1. Data protection privacy statement for employees, bank workers and casual staff
During the course of our activities we will process personal data (which may be held on paper, electronically, or otherwise) about our staff or other people who work for or on behalf of us and we recognise the need to store and use it in an appropriate and lawful manner, in accordance with UK data protection law. The purpose of this statement is to make you aware of how we will handle your personal data.
2. The basis for using your personal data
2.1 "Personal data" means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you. Some of this data, such as medical details and details of gender, race and ethnic origin, will be regarded as sensitive personal data.
2.2 The Society may occasionally ask you for your consent to use your personal data. However, on a day-to-day basis it will usually process personal data because it is necessary to do so:
- to enter into or perform a contract with you (including your contract of employment);
- for the Society to comply with a legal obligation;
- to protect your vital interests or those of another person; or
- for the purposes of the legitimate interests of the Society or a third party, provided these interests are not overridden by your interests or fundamental rights or freedoms in relation to your personal data.
2.3 The Society only processes your personal data on these grounds because it needs to. Without your personal data, it would not be able to employ you or perform its obligations under your employment contract.
2.4 When the Society processes data on the basis of its or a third party’s legitimate interests, these interests will typically relate to the operation and administration of the Society’s business, including the safety of the people and property involved in the business. For example, the Society monitors staff to ensure compliance with the Society’s IT systems and to protect its networks and systems.
2.5 Whenever the Society processes personal data for a particular purpose, it shall ensure that the processing is adequate, proportionate and not excessive for that purpose.
3. Sensitive personal data
3.1 The personal data processed by the Society will include special categories of personal data (also known as “sensitive personal data”) such as:
- information about your physical or mental health or condition in order to monitor sick leave and take decisions as to fitness for work;
- information about your sexual orientation;
- information about trade union membership or political opinions; and
- your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation.
Sensitive personal data will typically be processed because:
- the Society needs to do so in order to carry out its duties or exercise its rights as an employer;
- you have given your free, informed and explicit consent to it being processed by the Society;
- the information has been made public by you;
- the Society is required to process the information by law; or
- the processing is necessary in order for the Society to conduct, defend or exercise a legal claim.
4. Disclosure, transfer and storage of personal data
4.1 The Society may make your personal data available to any person within the Society and to persons who provide products or services to the Society (such as advisers and payroll administrators), regulatory authorities, potential purchasers/investors and as may be required by law.
4.2 Your personal data may be transferred to business contacts outside the European Economic Area where necessary in order for the Society to carry out its business (for example, if the Society uses a supplier such as a cloud storage provider outside the European Economic Area). However, the Society shall not transfer personal data outside of the European Economic Area unless there are appropriate safeguards in accordance with applicable data protection law (or an exception applies where the law allows such transfers, for example it is necessary in order to establish, pursue or defend a legal claim). Where the transfer is made on the basis of there being appropriate safeguards, these will either involve the use of contracts approved by the European Union, or result from a European Union decision (such as a decision that a country provides adequate protection for your rights, or the use of an approved data transfer scheme or code of conduct).
4.3 Data will not be disclosed to anyone other than our authorised employees, agents, contractors or advisors (except as required by law) unless you expressly authorise disclosure.
4.4 Every effort will be made to ensure that data about you is not retained for longer than is necessary for the purpose(s) for which it is obtained and that the data held is accurate and up-to-date. It is in your own interest to tell your line manager if your personal circumstances change, for example, if you move house.
5. Your rights in relation to your personal data
5.1 Under applicable data protection law you have certain rights in relation to your personal data. These include:
- the right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal data;
- (from the 25th May 2018) where technically feasible, the right to have certain information provided to you in a portable electronic format or have it transmitted to another controller;
- the right to have inaccurate data rectified;
- the right to object to your data being used for marketing or on legitimate interests grounds (including for profiling where applicable);
- where your data is processed on the basis of consent, the right to withdraw that consent;
- the right to restrict how your personal data is used; and
- the right to have your data erased in certain circumstances (though this may not apply if it is necessary for us to continue to use the data for a lawful reason).
5.2 If you would like further information on your rights or wish to exercise them, please contact firstname.lastname@example.org.
5.3 Please keep in mind that there are exceptions to the rights above and, though the Society will always try to respond to your satisfaction, there may be situations where we are unable to do so. If you believe that your data protection or privacy rights have been infringed, you should raise the matter in the first instance with your line manager. If you are not happy with our response, you should contact the UK Information Commissioner's Office, which oversees data protection compliance in the UK. Details of how to do this can be found at www.ico.org.uk.
5.4 In this part, “processing” means: obtaining, recording, holding or carrying out any operation on information and data the Society holds about you, including the organisation, adaptation or alteration of such information or data, retrieval, consultation or use of information or data, the disclosure of such information or data by transmission, dissemination or otherwise making it available to a third party, or the alignment, combination, blocking, erasure or destruction of any such information or data.
6. Breaches of this policy
Any breach of this statement will be taken seriously and may result in disciplinary action.