Ethical Workforce is committed to working in accordance with the General Data Protection Regulation and with the highest standards of ethical conduct.
This policy outlines the rules, behaviours and standards required of Ethical Workforce, its employees, workers, clients and third parties working on behalf of Ethical Workforce in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data. All workers will be responsible for data protection and must abide by the rules and policies of Ethical Workforce.
Personal Data and Sensitive Personal Data
There are two types of personal data that fall under the GDPR and for which Ethical Workforce, its employees, workers and third parties are responsible for. These are:
- Personal Data: This is defined as any information relating to an identified or identifiable natural person. Identification can be by means of “an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” This will include IP addresses and cookie strings.
- Sensitive Personal Data: Sensitive personal data includes data relating to genetic and biometric data, as well as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or a person’s sex life, sexual orientation or criminal offences.
Data Protection Principles
Ethical Workforce is committed to adhering to the Data Protection Principles, which state:
- Data must be processed lawfully, fairly and in a transparent manner.
- Data must be obtained for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
- Data processed must be adequate, relevant and limited to what is necessary.
- Data must be accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure data that are inaccurate, are erased or rectified without delay.
- Data must not be kept for longer than is necessary for the purposes for which the data are processed.
- Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
Information is kept and processed about individuals for legal purposes (such as for payroll), for administration purposes and for the purposes of day-to-day people-management. Ethical Workforce is aware that in order to process personal data, or sensitive personal data, Ethical Workforce must rely on the data being:
- necessary for the performance of a contract, or;
- in preparation for a contract, or;
- to comply with our legal obligations, or;
- for our legitimate business interests or;
- to perform a task carried out in the public interest or in the exercise of an official authority.
If Ethical Workforce wishes to hold and process data which does not fall within conditions listed above, then it will seek to obtain the consent of the individual.
If it is necessary to obtain consent, then Ethical Workforce will write to the individual to ask for consent, ensuring that the consent is:
- Freely given, specific, informed and unambiguous.
- Separate from other terms.
- Clear and in plain language.
- As easy to give as to withdraw.
- ‘Explicit’ for sensitive data.
- Given in a way that can be evidenced.
- Unless consent to processing data is critical to the performance of a contract, the performance of a contract will not be made conditional on the basis that consent is given.
Ethical Workforce collects and processes the following personal data:
- Personal contact details such as name, title, addresses, telephone numbers, personal email addresses, date of birth, gender, marital status and dependents.
- Next of kin and emergency contact information.
- National Insurance number.
- Bank account details, payroll records and tax status information.
- Salary, annual leave, pension and benefits information.
- Start date.
- Copy of driving license.
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter, or as part of the application process).
- Employment records (including terms and conditions of employment, work history, working hours, training records and professional memberships).
- Compensation history.
- Performance information, including appraisals and performance improvement plans.
- Details of any disciplinary and grievance proceedings you have been involved in.
- Details of any leave you have taken, including holidays; sickness; family and parental leave.
- CCTV footage.
- Information obtained through electronic means, such as swipe card records and biometric means of identification.
- Information about your use of our information and communications systems.
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
- Trade union membership.
- Information about your health, including any medical condition, health and sickness records and details of any disability for which we may need to make reasonable adjustments.
- Genetic information and biometric data.
- Information about criminal convictions and offences.
Our purposes for processing your data
- Deciding about your recruitment or appointment.
- Determining the terms on which you work for us.
- Checking you are legally entitled to work in the UK.
- Paying you and, if you are an employee, deducting tax and National Insurance contributions.
- Liaising with your pension provider.
- Administering the contract, we have entered into with you.
- Business management and planning, including accounting and auditing
- Conducting performance reviews, managing performance and determining performance requirements.
- Making decisions about salary reviews and compensation.
- Assessing qualifications for a particular job or task, including decisions about promotions.
- Gathering evidence for possible grievance or disciplinary hearings.
- Making decisions about your continued employment or engagement.
- Making arrangement for the termination of our working relationship.
- Education, training and development requirements.
- Dealing with possible legal disputes involving you, or other employees, workers and contractors, including accidents at work.
- Ascertaining your fitness to work.
- Managing sickness absence.
- Complying with health and safety obligations.
- To prevent fraud.
- To monitor your use of our information and communication systems to ensure compliance with our IT policies.
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
- To conduct data analytics studies to review and better understand employee retention and attrition rates.
- Equal opportunities monitoring.
- Some of the above grounds for processing will overlap, and there may be several grounds which justify our use of your personal information.
Rights of Data Subjects
Ethical Workforce will recognise that individuals have the following rights under data protection legislation:
- the right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used;
- the right of access;
- the right to rectification of data that is inaccurate or incomplete;
- the right to be forgotten under certain circumstances;
- the right to block or suppress processing of personal data; and
- the new right to data portability, which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.
Right of Access
Individuals have the right to access the information stored about them. Employees can ask for access to their own personal details held electronically or held manually. Employees who wish to see their records, should give notice electronically, in writing, using the Subject Access Request Form, which can be given to you by your manager. Ethical Workforce has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.
In complex cases, or where there are numerous related requests, Ethical Workforce will liaise with the individual to inform them of progress of their request(s), and if it is not possible to complete this within 1-month, Ethical Workforce will inform the individual of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data is retained with third parties, Ethical Workforce will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless impossible, or if it would require disproportionate effort.
Ethical Workforce reserves the right to charge a fee, or to refuse to respond to a request if it is manifestly unfounded or excessive. Similarly, Ethical Workforce reserves the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others.
Rectification of Data
Ethical Workforce is committed to keeping data that is accurate and up-to-date. Data will be checked for accuracy, where possible, and any data that is inaccurate, out-of-date or unnecessary, will be corrected or erased as appropriate.
