This policy applies to the processing of personal data in manual and electronic records kept by the Company in connection with its human resources function as described below. It also covers the Company’s response to any personal data breach and the rights that individuals have under the General Data Protection Regulation (GDPR).
This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, workers and self-employed contractors. These are referred to in this policy as relevant individuals.
“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example a person’s name, identification number, location data or online identifier. It can also include pseudonymised data.
“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership. It also includes genetic data and biometric data (where used to uniquely identify a person).
“Criminal offence data” is data which relates to an individual’s criminal convictions and offences.
“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Company makes a commitment to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate), is processed in line with GDPR and domestic laws, and that all its employees conduct themselves in line with this and other related policies. Where third parties process data on behalf of the Company, the Company will ensure that the third party takes such measures as are needed to maintain the Company’s commitment to protecting data. In line with GDPR, the Company understands that it will be accountable for the processing, management, regulation, storage and retention of all personal data it holds, whether in manual records or on computers.
Types of data held
Personal data is kept in personnel files or within the Company’s HR systems. The following types of data may be held by the Company, as appropriate, on relevant individuals:
• name, address, phone numbers - for individual and next of kin
• CVs and other information gathered during recruitment
• references from former employers
• National Insurance numbers
• job title, job descriptions and pay grades
• conduct issues such as letters of concern, disciplinary proceedings
• holiday records
• internal performance information
• medical or health information
• sickness absence records
• tax codes
• terms and conditions of employment
• training details.
Relevant individuals should refer to the Company’s privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and data retention periods.
Data protection principles
All personal data obtained and held by the Company will:
• be processed fairly, lawfully and in a transparent manner
• be collected for specific, explicit, and legitimate purposes
• be adequate, relevant and limited to what is necessary for the purposes of processing
• be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
• not be kept for longer than is necessary for its given purpose
• be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
• only be transferred internationally in compliance with the relevant GDPR requirements.
In addition, personal data will be processed in recognition of individuals’ data protection rights, as follows:
• the right to be informed
• the right of access
• the right for any inaccuracies to be corrected (rectification)
• the right to have information deleted (erasure)
• the right to restrict the processing of the data
• the right to portability
• the right to object to processing
• rights in relation to automated decision-making and profiling.
The Company has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:
• it appoints or employs employees with specific responsibilities for:
a. the processing and controlling of data
b. the comprehensive reviewing and auditing of its data protection systems and procedures
c. overseeing the effectiveness and integrity of all the data that must be protected.
There are clear lines of responsibility and accountability for these different roles.
• it provides information to its employees on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
• it provides its employees with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
• it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
• it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by the Company
• it recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Company understands that consent must be freely given, specific, informed and unambiguous. The Company will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time
• it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report to the Information Commissioner, within 72 hours of becoming aware of it, any breach that is likely to result in a risk to the rights and freedoms of the affected individuals, and is aware of the possible consequences of failing to do so
• it is aware of the implications of transferring personal data internationally.
Access to data
Relevant individuals have a right to be informed whether the Company processes personal data relating to them and to access the data that the Company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:
• a form on which to make a subject access request is available from Leigh Sackett, and requests should be made to Leigh Sackett. A request is still valid if it is made without using the form.
• the Company will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request
• the Company will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.
Relevant individuals must inform the Company immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Company will take immediate steps to rectify the information.
For further information on making a subject access request, employees should refer to our subject access request policy, available from Leigh Sackett.
The Company may be required to disclose certain personal data to third parties. The circumstances leading to such disclosures include:
• any employee benefits operated by third parties
• disabled individuals - whether any reasonable adjustments are required to assist them at work
• individuals’ health data - to comply with health and safety or occupational health obligations towards the employee
• for Statutory Sick Pay purposes
• HR management and administration - to consider how an individual’s health affects their ability to do their job
• the smooth operation of any employee insurance policies or pension plans.
These kinds of disclosures will only be made when strictly necessary for the purpose.
The Company adopts procedures designed to maintain the security of data when it is stored and transported.
In addition, employees must:
• ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
• ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
• check regularly on the accuracy of data being entered into computers
• always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them
• lock or blank their screen whenever they leave their computer, so that personal data is not left visible when not in use.
Personal data relating to employees should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised by Leigh Sackett. Where personal data is recorded on any such device it should be protected by:
• ensuring that data is recorded on such devices only where absolutely necessary
• using encryption: a folder should be created to store the files that need extra protection, and all files created in or moved to this folder should be automatically encrypted
• ensuring that laptops or USB drives are not left lying around where they can be stolen.
Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If informing affected individuals directly would involve disproportionate effort, the Company will instead make a public communication, or take a similar measure, without undue delay, so that the individuals are informed in an equally effective manner.
New employees must read and understand the policies on data protection as part of their induction.
All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under the GDPR.
All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company’s policies and procedures.
The Company keeps records of its processing activities including the purpose for the processing and retention periods in its HR Data Record. These records will be kept up to date so that they reflect current processing activities.
Data protection compliance
Leigh Sackett is the Company’s appointed compliance officer in respect of its data protection activities.
