Privacy Notice for employees, workers, board, panel members and volunteers
Last updated 6 September 2018
Personal data we collect
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data, and other types of sensitive personal data, such as criminal records and offence data, which require a higher level of protection.
Types of personal data we process
We collect and process your personal data because of our employment, contractor, volunteer or equivalent relationship. We collect it from you during the recruitment and onboarding process. We also collect your personal data from third parties including recruitment agencies, providers of agency workers, former employers (for reference purposes) and background screening providers. We also collect and generate additional personal data throughout the period you work for or with us. We don’t collect anything you wouldn’t expect us to collect and we will not collect any personal data we do not need.
The categories of personal data we collect and process depend on whether you are an employee, bank worker, agency worker, contractor, volunteer, board member or panel member but may include:
- Personal contact details
- Emergency contact information
- Date of birth
- Marital status
- National insurance number
- Bank account details
- Payroll records and tax status information
- Start date, salary
- Place of work
- Annual leave, pension and benefits information
- Copies of your driving licence and/or your passport
- Photographs of you
- Employment record including job titles, work/volunteering history, working/volunteering hours, training records and professional memberships
- Compensation history
- Performance information
- Sickness, disciplinary, capability, grievance information
- Information about your use of our information systems and IT assets
- Images collected from CCTV footage
- Sensitive personal data
We may also collect, store and use sensitive personal data about you. This includes “special categories of data” covering information about your physical or mental health, your disability status, and your racial or ethnic origin. It also includes information about criminal convictions or offences.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where it is necessary for the purposes of the employment contract, volunteer agreement or other contract for services we have entered in to with you
- Where we need to comply with a legal obligation
- Where it is in our legitimate interests (or those of a third party) to do so
- We may also use your personal data in the following situations, which will be less common:
- With your consent
- Where we need to protect your interests (or someone else’s interests)
- Where it is needed in the public interest
- Necessary for contract or legal obligations
We primarily use your personal data to manage, administer and maintain our relationship with you in line with our contract of employment, volunteer agreement or contract for services with you or your agency or to meet our legal obligations. This includes paying you, reimbursing you, providing you with employment benefits, performance reviews and management, managing disciplinary, capability and grievance processes, ensuring your health and safety in the workplace, managing sickness, determining training and development requirements and making decisions about promotions or ending our working/volunteering relationship and ensuring your eligibility to work in the UK.
Our legitimate interests
We also use your personal data where it is in our legitimate interests to do so. This includes for purposes of business management and planning, including accounting and auditing and dealing with legal disputes involving you or other employees, volunteers, workers and contractors.
It is also in our legitimate interests to use monitoring technologies to protect our employees, workers and volunteers; to safeguard our physical and information assets; to enforce our policies; and to help protect against unauthorised access or data leakage. The technologies we use include CCTV, lone worker protection systems, computer log analysis, data loss prevention, mobile device management, email archiving and other information security tools.
Conditions for processing sensitive personal data
We will only process the “special categories” personal data or information about criminal convictions or offences where we meet one of the conditions required by law for doing so. This includes complying with legal obligations or exercising specific rights in the field of employment law or where processing is substantially in the public interests or where we have your consent.
We process the “special categories” of personal data when we collect or process information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits. Also, when we collect information about your racial or ethnic origin, for the purposes of equality and diversity monitoring. We process information about criminal convictions or offences in order to assess your suitability for working/volunteering for or with us, especially if your role involves working/volunteering with vulnerable people on our behalf.
Sharing your data
Third-parties we might share your personal data with
We share your personal data with third parties where required by law, where it is necessary to administer the working/volunteering relationship with you, where we have another legitimate interest in doing so or where we have your consent to do so. This includes our third-party service providers for reasons including payroll and expenses, pension administration, benefits provision and administration, and IT services. In some cases, we may share your information with services providers who will also be data controllers, such as providers of agency workers if you are working with us through an agency. They will provide their own privacy notice for how they use your personal data and we encourage you to review this.
Obligations on third-parties we share with
All third-party service providers to Origin Housing (our data processors) with whom we share your personal data are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Transferring personal data outside the EEA
We do not transfer your personal data out of the UK, but our IT and cloud service providers may transfer the personal data we store on their systems outside the European Union, to data centres located in other countries, such as the USA. Where this happens, we will ensure that appropriate safeguards are in place that ensure your personal data is protected to the standard expected in the European Union. These safeguards typically include standard contractual clauses approved by the European Commission for international transfers or (in the case of processors located in the USA) participation in the EU-US Privacy Shield Framework.
How long we keep your data
We only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Our Data Retention Policy sets out the retention periods for the different types of information we collect and hold. Please contact us is you would like to know the retention period applicable to your personal data.
How we protect your personal data
We have implemented appropriate technical and organisational measures to prevent the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data.
We apply information governance and security best practice. We have implemented appropriate policies and procedures and provide all employees with information security and data protection awareness training. We restrict access to personal data to only those employees who need to know it for the purposes of their role. We have implemented technical security controls, and have back-up and disaster recovery systems in place.
Data subject rights
You have the following rights in respect of your personal data:
You have the right of access to your personal data (commonly known as a “subject access request”) and can request copies of it and information about our processing of it
If the personal data we hold about you in incorrect or incomplete, you can ask us to rectify or add to it
Where we are using your personal data with your consent, you can withdraw your consent at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law
Where we are using your personal because it is in our legitimate interests (or those of a third party) to do so, you can object to us using it this way
You can ask us to restrict the use of your personal data if:
- It is not accurate
- It has been used unlawfully but you do not want us to delete it
- We do not need it any-more, but you want us to keep it for use in legal claims
- if you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request
- In some circumstances you can compel us to erase your personal data or request a machine-readable copy of your personal data to be transferred to another service provider.
- How to exercise your rights
If you wish to exercise your rights, please contact us using the information provided below.
While you will not have to pay a fee to access your personal data (or to exercise any of the other rights), we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Lodging a complaint with the Information Commissioner’s Office (ICO)
You can also lodge a complaint with the ICO. They can be contacted using the information provided at: https://ico.org.uk/concerns/.
Your duty to update us
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working/volunteering relationship with us.
If you have any questions, or wish to exercise any of your rights, then you can:
Call us on 0300 323 0325
Email us at email@example.com
Use the enquiry form on our Contact Us page of our website
Write to us at:
St Richards House
110 Eversholt St
You can also contact our data protection officer by emailing firstname.lastname@example.org.
Origin Housing reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. When changes are made, we will update the ‘Last Updated’ date at the top of this page. We may also notify you in other ways from time to time about the processing of your personal information.