Personal Data Processing

GDPR Record of Personal Data Processing

Processing RefN/ADate of Review22.05.2018
Nature of ActivityHuman Resources
FunctionHuman Resources
Description of functions carried out

Managing and supporting Human Resource activities for

  1. Current and former workers (including Employees, Agency / Office Holders, Consultants, work experience and volunteers)
  2. Pensioners;
  3. Applicants (current and unsuccessful);
  4. Individuals attending training courses organised by the Company Safeguarding.

Data Controller / Data Processor Details

Data ControllerThe Company
Details of any Joint Data ControllersN/A
Details of any contracts in placeN/A
Details of any Data ProcessorsPension provider, HMRC.
Details of any Data Processor AgreementsAgreement in place with pension provider.

Processing Purpose Details

Description of the purpose (reason) for processing personal data

Administration and maintenance of employee records and the activities required for the support and management of our current and former workers, applicants and Elected members, including:

  1. Recruitment, Selection & Termination,
  2. Police Vetting,
  3. Pay, Allowances, Pensions, Deductions, and Benefits,
  4. Working Arrangements and Leave,
  5. Managing Performance and Conduct,
  6. Managing Attendance and Employee Support,
  7. Managing Change, and
  8. Supervisions and Training.

Administration and maintenance of employee records and the activities required for the support and management of them for our commercial clients, including:

  1. Recruitment, Selection, and Termination,
  2. Police Vetting
  3. Pay, Allowances, Pensions, Deductions, and Benefits,
  4. Working Arrangements and Leave,
  5. Managing Performance and Conduct,
  6. Managing Attendance and Employee Support,
  7. Managing Change,
  8. Supervisions and Training.
Basis for the processing of the personal data

Processing basis 1: Processing is necessary in order to meet our duties as an employer (Article 6 1 c compliance with a legal obligation and Article 9 2 b carrying out obligations and exercising specific rights in relation to employment). The main employment law statutes are:-Equal Pay Act 1970; Health & Safety at Work etc. Act 1974; Rehabilitation of Offenders Act 1974; Trade Union and Labour Relations (Consolidation) Act 1992; Employment Tribunals Act 1996; Employment Rights Act 1996; Public Interest Disclosure Act 1998; National Minimum Wage Act 1998; Employment Relations Act 1999; Employment Act 2002; Employment Relations Act 2004; Disability Discrimination Act 2005; Immigration, Asylum and Nationality Act 2006; and Equalities Act 2010

Payroll information is processed in accordance with HM Revenue and Customs regulations and standards.

In addition, there is a substantial amount of secondary legislation in the form of regulations which contain further provisions and may be supported by Codes of Practice.

Processing basis 2: Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 1 b re contract of employment or for the provision of a service to commercial client.)

Processing basis 3: Processing necessary for compliance with a legal obligation.

Processing basis 4: Processing is necessary for a legitimate interest of the company.

Processing basis 5: Necessary to protect the vital interests of the data subject.

Link to privacy noticeand/or

Link to awareness raising materials

Prospective workers are informed about the processing of their personal data through information included in the recruitment form and process.Workers are informed about the processing of their personal data through information included in the contract of employment / letter of engagement / letter leaving and at the point of collection when appropriate through internal policies.Privacy Notices are in place for the processing of the personal data of workers when this is done as part of a commercial contract.

For the provision of training to individuals not employed by the Company at point of registration it is explained to the individual what personal data is required from them for the purpose of providing the training and levying the appropriate charge.

Details of any Privacy Impact Assessments carried outN/A
Does the processing involve automated decision making, including profilingYes. Automated decision making takes place with regards to Vehicle tracking and employees timesheets.
Is personal data used for direct marketing purposesNo

Details of Personal Data Processing

Categories of data subjects
  1. Current and former workers including Employees, Agency / Supply Workers, Office Holders, Consultants, Interims, Interns, work experience and volunteers;
  2. Pensioners;
  3. Applicants (current and unsuccessful);
  4. Employee’s next of kin;
  5. Individuals requiring Vetting checks;
  6. Individuals attending training courses organised by the Company;
  7. Employment and Personal Referees.
Categories of personal data being processed
  1. Personal details;
  2. Employment details;
  3. Business activities;
  4. Financial details;
  5. Education and training details;

We also process special categories of personal data:

  1. Physical or mental health;
  2. Offences and alleged offences;
  3. Gender;
  4. Trade Union Membership for individuals who have requested deductions from payroll or for recording Trade Union Facility Time.
Source of the personal dataPersonal data will be received from a wide range of sources to support recruitment, ongoing employment, training, leavers and pension activities including the data subject, their representative, next of kin or other family member, other workers, referees, educators and examining bodies, health professionals, partner agencies, Pension Schemes, Police Vetting, Courts and law enforcement bodies, HM Revenue and Customs.
How is the personal data collected?Through established activities linked to the recruitment, employment, training, termination and pension rights of the data subject or commercial contracts.
When is the personal data collected?Through established activities linked to the recruitment, employment, training, termination and pension rights of the data subject or commercial contracts.
Estimate of the number of records heldFewer than 50.
Retention period(s) in place for the personal dataSee Human Resources Retention Schedule which is based on national guidance and business need.

Recipients of Personal Data (in the UK)

Categories of the recipients of the personal data
  1. Data Subject;
  2. Past and prospective workers;
  3. HM Revenue and Customs;
  4. Pension Schemes;
  5. Financial organisations;
  6. Educators and Examining bodies;
  7. Professional Bodies;
  8. the Disclosure and Barring Service;
  9. Police Vetting service;
  10. Law enforcement agencies and bodies;
  11. Courts and Tribunals;
  12. Legal representatives;
  13. Ombudsman and Regulatory bodies;
  14. Partner organisations;
  15. Service providers;
  16. Debt collection and tracing agencies;
  17. Trade Unions;
  18. Licensing authorities;
  19. At the explicit request of the data subject:

At the explicit request of the data subject:

  1. Credit Reference Agencies;
  2. Mortgage Providers, Housing Associations and landlords.

To support TUPE arrangements the minimum necessary personal data and special categories of personal data will be passed to the new employer transferee.

Safeguards in place for the transfer of the personal dataAny disclosure or transfer of personal data / special categories of personal data will be in full compliance with the General Data Protection Regulation and established Company processes.
Details of any Information Sharing Agreements in placeNot Applicable

Recipients of Personal Data (outside of the UK)

Categories of the recipients of the personal dataNot Applicable
Details of any transfers of personal data outside of the UK – to a third country or to an international organisationNot Applicable
Safeguards in place for the transfer of the personal dataNot Applicable
Details of any Information Sharing Agreements in placeNot Applicable

Processing Measures in Place

Technical and organisational measures in place for data security and protectionSecure IT – AVG Internet anti-virus software.
Format information is held inElectronic and paper files.
Systems data is held onTheCompany processes personal data using automated means. This includes electronic drives, Sage payroll, Sage Accounts, HMRC Online, Pensions, Email, DVLA Licencing, Worktops Database,

Any Additional Information

None