Oxyplumb Ltd is committed to protecting the privacy and security of your personal data. This privacy notice describes how we collect and use personal information about you before, during and after your working relationship with us, in accordance with the General Data Protection Regulation (‘GDPR’) and any applicable national laws which implement the GDPR (together the ’Data Protection Legislation’).
Oxyplumb Ltd is the ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you, and we are required under Data Protection Legislation to notify you of the information contained in this privacy notice.
This notice applies to current and former employees, workers and contractors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do, we will provide you with an updated copy as soon as reasonably practical. It is important that you read and retain this notice so that you are aware of how and why we are using such information and what your rights are under the Data Protection Legislation.
The kind of information we hold about you:
‘Personal data’ means any information about an individual from which that person can be identified. We may collect, store, and use the following categories of personal data about you:
Personal details such as name, address(es), telephone number(s), personal email address(es), date of birth, gender, marital status and dependants, next of kin and emergency contact information, National Insurance number, bank account details, and tax status information.
Employment details such as salary, annual leave, pension and benefits information, start date, leaving date, your reason for leaving, location of employment or workplace, recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process), employment records (including job titles, work history, working hours, holidays, training records and professional memberships), performance information, and disciplinary and grievance information.
Security Information such as CCTV footage and other information obtained through electronic means such as swipe card records, photographs, information about your use of our information and communications systems, and copies of your driving licence, passport or other identity documents.
Special category personal data. There are ‘special categories’ of more sensitive personal data which require a higher level of protection, which we may collect, store and use. Special category personal data includes information about your race or ethnicity, religious beliefs, sexual orientation and political opinions, trade union membership, information about your health and any medical conditions you have, health and sickness records such as details of any absences (other than holidays) from work including time on statutory parental leave and sick leave, occupational health reports and, if you leave and the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision.
How is your personal data collected?
We collect personal information about employees, workers and contractors through the application and recruitment processes, either directly from individuals or sometimes from an employment agency. We will collect additional personal information in the course of job-related activities throughout the period of your employment.
How we will use your personal data
We will only use your personal data when the law allows or requires us to. Most commonly, we will use your personal information where we need to in order to perform the contract between us, or to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. The legitimate interests we have in processing your personal data are the efficient and effective running of the business and ensuring the safety and wellbeing of employees, customers and suppliers. Less often, we may also use your personal information where we need to in order to protect your vital interests (or someone else’s vital interests), where it is needed in the public interest, or where you have given explicit consent.
Situations in which we will use your personal data
We need all the categories of information to perform our contract with you and to enable us to comply with our legal obligations (for example the obligations on us as an employer under health and safety legislation or the legal duties we have to provide information to the national tax authorities). In some cases we may use your personal information to pursue our legitimate interests (as stated above) or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we may process your personal data are listed below.
• Making a decision about your recruitment or appointment.
• Determining the terms on which you work for us.
• Checking you are legally entitled to work in the country in which you are employed.
• Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and other similar statutory deductions (e.g. National Insurance contributions (NICs) in the UK).
• Enrolling you in a pension arrangement.
• Liaising with the trustees or managers of a pension arrangement operated by a group company, your pension provider and any other provider of employee benefits.
• Administering the contract we have entered into with you.
• Business management and planning, including accounting and auditing.
• Conducting performance reviews, managing performance and determining performance requirements.
• Making decisions about salary reviews and compensation.
• Assessing qualifications for a particular job or task, including decisions about promotions.
• Gathering evidence for possible grievance or disciplinary hearings.
• Making decisions about your continued employment or engagement.
• Making arrangements for the termination of our working relationship.
• Education, training and development requirements.
• Notifying you about business information relevant to your position where it is appropriate to do so.
• Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work.
• Ascertaining your fitness to work.
• Managing sickness absence.
• Complying with health and safety obligations.
• To prevent fraud.
• Equal opportunities monitoring.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
If you fail to provide personal data when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
Change of purpose
We will only use your personal data for the purposes for which we collected it, or for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated/incompatible purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How we use special category personal data
We may process special categories of personal data with your explicit written consent, where we need to in order to comply with employment law, or where it is needed in the public interest, such as for equal opportunities monitoring, or in relation to our occupational pension scheme. Less commonly, we may also process this type of information where it is needed in relation to legal claims or to protect an individual’s vital interests (and you are not capable of giving your consent), or where you have already made the information public (e.g. by posting it on social media).
Our obligations as an employer
We may use your special category personal data in the following ways:
• We may use information relating to leaves of absence, which may include sickness absence or family-related absence, to comply with employment or other applicable laws.
• We may use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay and pensions
• We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Do we need your consent?
We do not need your consent to use special category personal data about you to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may ask for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
Information about criminal convictions
We will only seek information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so, which will usually be because you have given explicit consent.
We may share your data with third parties for the reasons, and under the conditions, set out below.
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so which is not overridden by your rights or interests.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with applicable laws and regulations.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Rights of access, correction, erasure and restriction
Under certain circumstances, by law you have the right to:
• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to another party.
• Withdraw consent. Where you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
• Complain to the supervisory authority if you are unhappy about the way we have handled your personal data.