1. Who we are and how you can contact us
“Health Shield” (referred to in this policy as “we”, “us”, “our”) is:
Health Shield Friendly Society
Electra Way
Crewe Business Park
Crewe
CW1 6HS
PRA Reference Number:205304
ICO Registration Number:Z5477523
2. Our Data Protection Team:
We have appointed a Data Protection Officer (DPO), who can be contacted in the following ways should you have any questions or feedback about the way your data is handled:
Email: dpo@healthshield.co.uk
Mail: Data Protection Officer
Health Shield Friendly Society
Electra Way
Crewe Business Park
Crewe
CW1 6HS
3. Where we collect your personal data:
We collect your personal data in the following ways:
- When you apply for a vacancy either internally or externally;
- When you attend or participate in an interview either in person, on the phone or by video conference.
- When you speak to us on the phone or at our offices;
- When you or other staff members send emails (internally or externally) or letters to us;
- When we collect data through the implementation of any HR Policies e.g. Disciplinary;
- In the course of managing your employment, for example, obtaining relevant references, administering payroll and employee training;
- When we receive your Personal Data from third parties, for example security screening and recruitment agencies;
- Access point fobs controlled by Health Shield; and
- Performance and usage of Health Shield IT systems, (in line with our acceptable usage policy)
4. The Personal Data we collect about you:
We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity data – name, title, date of birth.
- Contact data – location, full address, postcode, email address and telephone numbers.
- Next of Kin data – name, telephone number and relationship information.
- Payment data – bank account number, bank sort code.
- Verification data – right to work documentation and other security screening information.
- Education and work history data - details of your qualifications, skills, experience, employment history and references received.
- Performance & usage data - assessments of your performance, appraisals, performance reviews and ratings, training you have participated in, performance improvement plans, details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence. We also collect usage and performance data in relation to Health Shield IT systems.
- Image & location data – images captured by the CCTV and access point fobs data, both controlled by Health Shield.
- Pension data – details and transactions in relation to your pension contributions.
- Payroll data – national insurance number, salary, pension, student loan, benefits, other contributions and tax codes.
5. How we use your personal data
We are only allowed to use personal data about you if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below: the personal data which we collect from you, how we use it, and the legal ground on which we rely when we use the personal data.
In some circumstances we can use your personal data if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a business or commercial reason to use your information which, when balanced against your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the table below.
| What we use your personal data for |
What personal data we collect |
Our legal grounds for processing |
Our legitimate interests (if applicable) |
|
To enter into an employment contract with you and manage and maintain our obligations under that contract |
|
|
To ensure that the employee (prospective or contracted) has the right attributes and experience to hold their respective role. |
|
Ensure you are legally eligible to work in the UK. |
|
|
|
|
Verification your identity as part of pre-employment checks. |
|
|
To verify the identity of the employee. |
|
Provide you with access to training and development. |
|
|
To ensure that staff are trained to the appropriate levels. |
|
Ensure we can get in touch with you if we need to regarding work or employment related matters. |
|
|
|
|
CCTV recordings |
|
|
To ensure your health, safety and security whilst working for us. |
|
Access point fobs |
|
|
To ensure your health, safety and security whilst working for us. To ensure staff are performing in line with their contract of employment. |
|
Monitoring performance at work |
|
|
To ensure staff are performing in line with their contract of employment. |
6. Who we share your personal data with
In order to manage your employment and meet our legal obligations, we only share your data, in the following circumstances:
- To manage and maintain the accuracy of your records;
- To verify your identity;
- To handle Employee/Employer related disputes that may arise;
- To handle complaints;
- To prevent and detect fraud and other crime;
- To meet legal obligations, for example, responding to a valid data subject request, for the purposes of national security, taxation, pensions criminal investigations, and statutory audits;
- For assessment and analysis purposes to help improve the operation of, and manage the performance of, our business;
- To provide references to prospective employers for current and ex-employees and
- For any other purpose for which you give us your consent to use your Personal Data;
We’ll never make your personal data available to anyone outside Health Shield for them to use for their own marketing purposes without your prior consent.
7. Transferring your personal data outside the EEA
The EEA is the European Economic Area, which consists of the EU Members States, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA we have to tell you.
We do not transfer your data outside of the EEA.
8. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We are ISO 27001 certified and in addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including the ICO) of a breach where we are legally required to do so.
9. How long do we keep your personal data?
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:
- Any statutory or legal obligations;
- The requirements of the business;
- The purposes for which we originally collected the personal data;
- The lawful grounds on which we based our processing;
- The types of personal data we have collected;
- The amount and categories of your personal data; and
- Whether the purpose of the processing could reasonably be fulfilled by other means.
After such time, we will securely delete or destroy your personal data.
10. Your rights
You have certain rights which are set out in the law relating to your personal data. The most important rights are set out below.
Getting a copy of the information we hold
You can ask us for a copy of the personal data which we hold about you, by contacting to the Data Protection Officer (in Section 2). This is known as a data subject access request. You will not have to pay a fee to access your personal data, unless we believe that your request is clearly unfounded, repetitive or excessive. In such circumstances we can charge a reasonable fee or refuse to comply with your request. We will respond to all legitimate requests within one month.
Telling us if information we hold is incorrect
You have the right to question any information we hold about you that you think is wrong or incomplete. Please contact the Data Protection Officer if you want to do this and we will take reasonable steps to check its accuracy and, if necessary, correct it.
Telling us if you want us to stop using your personal data
You have the right to:
- Object to our use of your personal data (known as the right to object); or
- Ask us to delete the personal data (known as the right to erasure); or
- Request the restriction of processing.
There may be legal reasons why we need to keep or use your data, which we will tell you if you exercise one of the above rights.
Request a transfer of data
You may ask us to transfer your personal data to a third party. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
11. Not Happy?
Please let us know if you are unhappy with how we have used your personal data by contacting the Data Protection Officer (details can be found in section 2).
You also have a right to complain to the Information Commissioner’s Office. You can find their contact details at www.ico.org.uk. We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.