Data Protection Policy
1 Overview
1.1 The Company (HR Solutions (South) Ltd) takes the security and privacy of our client data seriously. We need to use information or ‘data’ about your business and employees to manage our relationship with you and advise you. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
1.2 This policy applies to client companies and the information obtained as part of that relationship. The term ‘employees’ includes your workforce, employees, previous employees, workers and people who sub-contract to you.
1.3 We will only hold data for as long as necessary for the purposes for which we collected it.
1.4 This policy explains how HR Solutions (South) Ltd will hold information. It explains your rights as a client and your employees’ rights as data subjects.
1.5 This policy does not form part of your contract for services and can be amended by the Company at any time. It is intended that this policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this policy, the Company intends to comply with the 2018 Act and the GDPR.
1.6 HR Solutions (South) Ltd undertakes limited processing of data; information is used solely to provide advice and HR consultancy to client companies.
2 Data Protection Principles
2.1 Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
· be processed fairly, lawfully and transparently;
· be collected and processed only for specified, explicit and legitimate purposes;
· be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
· be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
· not be kept for longer than is necessary for the purposes for which it is processed; and
· be processed securely.
We are accountable for these principles for your employees’ data and can show that we are compliant.
3 How we define personal data
3.1 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
3.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
3.3 This personal data for your workforce might be provided to us by you, or someone else (such as a former employer, a doctor, etc), or it could be created by us.
3.4 We may hold any data about your employees which you choose to share with us, such as:
· recruitment information such as an employee’s application form and CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments;
· employee’s contact details and date of birth;
· your employee’s gender;
· your employee’s marital status and family details;
· information about contracts of employment (or services) with your employees including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits and holiday entitlement;
· your employee’s identification documents including passport and driving licence and information in relation to their immigration status and right to work for you;
· information relating to disciplinary or grievance investigations and proceedings involving employees (whether or not they were the main subject of those proceedings);
· information relating to your employee’s performance and behaviour at work;
· employee training records;
· electronic information in relation to your and your employee’s use of IT systems/swipe cards/telephone systems;
· your images (whether captured on CCTV, by photograph or video); and
· any other category of personal data for your employees which we may notify you of from time to time.
4 How we define special categories of personal data
4.1 ‘Special categories of personal data’ are types of personal data consisting of information as to:
· your employee’s racial or ethnic origin;
· your employee’s political opinions;
· your employee’s religious or philosophical beliefs;
· your employee’s trade union membership;
· your employee’s health;
· your employee’s sex life and sexual orientation; and
· any of your employee’s criminal convictions and offences.
We may hold and use any of these special categories of your personal data in accordance with the law.
5 How we define processing
5.1 ‘Processing’ means any operation which is performed on personal data such as:
· collection, recording, organisation, structuring or storage;
· adaption or alteration;
· retrieval, consultation or use;
· disclosure by transmission, dissemination or otherwise making available;
· alignment or combination; and
· restriction, destruction or erasure.
This includes processing personal data which forms part of a filing system and any automated processing.
6 How will we process your employee’s personal data?
6.1 The Company will process your employee’s personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.
6.2 We will use your employee’s personal data for:
· performing the contract of services between us;
· complying with any legal obligation; or
· if it is necessary for our legitimate interests (or for the legitimate interests of someone else). However, we can only do this if your employee’s interests and rights do not override ours. You and your employees have the right to challenge our legitimate interests and request that we stop this processing. See details of your rights in section 12 below.
7 Examples of when we might process your employee’s personal data
7.1 We have to process your employee’s personal data in providing advice on all areas of the employment relationship.
7.2 For example (and see section 7.4 below for the meaning of the asterisks):
· to decide whether to employ (or engage) your employees;
· to decide how much to pay your employees, and the other terms of contract;
· to carry out the contract between us including where relevant, its termination;
· training and reviewing your employee’s performance*;
· to decide whether to promote your employees;
· to decide whether and how to manage your employee’s performance, absence or conduct*;
· to carry out a disciplinary or grievance investigation or procedure in relation to your employees;
· to advise whether you need to make reasonable adjustments to your workplace or role because of your employee’s disability*;
· to help you monitor diversity and equal opportunities*;
· to help you monitor and protect the security (including network security) of the Company, of you, your employees and customers;
· to help you monitor and protect the health and safety of your employees, customers and third parties*;
· to help you pay and provide pension and other benefits to your employees;
· to help you provide a reference upon request from another employer;
· to help you comply with employment law, immigration law, health and safety law, tax law and other laws which affect us*;
· to help you with the running of our business and planning for the future;
· to help you prevent and detect fraud or other criminal offences;
· to help you defend the Company in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure*; and
· for any other reason which we may notify you of from time to time.
7.3 We do not need your employee’s consent to process special categories of your employee’s personal data when we are processing it for the following purposes, which we may do:
· where it is necessary for carrying out rights and obligations under employment law;
· where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent;
· where your employees have made the data public;
· where processing is necessary for the establishment, exercise or defence of legal claims; and
· where processing is necessary for the purposes of occupational medicine or for the assessment of your employee’s working capacity.
7.4 We might process special categories of your employee’s personal data for the purposes in paragraph 7.2 above which have an asterisk beside them. In particular, we will use information in relation to:
· your employee’s race, ethnic origin, religion, sexual orientation or gender to monitor equal opportunities;
· your employee’s sickness absence, health and medical conditions to monitor their absence, assess their fitness for work, to pay benefits, to comply with legal obligations under employment law including to make reasonable adjustments and to look after your employee’s health and safety; and
· your employee’s trade union membership, to pay any subscriptions and to comply with your legal obligations in respect of trade union members.
7.5 We do not take automated decisions about your employee’s personal data or use profiling in relation to your employee’s data.
8 Sharing your personal data
8.1 We do not send your employee’s personal data outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of your employee’s data will be explained.
9 Processing personal data
9.1 Everyone who works for, or on behalf of, HR Solutions (South) Ltd has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy.
9.2 Data will only be used for the specified lawful purpose for which it was obtained and will be kept secure and not shared with unauthorised people.
9.3 Where possible notes on individuals will be anonymised or separated by the use of keys/codes so that the data subject cannot be identified.
9.4 Personal data will be shredded and disposed of securely when it is no longer required.
10 Data breaches
10.1 We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of your employee’s or someone else’s) then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then we will also notify the Information Commissioner’s Office within 72 hours.
11 Subject access requests
11.1 Your employees, as data subjects, can make a ‘subject access request’ (‘SAR’) to find out the information HR Solutions (South) Ltd holds about them. This request must be made in writing. To avoid duplication, any emails, correspondence and documentation between you as the Client Company and HR Solutions (South) Ltd will be referred back to you to provide. Any other information which you as the Employer and Client identifies your employees as individual data subjects and is not covered by restrictions will be sent directly to the individual making the SAR request.
12 Your employees’ data subject rights
12.1 Your employees have a number of rights as listed in the client company’s Data Protection Policy.
12.2 In most situations we will not rely on your employee’s consent as a lawful ground to process your employee’s data. If we do however request your employee’s consent to the processing of your employee’s personal data for a specific purpose, your employees have the right not to consent or to withdraw their consent later.
12.3 Your employees have the right to complain to the Information Commissioner. They can do this by contacting the Information Commissioner’s Office directly.