PRIVACY NOTICE FOR EMPLOYEES, BANK/CASUAL WORKERS AND VOLUNTEERS
YMCA Thames Gateway (YMCATG) collects and processes your personal information in accordance with this privacy notice and in compliance with the relevant data protection Regulation and law to manage the employment relationship. YMCATG is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. This notice provides you with the necessary information regarding your rights and obligations, and explains how, why and when we collect and process your personal data.
What is YMCATG‘s role regarding data?
YMCATG are registered on the Information Commissioner’s Office Register of Data Controllers under registration number Z5593674, and act as the data controller and a data processor. YMCATG’s registered office is at 29 Rush Green Road, Romford Essex RM7 0PH and we are a company registered in England and Wales under company number 06102037.
Our designated Data Protection Appointed Person for the organisation is our Director of Quality & Compliance and can be contacted at:-
- Address: 29 Rush Green Road, Romford, Essex RM7 0PH
- Tel: 01708 770435
- Email: email@example.com
YMCATG processes your personal information for its legitimate interests and to meet our legal, statutory and contractual obligations which includes managing the employment contract, bank/casual agreement or voluntary relationship we have with you. In some circumstances you may also provide consent to us to allow us to process your data. We will never collect any unnecessary personal data from you and do not process your information in any way, other than specified in this notice.
What Information Do We Collect From You and Why?
Our lawful basis for processing your data is to fulfil contractual obligations, for statutory purposes or for our legitimate interests to provide our services. As an employee YMCATG needs to collect and process information about you for employment purposes and to manage the contractual relationship. As a bank/casual worker or volunteer the information YMCATG needs to collect and process is also to manage the relationship and for our legitimate interests in providing our services. Information is collected and processed effectively, lawfully and appropriately during recruitment, whilst you are working or volunteering for us, and for a period when your employment, bank/casual services or volunteer activities end and you leave.
As an example we collect and process the following where necessary:-
- Personal information, such as full name, address, phone numbers, email address, date of birth, marital status, bank details, photograph, National Insurance number, passport, birth certificate, criminal convictions and offences.
- Special Category Information i.e. race, ethnic origin, religion, health and/or medical information, sexual orientation, disability to carry out equal opportunities monitoring, where we have your explicit consent or to meet our legal obligations.
- Images and CCTV footage collected in the course of normal business activity (please see our CCTV policy and notices for further information on CCTV). Where images are intended to be used on social media or public display we will make every effort to confirm your explicit consent.
- Information including application form and references; contract of employment or voluntary arrangements; correspondence with or about you; information needed for payments, benefits (such as life assurance scheme) and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; information needed for equal opportunities monitoring; and records relating to your career or voluntary history, such as training records, performance and, where appropriate, conduct and complaints records.
- You will be referred to in many Association documents and records that are produced by you and your colleagues in the course of carrying out your role. For more information you should refer to the Data Protection Policy which is available on the shared server or in paper format
- To enable us to carry out Disclosure and Barring Service or other regulatory checks as appropriate
- In addition and where necessary, we retain information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your role and whether any adjustments to your role might be appropriate. We will also need this data to administer and manage statutory and company sick pay if you are an employee.
Much of the information we hold will have been provided directly by you, but some may come from other internal sources, such as your manager, supervisor or in some cases, external sources, such as referees.
Who Might We Share Your Information With?
Your data will be shared with your managers, supervisors, colleagues and other volunteers within the Association only where it is necessary for them to undertake their roles. This includes, for example, your line manager or supervisor, the HR department for maintaining personnel and volunteer records, and the payroll or accounts department for administering any payments or expenses.
Where YMCATG engages third parties to process personal data on its behalf, they only do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. We do not share or process your data with bodies outside of the European Economic Area.
We do share your data with third parties in order to obtain references as part of the recruitment process.
We use Moorepay system to process payroll and record personal data, as well as using external consultants for advice on employment, contractual or voluntary service issues. More information can be found at: www.moorepay.co.uk/privacy-policy/ and rradar.com/privacy-policy
Rradar are used for management liability insurance purposes. Rradar’s advisory service is covered by AXA Management Liability (via Gallagher Insurance). We also share your data with Omni Life who administrates our life assurance scheme. More information can be found at: www.Omnilife.co.uk/privacy-policy/
Gallagher’s are used for insurance purposes including life assurance schemes. More information can be found at: www.ajginternational.com/privacy-policy/
We share your data with Walk the Walk Solutions (Trading as Bcarm) and Educare in order for you to be able to access the e-leaning system. More information can be found at www.bcarm.co.uk/website/ImageLibrary/WTWS%20Privacy%20Statement.doc.pdf and www.educare.co.uk/privacy and in order to produce staff identification badges we share data with CPS Ltd. http://www.cardps.com/privacy-notice-cps
Inform: Our case management software which we use in order to keep records of customer feedback, accidents, incidents and safeguarding report information. For more information please go to https://www.salesforce.com/uk/company/privacy/
We may also share your data with third parties to comply with a legal or statutory obligation upon us e.g. TUPE (Transfer of undertakings) or HMRC in which case the duties of confidentiality are strictly adhered to.
How Do We Store Your Data?
Information is stored by us on computers and servers located in the UK. We may transfer your information to other offices and to other reputable third party organisations as explained above. We may also store information in paper files and will keep those securely locked in a filing cabinet with restricted access.
YMCATG takes your privacy seriously and take every reasonable measure and precaution to protect and secure your personal data under our control from accidental loss, misuse or disclosure. For example, only authorised personnel are permitted to access information and we use secure server software (SSL) to encrypt financial and personal information you input before it is sent to us.
Whilst we cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst under our control, we use our best efforts to try to prevent this by carrying out robust checks on systems and security and having adequate policies, procedures and staff training in place to help protect your data.
Personal information that YMCATG holds may in some circumstances be transferred to locations outside of the European Union/European Economic Area (EU/EEA). Where we do, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information, for instance:
- The country to which we send the personal information may be approved by the European Commission
- The recipient may have signed a contract based on “contractual clauses” approved by the European Commission, obliging them to protect the personal information, or
- Where the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield scheme.
How Long Do We Keep Hold Of Your Information?
We will keep your information only for as long as we need it to administer the relationship with us and to comply with the legislation and our statutory duty. When we no longer need information we will always dispose of it securely as outlined in our Data Protection Policy.
Retention record periods can vary depending on the lawful basis to keep data e.g. recruitment paperwork for unsuccessful candidates is to be destroyed after 12 months; however employment records will be retained for 10 years after leaving our employment, and volunteer records are retained on the same basis. For full details of our retention policy see the Data Protection, Retention & Breach Policy and Procedures which can be found here:- N:\How To Guidance\How to Manage Data Protection
How Can You Access Information we Hold About You?
You have the right to request access to personal information that YMCATG processes about you and to information about: –
- What personal data we hold about you.
- Why we collect this information.
- Who might we share your information with.
- How long we hold your information for.
If you wish to access your information, please request a Subject Access Request Form from:-
Human Resources Department
29 Rush Green Road, Romford, Essex RM7 0PH
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.
You also have the right (in certain circumstances) to request erasure of your personal data, and the right to prevent your data from being used for direct marketing.
If you wish to raise a complaint regarding how we process your personal data please contact our data controller:-
Director of People
29 Rush Green Road, Romford, Essex RM7 0PH
Alternatively, if you are unsatisfied with how we have handled your information, you have the right to make a complaint direct to the supervisory authority:-
Information Commissioners Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Date issued: August 2019