May 2018

Introduction

The HR Division is committed to working in accordance with the General Data Protection Regulation and with the highest standards of ethical conduct.

This policy outlines the rules, behaviours and standards required of The HR Division, its employees, workers, clients and third parties working on behalf of The HR Division in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data. All workers will be responsible for data protection and must abide by the rules and policies of The HR Division.

Personal Data and Sensitive Personal Data

There are two types of personal data that fall under the GDPR and for which The HR Division, its employees, workers and third parties are responsible for. These are:

• Personal Data: This is defined as any information relating to an identified or identifiable natural person. Identification can be by means of “an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” This will include IP addresses and cookie strings.
• Sensitive Personal Data: Sensitive personal data includes data relating to genetic and biometric data as well as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or a person’s sex life, sexual orientation or criminal offences.

Data Protection Principles

The HR Division is committed to adhering to the Data Protection Principles which state:

1. Data must be processed lawfully, fairly and in a transparent manner.
2. Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data processed must be adequate, relevant and limited to what is necessary.
4. Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure data that are inaccurate, are erased or rectified without delay.
5. Data must not be kept for longer than is necessary for the purposes for which the data are processed.
6. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.

Information is kept and processed about individuals for legal purposes (such as for payroll), for administration purposes and for the purposes of day-to-day people-management. The HR Division is aware that in order to process personal data, or sensitive personal data, The HR Division must rely on the data being:

• necessary for the performance of a contract, or;
• in preparation for a contract, or;
• to comply with our legal obligations, or;
• for our legitimate business interests or;
• to perform a task carried out in the public interest or in the exercise of an official authority.

If The HR Division wishes to hold and process data which does not fall within conditions listed above, then it will seek to obtain the consent of the individual.

If it is necessary to obtain consent then The HR Division will write to the individual to ask for consent, ensuring that the consent is:

• Freely given, specific, informed and unambiguous.
• Separate from other terms.
• Clear and in plain language.
• As easy to give as to withdraw.
• ‘Explicit’ for sensitive data.
• Given in a way that can be evidenced.
• Unless consent to processing data is critical to the performance of a contract, the performance of a contract will not be made conditional on the basis that consent is given.

Personal Data

The HR Division collects and processes the following personal data:

• Personal contact details such as name, title, addresses, telephone numbers, personal email addresses; date of birth; gender; marital status and dependents
• Next of kin and emergency contact information
• National Insurance number
• Bank account details, payroll records and tax status information
• Salary, annual leave, pension and benefits information
• Start date
• Copy of driving license
• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
• Employment records (including terms and conditions of employment, work history, working hours, training records and professional memberships)
• Compensation history
• Performance information including appraisals and performance improvement plans
• Details of any disciplinary and grievance proceedings you have been involved in
• Details of any leave you have taken including holidays; sickness; family and parental leave.
• CCTV footage
• Information obtained through electronic means such as swipe card records and biometric means of identification
• Information about your use of our information and communications systems
• Photographs
• Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
• Trade union membership
• Information about your health, including any medical condition, health and sickness records and details of any disability for which we may need to make reasonable adjustments
• Genetic information and biometric data
• Information about criminal convictions and offences

Our purposes for processing your data

• Making a decision about your recruitment or appointment
• Determining the terms on which you work for us
• Checking you are legally entitled to work in the UK
• Paying you and, if you are an employee, deducting tax and National Insurance contributions
• Liaising with your pension provider
• Administering the contract, we have entered into with you
• Business management and planning, including accounting and auditing
• Conducting performance reviews, managing performance and determining performance requirements
• Making decisions about salary reviews and compensation
• Assessing qualifications for a particular job or task, including decisions about promotions
• Gathering evidence for possible grievance or disciplinary hearings
• Making decisions about your continued employment or engagement
• Making arrangements for the termination of our working relationship.
• Education, training and development requirements.
• Dealing with possible legal disputes involving you, or other employees, workers and contractors, including accidents at work
• Ascertaining your fitness to work
• Managing sickness absence
• Complying with health and safety obligations
• To prevent fraud
• To monitor your use of our information and communication systems to ensure compliance with our IT policies
• To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
• To conduct data analytics studies to review and better understand employee retention and attrition rates
• Equal opportunities monitoring
• Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information

Rights of Data Subjects

The HR Division will recognise that individuals have the following rights under data protection legislation:

1. the right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used;
2. the right of access;
3. the right to rectification of data that is inaccurate or incomplete;
4. the right to be forgotten under certain circumstances;
5. the right to block or suppress processing of personal data; and
6. the new right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.

Right of Access

Individuals have the right to access the information stored about them. Employees can ask for access to their own personal details held electronically or held manually. Employees who wish to see their records should give notice electronically, in writing, using the Subject Access Request Form which can be given to you by your manager. The HR Division has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.

In complex cases, or where there are numerous related requests, The HR Division will liaise with the individual to inform them of progress of their request(s), and if it is not possible to complete this within 1 month, The HR Division will inform the individual of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.

In the event that data is retained with third parties, The HR Division will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless impossible or if it would require disproportionate effort.

The HR Division reserves the right to charge a fee or to refuse to respond to a request if it is manifestly unfounded or excessive. Similarly, The HR Division reserves the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others.

Rectification of Data

The HR Division is committed to keeping data that is accurate and up to date. Data will be checked for accuracy where possible, and any data that is in accurate, out of date or unnecessary will be corrected or erased as appropriate.

Where an individual identifies that their personal data is incorrect or incomplete, or where they are aware that their personal data has changed, they must inform The HR Division as soon as possible.  The HR Division will then take steps to rectify any inaccuracies as soon as possible, and at the latest within 1 month.

