Company Name: Bespoke IT Solutions Ltd
Company Address: Suite 1A Westmead House, Westmead, Farnborough GU14 7LP
Person Managing GDPR Compliance: Stephen Newton – Business Manager
Contact Details: Email: firstname.lastname@example.org Telephone: 01252 984 430
The Company collects and processes personal data relating to job applicants (in so far as any sections of this privacy notice apply), current and former employees, workers, volunteers, apprentices, interns and consultants to manage the employment or contractor relationship.
The Company is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. This Privacy Notice summaries your rights and our responsibilities to you. Further details can be found in the Data Protection Policy for Employees, Workers and Contractors.
1. What Information Does The Company Collect?
The Company collects and processes a range of information about you which is likely to include (as it applies to either an employment worker or contractor relationship) but is not limited to
- recruitment information such as your application form and CV, references, skills, experience, qualifications, employment history, membership of any professional bodies and details of any pre-employment
- your address contact details and date of birth;
- information about your marital status, next of kin, dependants and the contact details for your emergency contacts;
- your gender;
- your marital status and family details;
- information about your contract of employment (or services) including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits and holiday entitlement;
- your bank details and information in relation to your tax status including your national insurance number;
- your identification documents including passport and driving licence and information in relation to your nationality, immigration status and right to work for us;
- your work schedule, flexible working arrangements, attendance at work, holiday, sickness and other absence records;
- information relating to disciplinary or grievance investigations and proceedings involving you (whether or not you were the main subject of those proceedings);
- details of loans and repayment agreements, training fees repayment agreements and similar arrangements;
- details relating to your driving licence, car MOT and insurance;
- information relating to your performance and behaviour at work, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- training records;
- electronic information in relation to your use of IT systems/swipe cards/telephone systems, finger prints (in relation to data centre access);
- your images (whether captured on CCTV, by photograph or video or uploaded by you);
- information about medical or health conditions, including whether or not you have a disability for which the Company needs to make reasonable adjustments;
- equal opportunities monitoring information
- any other category of personal data which we may notify you of from time to
The Company may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment or contract; from correspondence with you; or through interviews, meetings or other assessments.
In some cases, with your consent, the Company may collect personal data about you from third parties, such as references supplied by former employers and information from criminal records checks or credit reference agencies as permitted by law. The Company will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.
Data will be stored in a range of different places (as it applies to either an employment worker or contractor relationship), including in your application record, personnel or contractor file, in the Company’s HR manual,
2. Why Does The Company Process Personal Data?
The Company needs to process data to enter into or to be in a contract with you and to meet its obligations under your employment or worker contract or your contract for services.
For example, it needs to process your data in order to receive your application for employment or a contract, and assess your suitability for the role, to provide you with the contract, to pay you in accordance with your contract and to administer benefits, pension and insurance entitlements where these are applicable.
In some cases, the Company needs to process data to ensure that it is complying with its legal obligations and to defend against legal claims. For example, it is required to check an individual’s entitlement to work in the UK, to deduct tax, to make reasonable workplace adjustments in the case of disability, to comply with health and safety laws and to enable employees or workers to take periods of leave to which they are entitled.
In other cases, the Company has a legitimate interest in processing personal data before, during and after the end of the employment, worker or contractor relationship. Processing data allows the Company to (as it applies to either an employment worker or contractor relationship):
- operate and keep a record of recruitment and promotion processes;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the Company complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- operate systems for and keep a record of pay, pension and benefits including PAYE or other required deductions
- operate and keep a record of necessary Health and Safety provisions and arrangements;
- ensure effective general HR and business administration;
- provide references on request for current or former employees;
- respond to and defend against legal
Some special categories of personal data, such as information about health or medical conditions, is processed to carry out legal obligations, such as those in relation to individuals with disabilities.
We may process sensitive data relating to your criminal record (and driving offences) where the nature of our work requires it in order to comply with a legal or statutory obligation, where our insurers require it, or where we believe it is in our legitimate best interests to have made a criminal records check. Rarely, we may use your personal data relating to criminal convictions where necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Where the Company processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. Individuals are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so. Equal opportunities monitoring data is usually anonymised at which point it ceases to be personal data as no specific living individual can be identified from it.
We do not take automated decisions about you using your personal data or use profiling in relation to you.
3. Who Has Access To The Data?
Data may be shared internally, with HR (including payroll), your line manager, managers in the business area in which you work, those involved in the recruitment activity, and other personnel as necessary for them to carry out their role or for the conduct of our business.
The Company shares your data with third parties in order to obtain references from other employers, to obtain background and credit checks from third-party providers and to obtain necessary criminal records checks from the Disclosure and Barring Service.
We are also required by law to share personal data with statutory bodies such as, but not limited to, the HMRC, the Pensions Regulator, and when applicable the HSE and the local authority for RIDDOR reporting, and when requested to do so the police, court services and similar bodies.
The Company may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
The Company also shares your data with third parties (as it applies to either an employment worker or contractor relationship) that process data on its behalf, in connection with HR services, payroll, the provision of benefits and the provision of occupational health services as required.
