3. DATA PROTECTION PRINCIPLES
3.1 Anyone processing personal data must comply with the principles of processing personal data. We set out these principles below along with our procedures for complying with such principles:
- Lawfulness, fairness and transparency – data must be processed lawfully, fairlyand in a transparent manner.
- Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy – data must be accurate and, where necessary, kept up to date.
- Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
4. WHAT INFORMATION WE COLLECT
4.1 We collect the personal data of our Employees, Workers and Contractors to operate our business and manage them, to monitor performance and to comply with our legal and regulatory obligations as employers.
4.2 We collect personal data from our candidates to assist with our recruitment processes and to monitor recruitment statistics.
4.3 We set out below a list of the categories of information we may collect from Employees, Workers, Contractors and candidates. We aim to make this list as comprehensive as possible but it is not exhaustive. The information that we collect includes, but is not limited to, the following:
- personal contact details such as name, title, home address, telephone number and email address;
- date of birth;
- marital status and dependents;
- next of kin and emergency contact information;
- copies of passport, driving licence and similar documents;
- education history, training and professional experience;
- current and past employment details;
- immigration status and work permits;
- languages spoken and level of proficiency;
- other information given in your CV;
- right to work documentation;
- performance records and appraisals;
- holiday records;
- appraisals and relevant disciplinary and grievance records;
- remuneration and payroll information, including National Insurance number or similar; and bank account details;
- exit questionnaire;
- pension and benefits information; and
- data from building access controls including images from CCTV operating in and around our offices.
4.4 We also collect data derived from our IT and communications monitoring in relation to our Employees, Workers and Contractors including:
- recording Employees, Workers and Contractors’ telephone lines;
- blocking emails to clients when there is a legitimate concern regarding information being sent;
- monitoring Employees, Workers and Contractors website browsing, use of the instant messaging service and employee access to electronic files and systems.
4.5 Further detailed information about IT and communications monitoring, and the purposes for such monitoring, can be found in our policies and procedures.
5. INFORMATION PROVIDED BY THIRD PARTIES
5.1 Some of the personal data we collect (as described in section 4), and additional information, may be provided to us by recruitment agencies with whom you have registered an interest. Such recruitment agencies support our recruitment processes under a duty of confidentiality.
5.2 During the recruitment process we may also research information regarding your skills, experience or qualifications and comments and opinions made public on social networking sites such as LinkedIn, Facebook and Twitter.
5.3 We also receive other information about you from organisations such as credit reference agencies, fraud prevention agencies and referees.
6. SPECIAL CATEGORIES OF (“SENSITIVE”) PERSONAL DATA
6.1 You may also supply us with, or we may receive, sensitive personal data relating to your racial or ethnic origin, genetic and biometric data, political opinions, religious or philosophical beliefs, trade union membership or data concerning your health or data concerning your sex life or sexual orientation.
6.2 We will use this information for the purposes of defending and bringing legal claims, either performing our contractual obligations or exercising obligations or rights which are imposed or conferred on us by law in connection with our obligations as an employer including:
- monitoring of equality of opportunity or treatment;
- considering whether adjustments may need to be made to accommodate Employees, Workers, Contractors or candidates with a disability;
- reporting and maintaining a record of any accidents at work.
6.3 In relation to Workers, Contractors and Employees, we may also collect sensitive personal data about your physical or mental health (including contained in sickness records) and information about your physical or mental health or condition in order to monitor sick leave and take decisions as to your working capacity and for occupational health purposes.
6.4 We may also collect genetic and biometric data to enable us to allow you to access our building(s) to enable you to undertake your specific duties under the contract of employment or contract for services.
6.5 We may also process data which has been made manifestly made public by you or with your explicit consent.
7. DATA RELATING TO CRIMINAL CONVICTIONS & OFFENCES
7.1 We also collect, store and otherwise process personal data relating to criminal convictions and offences (including the alleged commission of offences).
7.2 This data is only processed where it is necessary for the purposes of:
- the prevention or detection of an unlawful act; or
- in connection with any legal proceedings (including prospective legal proceedings); or
- obtaining legal advice; or
- establishing, exercising or defending legal rights.
8. WHAT WE DO WITH YOUR INFORMATION
8.1 The information about you which is obtained by us during the application process and during the course of your employment or contract for services (whether obtained directly from you or from third parties) may be used by us for the following purposes:
- to consider your suitability for employment or contractor services;
- to take up your references;
- to conduct appropriate checks;
- to negotiate and communicate with you in relation to your application;
- to manage and operate our business and our Workers and Employees and for administrative purposes (including inserting personal data about you in newsletters and updates sent across the Jonas business);
- to undertake business analysis activities;
- to monitor the performance of our Employees and Workers;
- to manage tax, pensions and National Insurance payments;
- to confer benefits in connection with your employment or contract for services;
- to comply with our legal and regulatory obligations and for other legal purposes.