In complex cases, or where there are numerous cases, The HR Division will liaise with the individual to inform them of progress of their request, and if it is not possible to complete this within 1 month, The HR Division will inform the individual of the delay and the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.

In the event that data has been disclosed to third parties, The HR Division will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or if it would involve disproportionate effort. 

The Right to be Forgotten

Also known as ‘the right to erasure’, the right to be forgotten doesn’t provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in some circumstances i.e.

• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
• When the individual withdraws consent.
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
• The personal data was unlawfully processed.
• The personal data has to be erased in order to comply with a legal obligation.
• The personal data is processed in relation to the offer of information society services to a child.

If you wish to ask for your own personal data to be partially/fully erased and no longer processed, please contact us at consultant@thehrdivision.co.uk with full details of your request. The HR Division has up to 1 month to respond to you and either delete the data or explain why it is unable to comply with your request. Circumstances where The HR Division may be unable to comply include where it is required to retain the information by law, or if the data is needed in connection with legal proceedings.

In complex cases, or where there are numerous related requests, The HR Division will liaise with you to inform you of progress of the request, and if it is not possible to respond to this within 1 month, The HR Division will inform you of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months, if necessary.

In the event that data is retained with third parties, The HR Division will ensure that the request is communicated and if appropriate actioned by the third party in line with the timescales outlined above. 

Security of Data

The HR Division is committed to taking steps to ensure that personal data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.

Any data breaches will be managed according to the procedures documented in our Data Protection Breach Reporting Policy and Procedure. 

Data Retention

The HR Division is committed to ensuring that subject data is kept for no longer than necessary and only kept as long as it’s relevant and necessary for legitimate purposes.  As soon as data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, unless it is necessary to keep the data for some other legitimate reason.

The HR Division does not intentionally keep data longer than necessary and when data is no longer required, The HR Division is committed to securely deleting it as soon as possible.

Data Breaches

All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, where possible, the member of staff should complete a Data Protection Breach Reporting Form (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to consultant@thehrdivision.co.uk or to your manager as soon as possible and within 24 hours of the discovery of the breach. If you need help completing the form, or are unable to complete the form, then any delay should be avoided and instead the matter should be reported immediately, either verbally or using electronic means, such as email.

Transferring Personal Data to a Country Outside the EEA

The HR Division does not transfer your personal data outside the European Economic Area (EEA) if you yourself are based within the EEA.

If you are based outside of the EEA, in order for The HR Division to provide its services, it shall be obliged to send your personal data outside of the EEA, in order to reach you.

Whenever The HR Division transfers your personal data out of the EEA, in accordance with the above limited exception, The HR Division shall act strictly in accordance with the instructions of the Data Controller, where applicable.

Data Portability

On occasion you may wish to allow your data to be transferred to another organisation either by you receiving the data and transferring it, or by the data being transferred directly.

This right to data portability only applies to data that you have provided to The HR Division, where the data processing is based either on your consent or the performance of the contract and where the processing is carried out by automated means, and it will only be transferred where it is technically feasible to do so.

If you wish to make a request for your data to be transferred, you must contact us consultant@thehrdivision.co.uk and we will respond to you within 1 month. If the requests are numerous or complex we reserve the right to extend this timescale by a further 2 months.  If we are unable to complete your request, we will write to you to inform you why, along with your right to complain to the Information Commissioner’s Office (ICO).

Objections to Personal Data Processing

You have the right to object to data processing where The HR Division is:

• processing information based on its legitimate business interests, or the performance of a task in the public interest/exercise of official authority (including profiling)
• direct marketing
• processing for the purposes of scientific/historical research and statistics.

If you wish to object to processing, you should contact us at consultant@thehrdivision.co.uk outlining the grounds relating to your particular situation and we will stop the processing unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is in relation to legal claims. If we are unable to agree to your request, we will write to inform you why, along with your right to complain to the ICO.

Organisational Data Protection Measures

The HR Division is committed to ensuring the security of your data and to processing it in line with the Data Protection rules. As such, The HR Division will:

• Ensure that all staff are aware of their responsibilities and The HR Division’s obligations and responsibilities in relation to data protection.
• Ensure that all staff and individuals/organisations who handle data on behalf of The HR Division are appropriately trained and receive refresher training on a regular basis.
• Ensure that all staff and individuals/organisations who handle data on behalf of The HR Division are regularly monitored, assessed and reviewed.
• Ensure that all organisations who handle data on behalf of The HR Division are carrying out data processing in line with the Data Protection rules.
• Regularly review The HR Division’s methods of data collection, handling, processing and storage.
• You could choose to add in far more detail covering the detail in data protection e.g. passwords, storage, encryption, locking screens etc – or you could choose to detail that separately e.g. in training/code of practice etc.

Privacy Impact Assessments

As part of The HR Division ongoing commitment to ensuring maximum protection for personal data, The HR Division will undertake Privacy Impact Assessments where appropriate.  Privacy Impact Assessments will help The HR Division consider the processing that is being undertaken, the risk to data subjects and most importantly the measures that need to be taken to minimise the risks. and will be reviewed on a 3- yearly cycle, unless it is deemed that a more frequent review is necessary.

Data Protection Officer

The HR Division has appointed a Data Protection Officer, who will support the organisation to manage Data Protection and will work with the Executive Board in this respect. Any queries or concerns can be addressed directly to the Data Protection Officer admin@thehrdivision.co.uk

Monitoring

The HR Division is committed to monitoring this policy and will update it as appropriate, on an annual basis.