Stiperstone Privacy Policy
We are Tom Sykes Limited t/a Stiperstone, Grosvenor House, Central Park, Telford, TF2 9TW
Company no: 06947397,
Contact number: 01905 972 403,
Email: [email protected]
The Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) 2003 govern and protect individual data subjects and give them certain rights in relation to their personal data (listed below). Please be advised that all data captured, processed, and stored (with the exception of job applicants and employees) will be B2B contact information and commercial data.
We are registered as a Data Controller with the ICO, our registration reference is C1598969.
What is personal data?
In accordance with the UK GDPR, personal data is any data from which a living individual can be identified – either from the information itself, or when combined with other separate pieces of information. This includes data held electronically and in manual records (e.g. paper files and other media).
The ICO list the following as ‘Special Category Personal Data’:
racial or ethnic origin;
political opinions or religious/philosophical beliefs;
physical or mental health or condition;
sexual life;
criminal convictions or the alleged commission of an offence; and
trade union membership.
Explicit, informed consent will usually be required to hold any of the above special category data (SCD), and special care must be taken around the confidentiality, integrity and availability of this data. Where we process or store any of the above data, we will ensure the appropriate level of security is in place to prevent disclosure to any party outside of our organisation, unless this is required by law.
The types of personal data we process
In order to perform our organisational objectives efficiently and effectively, we may handle many types of personal data. For commercial contacts, we may store the name, job title, business address, email address, and any other associated commercial data. In this instance, only the data associated directly with a data subject may be considered personally identifiable information.
In line with our legal obligations as an employer and as a recruiter, we may process and store the following personal data:
Name, Address, Date of Birth, gender, NI number, personal email address, bank details, HMRC records, performance review records, incidents and accidents records, attendance records, disciplinary records, user access and system access records, etc.
How we process your personal data
The UK General Data Protection Regulation sets out seven key principles which lie at the heart of the general data protection regime and should be followed in all handling of personal data. It applies to all ‘processing’ of personal data: processing is very widely defined and includes obtaining, retaining, using, disclosing, allowing access to, destroying and even simply holding personal data.
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’)
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Processing of all staff personal data will be in line with our contractual and legal obligations (UK GDPR Article 6 (1)(a), (b) & (c), under the Special Category Data condition (DPA 2018 Schedule 1 Part 1 (1))).
How long we keep your data
Data will only be kept in line with the UK GDPR principles and in reference to our Data Retention Schedule. All financial records will be kept for 6 years (plus current financial year) in line with the requirement of the Financial Act. Employees’ data will be kept for the duration of the employment and 3 years post end of contract in line with the Limitation Act and the Companies Act. Unsuccessful job applicants’ data will be kept for 6 months.
We may, where appropriate and permitted by law, delete your data in advance of the retention period where you exercise your right to be forgotten.
Data subject access rights
The UK GDPR gives individuals eight data subject rights as listed below:
Right to be informed: organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
Right of rectification: individuals can correct inaccurate or incomplete data.
Right to be forgotten: in certain circumstances, individuals can ask organisations to erase any personal data stored on them.
Right of portability: in some circumstances, individuals can request that an organisation transfer any data that it holds on them to another company.
Right to restrict processing: in some circumstances, individuals can request that an organisation limits its use of personal data.
Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
Rights related to automated decision making, including profiling: under most circumstances, individuals have the right to object to having decisions made about them by automated processes or profiling.
Future policy
We may need to update or modify this Privacy notice from time to time. Where we intend to change the purpose or process your data differently, we would notify you beforehand. This notice was last reviewed and updated in November 2024.
How to complain
If you have any concerns about our use of your personal information, you can write to the DPO at:
DPO
Tom Sykes Limited t/a Stiperstone
Grosvenor House,
Central Park
Telford TF2 9TW
Contact number: 01905 972 403
Email: [email protected]
You can also complain to the ICO if you are unhappy with how we have used your data. Their details are:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk