Data Policy

Data Protection Policy and Procedure

The General Data Protection Regulations 2018 (GDPR) regulate the way in which certain information is held and used. This policy gives details about the type of information that the Organisation collects and maintains and the purposes for which it keeps them. It applies to all current and former employees, workers, volunteers, directors and contractors.

Employee Data

Record Control and Processing

The Organisation will need to keep information for purposes connected with your employment.

These records may include:

  • Information gathered during recruitment
  • Details of terms of employment
  • Payroll, tax and National Insurance information
  • Performance information
  • Absence records, including holiday records and self-certification forms
  • Details of any disciplinary investigations and proceedings
  • Training records
  • Contact names and addresses
  • Correspondence with the Organisation and other information provided to the Organisation.

This list is not exhaustive. 

The information held will be for our management and administrative use only, but from time to time, we may need to disclose some information we hold about you to relevant external data processors. These may include external consultants or service providers, clients/customers or sub-contractors.

The organisation maintains a Data Processor Register, which outlines in more detail who these providers are, what kinds of data they receive from us and for what purpose. You may request access to view this register. It is the responsibility of the organisation to establish that any external data processors understand the implications of the GDPR and that they have adopted appropriate systems and procedures to ensure the secure, safe and lawful processing of data.

It should also be noted that the Organisation might hold the following sensitive information about you, for which disclosure to any person will be made only when strictly necessary for the purposes set out below:

  • Your health, for the purposes of compliance with our health and safety and our occupational health obligations, or the administration of insurance, pension, sick pay and any other related benefits.
  • Unspent convictions to enable us to assess your suitability for employment.
  • Details regarding any protected characteristics under the Equality Act 2010 for the purpose of considering reasonable adjustments.

All employment records will be retained for the duration of employment and 7 years thereafter. Records relating to occupational health issues, accidents or incidents may be retained for up to 25 years in accordance with our insurance requirements. In addition, health records for employee’s subject to health surveillance will be kept for 40 years in accordance with regulatory requirements. Following this retention period, records will be securely destroyed.

Individual Rights

You have the right to:

  • Give, withhold or withdraw consent if the organisation intends to share any of your data with a data processor outside of their core business activities.
  • Request for personal data to be erased, as long as the erasure does not affect the employer’s business activities or legislative obligations.
  • Receive training and/or guidance on the implication of data breaches and good data practice.
  • Report any data breaches in line with the company’s whistle blowing policy.

Company, Customer and Supplier Data

You may be privy to confidential or personal data relating to the organisation’s strategic development or its customers, suppliers or service providers.

Examples of such information are:

  • Contact names, phone numbers and email addresses
  • Personal data relating to individuals within the organisation
  • Credit information
  • Bank details
  • Financial information

This list is not exhaustive.

If you have access to such data, you are expected to control it in line with the guidance
provided by GDPR 2018.

This means that any information shall be:

  • Processed for limited purposes and only after obtaining informed consent
  • Stored securely
  • Regarded as confidential and not disclosed to any unauthorised third party
  • Accurate and current
  • Archived and/or destroyed when no longer required

The Organisation requires you to comply with the GDPR. Failure to do so will be regarded as
serious misconduct and will be dealt with in accordance with the Organisation’s disciplinary
policy and procedure.

If you are in a position to deal with personal information about other employees, you will be
given separate guidance on your obligations, and you must ask for help if you are unsure.
The person with overall responsibility for compliance with the GDPR is Jessica Yates.