Information to be provided by Waterman Aspen Ltd, Pickfords Wharf, Clink Street, London, SE1 9DG (”we, us, our” or ”Employer”) where personal data relating to employees and workers is processed by the Employer
What is the purpose of this document?
We are a “Data Controller” and we collect, store, hold, process, use, record, consult, disclose, erase, make decisions based upon, destroy and, in some instances, transmit personal data about you (together these activities are referred to as “Process”, “Processed” or “Processing”).
This Privacy Notice sets out the information that must be provided by us to you (the “Data Subject”) at the time your personal data is obtained. It is drafted in compliance with UK data protection laws. The person responsible for overseeing data protection compliance issues within the Employer is Mark Nuckey, Data Protection Manager. Email address: firstname.lastname@example.org
This Privacy Notice concerns your personal data and special categories of data, together referred to as “Data” in the Privacy Notice. This Privacy Notice describes how we collect and use Data about you both during and after your working relationship with us and gives examples of the types of Data we hold, Processing activities and the justifications for that Processing.
This Privacy Notice applies to current and former employees, workers and contractors. This Privacy Notice does not form part of any contract of employment or other contract to provide services. We have a separate Privacy Notice in respect of candidates for employment or work.
It is important that you read this Privacy Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing Data about you, so that you are aware of how and why we are using such information. This Privacy Notice should also be read in conjunction with the Employer’s Data Protection Policy.
The Data Protection Principles
We will comply with UK data protection laws which state that the Data we hold about you must be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- Adequate and relevant to the purposes we have told you about and limited only to those purposes
- Accurate and kept up to date
- Kept only as long as necessary for the purposes we have told you about
- Kept securely
The types of Data we hold about you
Data means any personal data or special categories of data about an individual from which that person can be identified. It does not include information where the identity has been removed (anonymous data). “Special categories” of more sensitive personal data require a higher level of protection.
We may collect, store, use and Process the following personal data or categories of personal data about you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- Date of birth
- Marital status and dependants
- Next of kin and emergency contact information
- National Insurance number
- Bank account details, payroll records and tax status information
- Salary, annual leave, pension and benefits information
- Start date
- Location of employment or workplace
- Copy of driving licence, MOT and insurance documents
- Recruitment information (including copies of right to work documentation, references, and other information included in a CV or cover letter or as part of the application process)
- Employment records (including job titles, work history, working hours, training records and professional memberships)
- Compensation history
- Performance information
- Disciplinary and grievance information
- CCTV footage and other information obtained through electronic means such as door card records
- Information about your use of our information and communications systems (including internet, email, social media and telephones)
- Photographs and profiles
- Mobile phone tracking information
We may also Process or collect Data which is more sensitive and falls within the definition of special categories of data. The types of special categories of data we might collect or Process may include (but are not limited to):
- Information about your sex, race, ethnic or national origin, religious or philosophical beliefs, sexual orientation and political opinions
- Information about your health, including any physical or mental condition or disability, health and sickness records and GP Fit Notes including medical reports
- Personal social media profiles or use
- Information about criminal convictions and offences
These lists of Data (personal data and special categories of data) and the examples of Processing are not exhaustive.
