Harnham Search and Selection Limited
Privacy Notice – Employees, Contractors and Workers
1. This Notice
1.1 We take the privacy and security of our staff’s personal information seriously. This notice explains our practices regarding the collection, use and disclosure of personal information we hold about employees, contractors and workers and applicants for roles with us.
1.2 This notice applies to all current and former employees, contractors and workers (“you”) of Harnham Search and Selection Limited (“we” or “us”).
1.3 This privacy notice does not apply to information we hold in relation to our candidates for roles with our clients, clients or third parties which is covered by a separate privacy notice available on our website.
1.4 This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.
1.5 This notice is governed by the EU General Data Protection Regulation (the “GDPR”) from 25 May 2018.
1.6 This notice applies to personal data we hold about you. “Personal data” means information that relates to you as an identified or identifiable person.
2. Legal basis on which we process personal data
2.1 Personal data we hold about you will be lawfully processed based on one of the following legal reasons (known as a “legal basis”):
2.1.1 Because you have consented to the processing;
2.1.2 Because the processing is necessary in order for us to comply with our obligations under a contract between you and us; or
2.1.3 Because the processing is necessary for a “legitimate interest”. A legitimate interest in this context means a valid interest we have as your employer which is not overridden by your interests in data privacy and security.
3. Data which we collect
3.1 We may collect and process the following personal data about you:
3.1.1 Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
3.1.2 Date of birth
3.1.4 Marital status and dependants
3.1.5 Next of kin and emergency contact information
3.1.6 National Insurance number
3.1.7 Bank account details, payroll records and tax status information
3.1.8 Salary, annual leave, pension and benefits information
3.1.9 Start date
3.1.10 Location of employment or workplace
3.1.11 Copy of your passport
3.1.12 Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
3.1.13 Employment records (including job titles, work history, working hours, training records and professional memberships)
3.1.14 Compensation history
3.1.15 Performance information
3.1.16 Disciplinary and grievance information
3.1.17 CCTV footage, and other information obtained through electronic means such as swipecard records
3.1.18 Information about your use of our information and communications systems
3.2 We may also collect, store and use the following "special categories" of more sensitive personal information:
3.2.1 Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
3.2.2 Information about your health, including any medical condition, health and sickness records.
3.2.3 Information about criminal convictions and offences.
4. How we collect your data
4.1 We collect personal information about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider.
4.2 We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.
4.3 We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
4.4 From time to time we may collect sensitive data via a hard copy or online diversity monitoring form. If we do so, we will seek to obtain your consent for processing this data.
5. How we use your personal data
5.1 We may use your information for the following purposes:
5.1.1 Making a decision about your recruitment or appointment
5.1.2 Determining the terms on which you work for us
5.1.3 Checking you are legally entitled to work in the UK
5.1.4 Paying you and, if you are an employee, deducting tax and National Insurance contributions
5.1.5 Providing employment benefits to you
5.1.6 Liaising with your pension provider if necessary
5.1.7 Administering the contract we have entered into with you
5.1.8 Business management and planning, including accounting and auditing
5.1.9 Conducting performance reviews, managing performance and determining performance requirements
5.1.10 Making decisions about salary reviews and compensation
5.1.11 Assessing qualifications for a particular job or task, including decisions about promotions
5.1.12 Gathering evidence for possible grievance or disciplinary hearings
5.1.13 Making decisions about your continued employment or engagement
5.1.14 Making arrangements for the termination of our working relationship
5.1.15 Education, training and development requirements
5.1.16 Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
5.1.17 Ascertaining your fitness to work
5.1.18 Managing sickness absence
5.1.19 Complying with health and safety obligations
5.1.20 To prevent fraud
5.1.21 To monitor your use of our information and communication systems to ensure compliance with our IT policies
5.1.22 To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
5.1.23 To conduct data analytics studies to review and better understand employee retention and attrition rates
5.1.24 Equal opportunities monitoring
5.2 Each type of processing listed above is based on our legitimate interest and the performance of our contract with you. These grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
5.3 If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
6. Sensitive Data
6.1 Under the GDPR certain "special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
6.1.1 In limited circumstances, with your explicit written consent.
6.1.2 Where we need to carry out our legal obligations and in line with our data protection policy.
6.1.3 Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to a pension scheme, and in line with our data protection policy.
6.1.4 Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
6.1.5 We may collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.
6.2 Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
6.3 We will use your particularly sensitive personal information in the following ways:
6.3.1 We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
6.3.2 We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
6.3.3 We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your gender identification or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
6.4 We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.
6.5 In some circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data (for instance for diversity monitoring purposes). If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
7. Sharing your information
7.1 We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
7.2 We may share your information with certain suppliers or other group companies who are assisting us with human resources, the management of employee benefits or payroll services. We may also share your information with other group companies for general management purposes.
7.3 All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
7.4 We may also share your information:
7.4.1 if we are under a duty to disclose or share your personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);
7.4.2 we may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation, but we will take steps with the aim of ensuring that your privacy rights continue to be protected;
7.4.3 to protect our rights, property and safety, or the rights, property and safety of our users or any other third parties.
7.5 Other than as set out above, we will not disclose any of your personal information unless you give us permission to do so. If we do supply your personal information to a third party we will take steps to ensure that your privacy rights are protected and that third party complies with the terms of this notice.