8.2 Information we obtain from our IT and communications monitoring in relation to Employees, Workers and Contractors is used for compliance with our legal and regulatory obligations, for quality assurance and training purposes and for prevention or detection of any unlawful acts, and for establishing, exercising or defending legal rights.
8.3 Your information will not be used for other purposes without your permission, save as required by applicable law.
9. THE LEGAL BASIS FOR OUR PROCESSING
9.1 The legal basis for our processing of your personal data is based on the fact that you are an Employee, Worker, Contractor or a candidate and it is necessary for us to process your information as follows:
|Purposes for which we will process the information
| Legal Basis for the processing
|• to consider your application in line with our recruitment purposes;
|• It is in our legitimate interest to recruit Employees, Workers and
Contractors and to select the best candidates. We consider this to be
necessary for our legitimate interests and will not be prejudicial or
detrimental to you.
|• to carry out background and reference checks, where applicable;
|• It is in our legitimate interests to assess the suitability of candidates and
Employees, Workers and Contractors. We consider this to be proportionate and
will not be detrimental to you.
|• for administrative purposes in connection with your employment contract or contract for services;
|• It is necessary to comply with our legal obligations as an employer. In addition, it is
necessary to comply with our contractual obligations to our Workers and Contractors.
It is also in our legitimate interests and will not be prejudicial or detrimental to you.
|• to undertake business analysis activities;
|• It is in our legitimate interests to manage and monitor our human resources function.
We consider this to be necessary for our legitimate interests and will not be prejudicial or detrimental
|• to monitor Employees and Workers’ performance; and
|• It is in our legitimate interests to monitor our Employees and Workers and performance levels. We
consider this to be necessary for our legitimate interests and will not be prejudicial or detrimental to you.
|• to comply with our legal and regulatory obligations.
|• It is necessary to comply with our legal and statutory obligations as an employer and service provider.
9.2 If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our Employees, Contractors and Workers).
9.3 The legal basis for our processing of any special categories of (sensitive) personal data is based on the fact that you are an Employee, Worker or Contractor or a candidate and it is necessary for us to process such information to comply with our legal obligations, namely:
- for carrying out our obligations as an employer; and
- where relevant in relation to health data, for the assessment of the working capacity of Employees and Workers.
9.4 We also process special categories of (sensitive) personal data where necessary for the establishment, exercise or defence of legal claims.
10. SHARING YOUR INFORMATION WITH THIRD PARTIES
10.1 For the purposes set out in section 8 above, we share information concerning our Employees, Workers and Contractors with:
- other authorised Employees;
- our professional advisors (including lawyers, accountants and auditors);
- where appropriate to do so, other companies in the Jonas group (“Group”);
- third party hosting services as part of our business continuity plan;
- our payroll provider, and reference checking agency;
- child care voucher provider.
- Our medical health insurer and broker;
- Our Group life cover and broker;
- Our travel insurer and broker;
- Our income protection provider and broker;
- Our company credit card providers;
- Our pensions provider and pensions broker;
- If you have opted for voluntary gym membership, your personal data may be transferred to the gym;
- Our cycle to work scheme provider.
You have been notified of the identity of the relevant benefit providers and any changes or additions will be communicated to you by email or other appropriate method.
10.3 For the purposes set out in section 8 above, we may share information concerning candidates with other authorised Employees.
10.4 We will also disclose personal information concerning Employees, Workers and Contractors and candidates to other third parties where there is a legitimate reason to do so including for the following reasons:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;
- if all or substantially all of our assets are acquired by a third party, in which case personal information held by it about its employees will be one of the transferred assets.
10.5 We will also disclose your personal information to the extent we are under a duty to disclose or share your personal information in order to comply with any legal obligation.
10.6 We will also disclose your personal information to third parties who have made a request for a reference either during or following the end of your contract for services or contract of services. As it is not reasonable for us to contact you to ask for consent on every occasion that we receive a reference request please let us know if you object to our processing your data for the purposes of providing a reference.
11. INFORMATION ABOUT DATA SUBJECTS CONNECTED TO EMPLOYEES AND WORKERS
11.1 In connection with the administration of your medical health insurance, child care voucher scheme, pension scheme and group life cover we may collect your family members’ (such as a parent, grandparent, great-grandparent, child or sibling) personal data and data concerning the health of your family members. We may also collect family members’ personal data for administrative purposes in connection with the operation of your employment contract or contract for services using “next of kin” forms.
11.2 As it is not reasonable for us to contact and obtain consent from such family members to the processing of their data, please let us know if any such family member objects to us processing their data for the purposes of sharing it with the relevant insurer or third party or us. In the case of children under the age of 13, consent should be given by someone with parental responsibility for them. You are requested to ensure that you notify human resources of any changes to such information without undue delay.
12. ACCURACY OF DATA
12.1 We will take reasonable steps to try to ensure that your information is kept accurate and up-to-date. However, all Employees, Workers, Contractors and candidates are requested to ensure that human resources are notified of any changes to their personal information without undue delay.