How your Data is Processed and in what situations
The situations in which we will Process your Data (personal data and special categories of data) are listed below:
- Making decisions about your recruitment or appointment
- Determining the terms on which you work for us
- Checking you are legally entitled to work in the UK
- Undertaking employment screening to assess your suitability for a role
- Paying you and, if you are an employee, deducting tax and National Insurance contributions
- Providing and administering benefits to you, which shall include but shall not be limited to: Employee Assistance Programme, Pension, Life Assurance, Corporate Perks, Permanent Health Insurance (PHI), Private Medical Insurance, Cancer Screening, Will Writing, Cash Plan with Hospital Insurance, Dental Insurance, Babylon, Cycle to Work, Car Parking, Fabyouless Card, Childcare Vouchers, Gourmet Society, Leisure Benefit, Health Screening, Kids Pass, Mobile Phones (if selected)
- Liaising with our benefit providers, pension providers, insurers or agents
- Administering the contract we have entered into with you
- Business management and planning, including accounting, auditing and marketing
- Conducting performance reviews, managing performance and determining performance requirements
- Making decisions about salary reviews and compensation
- Assessing qualifications for a particular job or task, including decisions about promotions
- Gathering evidence for possible grievance or disciplinary hearings
- Making decisions about your continued employment or engagement
- Making arrangements for the termination of our working relationship
- Education, training and development requirements
- Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
- Ascertaining your fitness to work (including liaising with occupational health, clinicians or other medical professionals) or providing appropriate workplace adjustments
- Monitoring and managing sickness absence and other absences, sick pay and other sickness benefits
- Complying with health and safety obligations
- To prevent fraud, breaches on intellectual property rights, unauthorised access to our IT systems or to detect a crime
- To comply with employment and other laws relating to family-related or other statutory leave and pay entitlements
- To monitor your use of our information and communication systems to ensure compliance with our IT policies, social media policies, email and internet use policies
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- To conduct data analytics studies to review and better understand employee retention and attrition rates
- Equal opportunities monitoring and reporting
- Business sales or acquisitions including due diligence processes
- Providing references (including reference to mortgage companies)
We may Process Data about you in compliance with our Lawful Basis (see below) and/or where this is required or permitted by law. Some of the above grounds for Processing will overlap and there may be several grounds which justify our use of your Data.
How we will use Data about you – the “Lawful Basis”
Under Data Protection laws, Data Controllers have to explain how Data about Data Subjects is used because they can only use Data when they are permitted to do so by law. Data Controllers will be permitted to use Data by law when they can establish a “Lawful Basis”. Below we set out each Lawful Basis relevant to us in relation to your personal data and special categories of data.
Each Lawful Basis for the Employer’s Processing or use of personal data is as follows:
(a) Where we need to perform the contract we have entered into with you
(b) Where we need to comply with a legal obligation
(c) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your personal data in the following situations, which are likely to be rare:
a) Where we need to protect your interests (or someone else’s interests)
b) Where it is needed in the public interest or for official purposes
Each Lawful Basis for the Employer’s Processing of special categories of data is as follows:
(a) In limited circumstances, with your explicit written consent
(b) Where we need to carry out our legal obligations and in line with our data protection policy or other relevant policy
(c) Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme, and in line with our data protection policy
(d) Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards
Less commonly, we may process special categories of data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.
Our Legitimate Interests
With regards to our ‘legitimate interests’ referred to above, these would include, but are not limited to:
- The furtherance of the Employer’s business operations, services and products
- The furtherance of our HR and Marketing functions and initiatives
- The pursuit or defence of any claims, rights or litigation or detection of a crime
- Our accounting or auditing functions and reporting duties
- The furtherance of the Employer’s commercial development, strategy, planning or growth including any business sales or transactions
- The protection of the Employer’s intellectual property rights, confidential information, security or product development
- Monitoring and ensuring compliance with our policies, processes and procedures such as security, fraud prevention, employee benefits and training.
Consent to Process your Data
We do not need your consent if we use special categories of data to carry out our legal obligations or exercise specific rights in relation to employment law requirements, or as we set out in our Data Protection Policy. In limited circumstances, we may approach you for your specific written consent to allow us to process certain particularly sensitive Data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to give us your consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
Third Party Recipients of Data
From time to time, we may collect and share your Data with third parties, including third party service providers or other entities within our group.
We will share your Data with other entities in our group as part of our regular reporting activities on company performance, in the context of a business or group restructuring exercise, for system maintenance support and hosting of data.
We will share your Data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. For example, the following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, expenses administration, IT services, drivers’ license checks, disclosure and barring service checks and training courses.
We may share your Data with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your Data with a regulator or to otherwise comply with the law.