8.1 We will take all reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and protect against unlawful access and accidental loss or damage. These measures may include (as necessary):
8.1.1 protecting our servers by both hardware and software firewalls;
8.1.2 locating our data processing storage facilities in secure locations;
8.1.3 encrypting all data stored on our server with an industry standard encryption method that encrypts the data between your computer and our server so that in the event of your network being insecure no data is passed in a format that could easily be deciphered;
8.1.4 when necessary, disposing of or deleting your data securely;
8.1.5 regularly backing up and encrypting all data we hold.
8.2 We will ensure that our staff are aware of their privacy and data security obligations. We will take reasonable steps to ensure that the employees of third parties working on our behalf are aware of their privacy and data security obligations.
8.3 This notice and our procedures for handling personal data will be reviewed as necessary.
9. Data Retention
9.1 Our current data retention policy is to delete or destroy (to the extent we are able to) the personal data we hold about you in accordance with the following:
Category of personal data | Length of retention
Health and safety records (e.g. an accident book) being held at our premises | 10 years from the date on which the relevant information was collected.
Records relevant for tax purposes including records of pay and benefits | 8 years from the end of the financial year to which the records relate.
Applicant records (where no employment or engagement has resulted) | 2 years from the date of your interview with us
Records relating to human resources | 7 years from the end of your employment with us
Records relating to pensions | 7 years from the end of your employment with us in the case of personal pension records; 80 years from the end of your employment with us in the case of occupational pension records
9.2 For any category of personal data not specifically defined in this Notice, and unless otherwise specified by applicable law, the required retention period for any personal data will be deemed to be 7 years from the date of receipt by us of that data.
9.3 The retention periods stated in this Notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).
9.4 We review the personal data (and the categories of personal data) we are holding on a regular basis to ensure the data we are holding is still relevant to our business and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take reasonable steps to correct or delete this data as may be required.
9.5 If you wish to request that data we hold about you is amended or deleted, please refer to clause 10 below, which explains your privacy rights.
10. Your privacy rights
10.1 The GDPR gives you the following rights in respect of personal data we hold about you:
The right to be informed
You have a right to know about our personal data protection and data processing activities, details of which are contained in this notice.
The right of access
You can make what is known as a Subject Access Request (“SAR”) to request information about the personal data we hold about you (free of charge, save for reasonable expenses for repeat requests). If you wish to make a SAR please contact us as described below.
The right to correction
Please inform us if information we hold about you is incomplete or inaccurate in any way and we will update our records as soon as possible, but in any event within one month.
We will take reasonable steps to communicate the change to any third parties to whom we have passed the same information.
The right to erasure (the ‘right to be forgotten’)
You may ask us to delete or remove personal data if there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), if we may have processed your information unlawfully or if we are required to delete your personal data to comply with local law.
The data may continue to exist in backup form, but we will take steps to ensure that it will not be accessible.
We will communicate the erasure to any third parties to whom we have passed the same information.
We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
The right to restrict processing
You can request that we no longer process your personal data in certain ways, whilst not requiring us to delete the same data.
The right to data portability
You have the right to receive copies of personal data we hold about you in a commonly used and easily storable format (please let us know a format which suits you). You may also request that we transfer your personal data directly to a third party (where technically possible).
The right to object
Unless we have overriding legitimate grounds for such processing, you may object to us using your personal data if you feel your fundamental rights and freedoms are impacted. You may also object if we use your personal data for direct marketing purposes (including profiling) or for research or statistical purposes. Please notify your objection to us and we will gladly cease such processing, unless we have overriding legitimate grounds.
Rights with respect to automated decision-making and profiling
You have a right not to be subject to automated decision-making (including profiling) when those decisions have a legal (or similarly significant) effect on you. You are not entitled to this right when the automated processing is necessary for us to perform our obligations under a contract with you, it is permitted by law, or if you have given your explicit consent.
Right to withdraw consent
If we are relying on your consent as the basis on which we are processing your personal data, you have the right to withdraw your consent at any time. Even if you have not expressly given your consent to our processing, you also have the right to object (see above).
10.2 All SARs and other requests or notifications in respect of your above rights must be sent to us in writing to Marion van Vlierden, Harnham Search and Selection Limited, 3rd Floor, Melbury House, 51 Wimbledon Hill Road, Wimbledon, London, England, SW19 7QW, firstname.lastname@example.org.
10.3 We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).
11. Data Breaches
11.1 If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO) and/or our Legal and Compliance Manager.
11.2 If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.
12. Transferring your information outside Europe
12.1 We do not expect to transfer your personal data outside of the EEA. However, there may be circumstances in which we need to do so (for instance if our servers are based outside of the EEA or if your work is international in nature).
12.2 We may transfer your personal data to group companies who are outside of the EEA but if we do so we will ensure that the group companies have entered into a binding agreement with us to secure your rights in relation to the data.
12.3 If we transfer your information outside of the EEA, and the third country or international organisation in question has not been deemed by the EU Commission to have adequate data protection laws, we will provide appropriate safeguards and your privacy rights will continue to be enforceable against us as outlined in this notice.
13. Contact us
13.1 If at any time you would like to contact us with your views about our privacy practices, or with any enquiry or complaint relating to your personal information or how it is handled, you can do so via the following email address: Marion van Vlierden, email@example.com.
If we are unable to resolve any issues you may have or you would like to make a further complaint, you can contact the Information Commissioner’s Office by visiting http://www.ico.org.uk/ for further assistance.