions in respect of:
      ·     Performance, salary reviews and compensation decisions, assessing training and development requirements, and making promotion/change in role decisions;
      ·     Possible whistleblowing, grievance, disciplinary or complaint investigations and hearings;
      ·     Restructures and possible redundancy situations should they arise; and
      ·     Legal disputes involving you, or other employees, workers, contractors, customers and other third parties including members of the public.
·     Making arrangements for the termination of our working relationship and in the provision of references.
·     Ascertaining your fitness to work, managing sickness, and health and safety obligations.
·     To ascertain compliance with our policies, and ensure protection of our intellectual property.
·     To ensure information security, including preventing unauthorised systems access.
 
Special category information
The following are examples of situations in which we will use your sensitive personal information:
·     We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to support you and to comply with employment and other laws.
·     We will use sensitive personal information about various matters including protected characteristics, in order to provide appropriate support to you in the workplace and to make adjustments to your role or our policies and practices that are necessary or helpful in order for us to do so. For example, if you are pregnant we will use information to ensure that we continue to provide a safe working environment for you. If you are transitioning gender, we will use that information to support you in that process. If your religious or philosophical beliefs have an impact on your work, we may use that information in discussion with you to offer appropriate support and to understand and address the impact that this has on your role.
·     As a result of your personal circumstances, we may also identify a need for training to be offered to staff or policies to be updated in order to ensure that we provide a safe and supportive working environment for all. For example, we may recognise a need to increase awareness and understanding of a particular protected characteristic. This could be in the form of LGBTI+ training, awareness of certain health conditions (in particular where staff awareness of an issue could help support you and other employees better) or other diversity and inclusion training/policy updates.
·     We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace, to assess your fitness to work, to provide appropriate workplace adjustments, and to monitor and manage sickness absence.
·     We may also use your sensitive personal information to the extent appropriate and in accordance with equalities legislation including the Equality Act 2010, in managing, gathering evidence and making decisions in respect of:
      ·     performance, salary reviews and compensation decisions, assessing training and development requirements, and making promotion/change in role decisions;
      ·     possible whistleblowing, grievance, disciplinary or complaint investigations and hearings;
      ·     restructures and possible redundancy situations should they arise; and
      ·     legal disputes involving you, or other employees, workers, contractors, customers and other third parties including members of the public.
·     We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, gender re-assignment, health, pregnancy and maternity, to ensure meaningful equal opportunity monitoring and reporting.
 
Every employee is unique and the above are just some examples of times where we may use your sensitive personal information. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you appropriately or at all.
 

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy. Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
We may also process such information about employees or former employees in the course of legitimate business activities with the appropriate safeguards.
We envisage that we may hold information about criminal convictions. We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process. We may become aware, or be notified directly by you, of such information in the course of you working for us.
 

Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations as an employer or exercise specific employment law rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. You should be aware that it is not a condition of your contract with us that you agree to any such request for consent.
If you have provided your consent in this way for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
 

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent, please contact the data privacy manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
 

Sharing of personal information

We may have to share your data with other members of our group, and third parties, including third-party service providers (such as payroll, pension and benefits administration, occupational health, training providers, IT and legal services), for the purposes of day to day operation of our business and/or staff management.
 
We may also share your personal information with:
·     other third parties, for example in the context of the possible sale or restructuring of the business;
·     other entities in the group;
·     a regulator, HMRC, the Health and Safety Executive or to otherwise comply with the law;
·     prospective future employers in response to reference requests.
We require third parties to respect the security of your data and treat it confidentially and in accordance with the law, including ensuring that they will not use the personal data for their own purposes. We may, in certain circumstances, share your personal data with third parties outside of the UK subject to appropriate safeguards being put in place.
 

Data security

We have put in place measures to protect the security of your information. Details of these measures are available upon request from the Data Protection Officer.
 

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements. In some circumstances we may anonymise your personal information, in which case we may use such information without further notice to you.
Once your working relationship with us is over, we will retain and securely destroy your personal information in accordance with this data retention policy, and applicable laws and regulations. Details of the proposed maximum retention periods for your personal information are outlined in Appendix 1.
 

Rights of access, correction, erasure, and restriction

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Under certain circumstances, you have the right to:
 
·     Request access to your personal information (known as a "data subject access request").
·     Request correction of the personal information that we hold about you.
·     Request the erasure of your personal information, or ask us to stop processing it if we are relying on a legitimate interest and you object to processing on this ground.
·     Request the suspension or restriction of processing of your personal information.
·     Request the transfer of your personal information to another party.
 
You will not have to pay a fee to exercise any of these rights. However, we may charge a reasonable fee (or refuse your request) if your request for access is unfounded or excessive.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
 

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
 

Contact

If you have any questions about this privacy notice, or to exercise any rights under it, please contact the Data Protection Officer.