The recipients or categories of recipients of the Data may include:
- Parent, Associated Employers or Group Companies (as defined in the Contract of Employment)
- Legal representatives
- Regulators and professional bodies
- Recruiters or reference checking agencies
- Pensions or other insurance providers (including brokers)
- Government or statutory bodies
- Non-government bodies
- Insurers, insurance brokers
- Occupational health providers
- Medical practitioners, clinicians, doctors, other health providers and consultants
- Payroll providers
- Marketing or PR agencies
- I-cloud service providers
- Clients or customers (for the purposes of assessing suitability for a project or specific piece of work)
- Training providers or other employers
- Industry regulators
- Disclosure and Barring Service
- Consultants or Contractors working on our behalf
- Enquiry agents or investigators
This list may include an employer or third-party recipient(s) outside of the UK. This list is non-exhaustive. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your Data in line with our policies. We do not allow our third-party service providers to use your Data for their own purposes. We only permit them to process your Data for specified purposes and in accordance with our instructions.
Transferring information outside the EU
We may transfer the Data we collect about you to the following countries outside the EEA/EU – Japan and Australia – in order to perform our contract with you. Whilst the European Commission has ongoing adequacy discussions with Japan, there is not an adequacy decision by the European Commission in respect of those countries. This means that the countries to which we transfer your Data are not deemed to provide an adequate level of protection for your Data.
However, to ensure that any personal data transferred does receive an adequate level of protection and to ensure that the data is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection, we are currently putting in place Standard Contract Clauses (SCCs) with Japan and Australia.
Information about Criminal Convictions
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy. We may sometimes use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. Also, we will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.
Data Security and Data Breaches
We have put in place appropriate security measures to prevent your Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Data to those employees, agents, contractors and other third parties who have a business need to know. They will only Process your Data on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from Mark Nuckey, Data Protection Manager.
We have put in place procedures to deal with any suspected Data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
The periods for which Data will be stored and the criteria used to determine retention periods or whether Data can be removed will depend on the information in question, its relevance or sensitivity; however, generally, Data will be removed if it has been superseded by other relevant or up to date information, if it is out of date, irrelevant or no longer necessary. Any removal of Data will be subject to the principles of data protection, compliance with the Lawful Basis for processing as well as other statutory rights and obligations.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of ours we will retain and securely destroy your personal information in accordance with our Data Protection Policy and applicable laws and regulations.
Details and examples are set out in the Data Protection Policy.
Your Rights in Relation to your Data
Under certain circumstances, by law you have the right to:
- Request access to your Data (commonly known as a “data subject access request”). This enables you to receive information about the Data we hold about you.
- Request correction of the Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Data. This enables you to ask us to delete or remove Data where there is no good reason for us continuing to Process it. You also have the right to ask us to delete or remove your Data where you have exercised your right to object to processing (in certain circumstances).
- Object to processing of your Data where we are relying on a legitimate interest for processing (or a legitimate interest of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Data for direct marketing purposes.
- Request the restriction of processing of your Data. This enables you to ask us to suspend the processing of Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your Data to another party.
If you want to review, verify, correct or request erasure of your Data, object to its Processing, or request that we transfer a copy of your Data to another party, please contact the Data Protection Manager in writing.
Further details relating to Data Subject rights are set out in the Data Protection Policy.
You also have the right to lodge a complaint as to our Processing of your Data with the UK’s data supervisory authority, The Information Commissioner’s Office (www.ico.org.uk) and for Ireland, The Data Protection Commissioner for Ireland (www.dataprotection.ie).
Providing us with up-to-date Data
The requirement for you to provide us with Data is a contractual requirement as well as in some cases, a statutory one, necessary to enter into a contract and working relationship. The contract could be an employment contract or in relation to work more generally. If you do not provide us with the Data we request, this may impact upon our ability to proceed with employment or candidacy for employment or work or affect entitlement to pay and benefits, for example, and also impact on our ability to comply with other legal obligations.
Change of Purpose
Where the Employer intends to Process Data for a purpose other than that for which the Data was collected, the Employer shall provide you, before the Processing, with information on that other purpose and with any relevant further information.
Changing this Privacy Notice
The Employer reserves the right to update this Privacy Notice at any time, and it will provide you with a new Privacy Notice when we make substantial changes. We may also notify you in other ways from time-to-time about the processing of your data.
Any questions about this Privacy Notice should be directed to HR.