12.2 Where you have notified human resources or we otherwise become aware of an inaccuracy in your personal information, we will take every reasonable step to ensure that the information is either erased or rectified without delay.
13. POLICIES AND PROCEDURES
13.1 We implement a number of additional policies in relation to data privacy and data security. You are referred in particular to the Group Data Protection Policy which sets out your rights and obligations in relation to data protection.
13.2 Please familiarise yourselves with these additional policies. If you have any questions about such policies and procedures you should speak to your line manager. These policies may be updated from time to time. Any new or updated policies or manual will be communicated to you by email or any other appropriate method.
14. YOUR RIGHTS
14.1 You have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you (“subject access request”);
- to require us not to send you marketing communications (if applicable);
- to require us to erase your personal data (the “right to be forgotten”);
- to require us to restrict our data processing activities;
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller (“data portability”); and
- to require us to correct the personal data we hold about you if it is incorrect, or to complete any data which is incomplete including by means of providing a supplementary statement (the “right to rectification”).
14.2 You also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interests. In such event we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests or for the establishment, exercise or defence of legal claims.
14.3 If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing for such marketing.
14.4 Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.
15. EXERCISING YOUR RIGHTS
15.1 You can exercise any of your rights as described in this notice and under data protection laws by contacting your line manager or human resources.
15.2 Save as provided under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee (subject to any limits imposed by applicable law) taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
15.3 Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.
16. DATA SECURITY
16.1 We store your personal data in hard copy and electronic format. We use appropriate technical and organisational safeguards to protect personal data both online and offline from unauthorised use, loss or destruction. We use physical and procedural security measures to protect information from the point of collection to the point of destruction. This includes encryption, pseudonymisation, firewalls, access controls, policies and other procedures to protect information from unauthorised access.
16.2 Only authorised personnel and third party service providers are permitted access to personal data, and that access is limited by need. We will only transfer personal data to a third party if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
16.3 Despite these precautions, however, Jonas cannot guarantee the security of information transmitted over the Internet or that unauthorised persons will not obtain access to personal data. In the event of a data breach, Jonas have put in place procedures to deal with any suspected breach and will notify you and any applicable regulator of a breach where required to do so.
17. INTERNATIONAL TRANSFERS
17.1 As part of an international Group, it is necessary to transfer and store your personal data to locations outside of the European Economic Area (“EEA”) as follows:
- with our Group companies in Canada, Australia, the United States of America, New Zealand and Malaysia ; and
- where we engage third party service providers whose operations are located outside of the EEA in Canada, Australia and the United States of America.
17.2 Where personal data is transferred to and stored in a country not determined by the European Commission as providing adequate levels of protection for personal data, we take steps to provide appropriate safeguards to protect your personal data, including:
- by ensuring that the country to which data is transferred has an adequate level of protection (Canada);
- by ensuring that the third party service provider has provided adequate safeguards by way of standard contractual clauses approved by the European Commission, obliging recipients to protect your personal data;
- under the EU-U.S. Privacy Shield Framework (where we transfer personal data to the U.S.), which enables U.S. business to self-certify as a means of complying with EU data protection laws.
17.3 If you want further information on the specific mechanism used by us when transferring your personal data out of the EEA, please contact us using the details set out above.
18. HOW LONG WE KEEP YOUR INFORMATION
18.1 We will retain the information we collect about Workers, Employees and Contractors in your personnel file for the course of your employment or contract for services. Following the end of employment or contract for services we will retain your personnel file for as long as necessary and permitted for legal, regulatory, fraud and other financial crime prevention and legitimate business purposes. After this period, your personal data will be destroyed.
18.2 For candidates, if your application is successful and you subsequently become employed by us, the information will become part of your personnel file in accordance with section 18.1.
18.3 Personal data about unsuccessful candidates will be held for up to 12 months after the recruitment exercise has been completed. It will then be destroyed or deleted. We may retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
19. AUTOMATED DECISIONS
19.1 We do not use automated decision making to make decisions about our candidates, Workers, Employees or Contractors.
20. HR SOFTWARE AND COMMUNICATION SYSTEMS
20.1 We use HR Software and reporting systems (including Workday) to manage employee data and as a method of communication with Employees, Workers and Contractors working for some of the Jonas businesses.
21.1 If you have concerns about our use of your personal data, please send an email with the details of your complaint to your local HR Advisor at UKHRSupport@jonassoftware.co.uk.
21.2 You also have the right to complain to the Information Commissioner’s Office (https://ico.org.uk/).
22. UPDATES TO THIS PRIVACY NOTICE
22.1 This notice will be reviewed and, if appropriate, updated from time to time. We will communicate any updates by email or any other appropriate method.
22.2 This privacy notice was last reviewed and updated on 22nd May 2018.