Where an individual identifies that their personal data is incorrect or incomplete, or where they are aware that their personal data has changed, they must inform Ethical Workforce as soon as possible. Ethical Workforce will then take steps to rectify any inaccuracies as soon as possible, and at the latest within 1 month.
In complex cases, or where there are numerous cases, Ethical Workforce will liaise with the individual to inform them of progress of their request, and if it is not possible to complete this within 1-month, Ethical Workforce will inform the individual of the delay and the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data has been disclosed to third parties, Ethical Workforce will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible, or if it would involve disproportionate effort.
The Right to be Forgotten
Also known as ‘the right to erasure’, the right to be forgotten does not provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in some circumstances, i.e.
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing, and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed.
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
If you wish to ask for your own personal data to be partially/fully erased and no longer processed, please contact us at firstname.lastname@example.org with full details of your request. Ethical Workforce has up to 1 month to respond to you, and either delete the data, or explain why it is unable to comply with your request. Circumstances where Ethical Workforce may be unable to comply, include where it is required to retain the information by law, or if the data is needed in connection with legal proceedings.
In complex cases, or where there are numerous related requests, Ethical Workforce will liaise with you to inform you of progress of the request, and if it is not possible to respond to this within 1-month, Ethical Workforce will inform you of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months, if necessary.
In the event that data is retained with third parties, Ethical Workforce will ensure that the request is communicated and, if appropriate, actioned by the third party in line with the timescales outlined above.
Security of Data
Ethical Workforce is committed to taking steps to ensure that personal data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.
Any data breaches will be managed according to the procedures documented in our Data Protection Breach Reporting Policy and Procedure.
Ethical Workforce is committed to ensuring that subject data is kept for no longer than necessary, and only kept as long as it is relevant and necessary for legitimate purposes. As soon as data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, unless it is necessary to keep the data for some other legitimate reason.
Ethical Workforce does not intentionally keep data longer than necessary, and when data is no longer required, Ethical Workforce is committed to securely deleting it as soon as possible.
All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, where possible, the member of staff should complete a Data Protection Breach Reporting Form (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to email@example.com or to your manager, as soon as possible, and within 24 hours of the discovery of the breach. If you need help completing the form, or are unable to complete the form, then any delay should be avoided, and instead the matter should be reported immediately, either verbally or using electronic means, such as email.
Transferring Personal Data to a Country Outside the EEA
Ethical Workforce does not transfer your personal data outside the European Economic Area (EEA) if you yourself are based within the EEA.
If you are based outside of the EEA, in order for Ethical Workforce to provide its services, it shall be obliged to send your personal data outside of the EEA, in order to reach you.
Whenever Ethical Workforce transfers your personal data out of the EEA, in accordance with the above limited exception, Ethical Workforce shall act strictly in accordance with the instructions of the Data Controller, where applicable.
On occasion, you may wish to allow your data to be transferred to another organisation, either by you receiving the data and transferring it, or by the data being transferred directly.
This right to data portability only applies to data that you have provided to Ethical Workforce, where the data processing is based either on your consent or the performance of the contract, and where the processing is carried out by automated means, and it will only be transferred where it is technically feasible to do so.
If you wish to make a request for your data to be transferred, you must contact us at firstname.lastname@example.org and we will respond to you within 1 month. If the requests are numerous or complex, we reserve the right to extend this timescale by a further 2 months. If we are unable to complete your request, we will write to you to inform you why, along with your right to complain to the Information Commissioner’s Office (ICO).
Objections to Personal Data Processing
You have the right to object to data processing where Ethical Workforce is:
- processing information based on its legitimate business interests, or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing;
- processing for the purposes of scientific/historical research and statistics.
If you wish to object to processing, you should contact us at email@example.com outlining the grounds relating to your particular situation, and we will stop the processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is in relation to legal claims. If we are unable to agree to your request, we will write to inform you why, along with your right to complain to the ICO.
Organisational Data Protection Measures
Ethical Workforce is committed to ensuring the security of your data and to processing it in line with the Data Protection rules. As such, Ethical Workforce will:
- Ensure that all staff are aware of their responsibilities and Ethical Workforce’s obligations and responsibilities in relation to data protection.
- Ensure that all staff and individuals/organisations who handle data on behalf of Ethical Workforce are appropriately trained and receive refresher training on a regular basis.
- Ensure that all staff and individuals/organisations who handle data on behalf of Ethical Workforce are regularly monitored, assessed and reviewed.
- Ensure that all organisations who handle data on behalf of Ethical Workforce are carrying out data processing in line with the Data Protection rules.
- Regularly review Ethical Workforce’s methods of data collection, handling, processing and storage.
- You could choose to add in far more detail covering the detail in data protection e.g. passwords, storage, encryption, locking screens etc – or you could choose to detail that separately, e.g. in training/code of practice etc.
Privacy Impact Assessments
As part of Ethical Workforce ongoing commitment to ensuring maximum protection for personal data, Ethical Workforce will undertake Privacy Impact Assessments, where appropriate. Privacy Impact Assessments will help Ethical Workforce consider the processing that is being undertaken, the risk to data subjects and, most importantly, the measures that need to be taken to minimise the risks and will be reviewed on a 3-yearly cycle, unless it is deemed that a more frequent review is necessary.
Data Protection Officer
Ethical Workforce has appointed a Data Protection Officer, who will support the organisation to manage Data Protection, and will work with the Executive Board in this respect. Any queries or concerns can be addressed directly to the Data Protection Officer at firstname.lastname@example.org
Ethical Workforce is committed to monitoring this policy and will update it as appropriate, on an annual basis.