These may include but are not limited to:
- VivoHR & Training (UK) Ltd to manage employment matters
- Whiteley’s Accountants to administer your pay and HMRC submissions.
- Workplace Pensions Direct to administer your Group Personal Pension Plan
- Reward Gateway to administer employee reward scheme
- Vitality Health to administer health insurance, if applicable
- Canada Life to administer Life insurance and other specialist insurances, if applicable
- Denplan (as an appointed representative of Simply Health) to administer Dental insurance, if
- AMS Services to obtain Occupational Health reports or advice
- Bamboo HR website to manage staff sickness absences, holidays, expenses, disciplinary matters and all other staff related
- SAS in relation to BITS staff access to the Datacentre, if applicable
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for one of the third parties we contract with and may be engaged in, among other things, processing of HR-related data.
If your personal data is transferred outside of the EEA, we do our best to ensure a similar degree of protection in respect of your personal information as we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with the provisions set out in the Data Protection Policy for Employees, Workers and Contractors.
4 How Does The Company Protect The Data?
The Company takes the security of personal data seriously. The Company has internal policies, procedures, technologies and controls in place, from the point of collection to the point of destruction, to protect personal data against loss, malicious or accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by individuals in the proper performance of their duties.
Further details of how we manage data security and handle data breaches can be found in the Data Protection Policy for Employees, Workers and Contractors.
5. How Long Does The Company Keep Data For?
If your application for employment is unsuccessful, the Company will hold your data on file for six months after the end of the relevant recruitment process.
If you agree to allow the Company to keep your personal data on file, the Company may hold your data on file for a further six months for consideration for future employment opportunities. At the end of that period, or if you withdraw your consent earlier, your data will be deleted or destroyed.
The company will hold your personal data for the duration of your employment or contract and thereafter data for as long as necessary for the purposes for which we collected it and in accordance with the data retention periods set out in Data Protection Policy for Employees, Workers and Contractors.
6. Data Retention
The Company shall not retain any personal data for any longer than is necessary considering the purpose(s) for which that data is collected, held, and processed.
When establishing and/or reviewing retention periods, the following shall be considered:
- The objectives and requirements of the Company;
- The type of personal data in question;
- The purpose(s) for which the data in question is collected, held, and processed;
- The Company’s legal basis for collecting, holding, and processing that data;
- The category or categories of data subject to whom the data relates.
We are required to keep some personal data for specified time periods in order to comply with legal obligations or in order to protect the business; it is therefore our intention to retain your personal data as follows:
- Contracts – while employment (or contract) continues and for a period of 6 years after this terminates
- Financial data which we might be required to produce for audits or to the HMRC – while employment (or contract) continues and for a period of 6 years after the end of the last financial year after this terminates
- Records establishing your identity for AML– while employment (or contract) continues and for a period of 6 years after this terminates
- Personnel and training records – while employment (or contract) continues and for a period of 6 years after this terminates
- Consent for the processing of sensitive data – while employment (or contract) continues and for a period of 6 years after this terminates
- Accident and Injury records while employment (or contract) continues and for a period of 3 years after this terminates or longer if any such records may or could be required in any ongoing claims for personal injury
- Records establishing your identity for Eligibility to Work in the UK purposes– while employment (or contract) continues and for a period of 3 years after this terminates
- Working Time Opt Out Forms (Employees & Workers) – a minimum of 2 years from the dates to which they were applicable
- Details of unsuccessful applicants for job roles or contract positions – 6 months after the post is filled
- DBS checks – document to be held by the employee, worker or contractor and a copy of the DBS number only to be held by the Company – record be deleted 4 months after employment (or contract) is terminated
- Bank details – 4 months after all final payments have been made
- Consent to being furloughed in writing – 5 years
Upon the expiry of the appropriate data retention periods, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as appropriate to the format in which it was stored.
If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined and the data in question regularly reviewed against those criteria.
7. What Are Your Rights?
As a data subject, you have a number of rights – you can:
- Know what data we hold about you;
- access and obtain a copy of your data on request, and to request a transfer of data to another data controller;
- require the Company to change incorrect or incomplete data;
- require the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing;
- not to be subject to automated decision making (with some exceptions);
- to be notified of a data security breach;
- to withdraw consent processing where this was the legal basis relied upon for any such processing;
- to complain to the Information Commissioner Office https://ico.org.uk/concerns/.
8. What Happens If You Do Not Provide Personal Data?
Applicants for employment or a contract are under no statutory or contractual obligation to provide data to the Company during the recruitment process. However, if you do not provide the information, the Company may not be able to process your application properly or at all.
Once offered a position you have some obligations under your employment contract or contract for services to provide the Company with data. You are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. Failing to do so may breach the terms of your contract with the Company.
Where applicable, you may also have to provide the Company with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the Company to enter a contract with you and for us to meet our legal obligations. If you do not provide this information, and update it as necessary, this will hinder the Company’s ability to administer the rights and obligations arising as a result of the employment or contractor relationship efficiently.
I have read and understood the Applicant Employee Worker Contractor Privacy Notice above and confirm I have had the opportunity to read the Applicant Employee Worker Contractor Data Protection Policy.