Staff privacy notice
This privacy notice tells you what to expect when Protas collects personal information about you. It applies to all employees, ex-employees, agency staff, contractors, secondees, job applicants, non-executive directors and Board Members. The information we will process about you will vary depending on your specific role and personal circumstances.
Protas is the controller for this information unless this notice specifically states otherwise. This notice should be read in conjunction with our other corporate policies and procedures. When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.
How do we get your information
We get your information from the following sources:
- Photographs taken of you at internal and external corporate events
- From an employment agency
- From your employer if you are secondee
- From referees, either external or internal
- From security clearance providers or other third-party providers carrying out HR (Human Resources) or financial services on behalf of Protas
- From external training providers
- From Occupational Health and other health providers
- From pension administrators and other government departments, for example tax details from HMRC
- From providers of staff benefits
- Other publicly available information
How do we store your information
Any electronic information held for individuals covered by this notice is stored securely on either Protas’ systems or by processor organisations detailed below. Any information held in a physical format is stored in accordance with our Information Security Policy.
What personal data we process and why
Information related to your employment, prospective employment or engagement with Protas
We are documenting external and internal events via photography to showcase individuals, increase our profile engagement and convey a sense of corporate branding.
We use the following information to carry out the contract we have with you, provide you access to business services required for your role and manage our human resources processes.
- Personal contact details such as your name, address, contact telephone numbers (landline and mobile) and personal email addresses.
- Your date of birth, gender, marital status, and NI number.
- A copy of your passport or similar photographic identification and / or proof of address documents.
- Next of kin, emergency contacts and their contact information.
- Employment and education history including your qualifications, job application, employment references, right to work information and details of any criminal convictions that you declare.
- Details of any secondary employment, political declarations, conflict of interest declarations or gift declarations.
- Background employment checks such as Disclosure and Barring Service according to your job.
- Your responses to staff surveys if this data is not anonymised.
- Photos of you. We may take photographs of you when you attend internal and external work events. These photos may be used on our corporate website, on other online platforms such as LinkedIn and for internal and external marketing materials. This photography is to document and positively showcase our people and culture to enhance Protas' profile and support corporate branding.
Information related to your salary, pension and loans
We process this information for the payment of your salary, pension, and other employment related benefits, for the administration of statutory and contractual leave entitlements such as holiday, sickness, or parental leave. We also process this information for the purposes of development and delivery of pay policy, financial planning, accounting, and audit.
- Information about your job role and your employment contract including your start and leave dates, salary, any changes to your employment contract, working pattern (including any requests for flexible working).
- Details of your time spent working and any overtime, expenses or other payments claimed.
- Details of any leave including sick leave, holidays, special leave etc.
- Pension details including membership of both state and occupational pension schemes (current and previous).
- Your bank account details, payroll records and tax status information.
- Details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay. This includes forms applying for the relevant leave, copies of MATB1 forms/matching certificates and any other relevant documentation relating to the nature of the leave you will be taking.
Information relating to your performance and training
We use this information to assess your performance, to conduct pay and grading reviews and to deal with any employer / employee related disputes. We also use it to meet the training and development needs required for your role.
- Information relating to your performance at work e.g., probation reviews, Personal Development Reviews, promotions.
- Grievance and dignity at work matters and investigations to which you may be a party or witness.
- Disciplinary records and documentation related to any investigations, hearings and warnings / penalties issued.
- Whistleblowing concerns raised by you, or to which you may be a party or witness.
- Information related to your training history and development needs.
Information relating to monitoring
We use this information to assess your compliance with corporate policies and procedures and to ensure the security of our premises, IT (Information Technology) systems and employees.
- Information derived from monitoring IT acceptable use standards.
Information relating to your health and wellbeing and other special category data
We use the following information to comply with our legal obligations. We also use it to ensure the health, safety, and wellbeing of our employees.
- Health and wellbeing information either declared by you or obtained from health checks, eye examinations, occupational health referrals and reports, sick leave forms, health management questionnaires, fit notes or reports e.g., Statement of Fitness for Work from your GP or hospital.
- Accident records if you have an accident at work.
- Details of any risk assessment, access needs or reasonable adjustments.
- Information you have provided regarding Protected Characteristics as defined by the Equality Act for the purpose of equal opportunities monitoring.
We may also share your information with an appropriate third party e.g., emergency contact or GP if we have serious concerns about your immediate welfare or safety.
Lawful basis for processing your personal data
Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the GDPR:
- Article 6(1)(b) which relates to processing necessary for the performance of a contract.
- Article 6(1)(c) so we can comply with our legal obligations as your employer.
- Article 6(1)(d) to protect your vital interests or those of another person.
- Article 6(1)(f) for the purposes of our legitimate interest.
Special category data
Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:
- Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.
- Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent.
- Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.
- Article 9(2)(f) for the establishment, exercise, or defence of legal claims.
- Article 9(2)(j) for archiving purposes in the public interest.
In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the DPA (Data Protection Act) 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee.
Criminal convictions and offences
We process information about employees or prospective employees criminal convictions and offences. The lawful basis we rely on to process this data is:
- Article 6(1)(b) for the performance of a contract.
In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1.
How long we keep your personal data
Your personal information will only be retained for as long as we have a need for it. This is determined by either ongoing business need or a legal requirement to retain information for a pre-determined period of time
Data sharing
From time to time, we may need to share your information with third parties including:
- External training providers
- Courts (pursuant to a court order).
- Government agencies e.g. with HMRC for the purpose of collecting tax and national insurance contributions.
- External HR consultants and legal advisors.
- External remuneration consultants (de-identified data only)
Do we use any data processors
Yes – a list of our current processors can be found at the end of this document.
Your rights in relation to this processing
As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Information Commissioner as the relevant supervisory authority. For more information on your rights, please see ‘Your rights as an individual’
Transfers of personal data
We do not routinely transfer staff personal data overseas but when this is necessary, we ensure that we have appropriate safeguards in place.
Further information
Right of Access
You can request access to your personal information by emailing the Head of Human Resources at mandi.harcourt@protas.co.uk or by submitting an access request to the Director of Information Governance and Data Ethics at gaynor.dalton@protas.co.uk You can also make a verbal request for your information. We will consult internally with members of staff who might hold personal data about you.
Workforce development and planning
We will share information about you with our training providers. For example, this will include information such as your name, contact details and job role. When necessary, we will also share information about any dietary or access requirements that you might have when you attend training events.
Occupational health
During your employment you may be referred to occupational health following a request to HR by you or your line manager. This may result in a face-to-face consultation, a telephone appointment with an occupational healthcare professional and/or a medical report from a GP or specialist.
Monitoring of staff
Use of our IT systems is for business purposes only and as such, the following may be accessed and monitored:
- electronic documents held on the network.
- incoming and outgoing e-mails.
Any logging and monitoring will be in line with our Acceptable Use Standard and any targeted monitoring of staff will take place within the context of our disciplinary procedures.
Requests for references
If you leave, or are thinking of leaving, we may be asked by your new or prospective employers to provide a reference. For example, we may be asked to confirm the dates of your employment or your job role.
Data Processors
Data processors are third parties who provide certain parts of our staff services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so. Our current data processors are listed below.
Data Processor
Purpose
Buzzacott
HR administration, payroll, benefits, expenses, and other finance administration
RealSense Solutions
Training portal
Team Tailor
Recruitment portal
Sage
HR portal