Notice
City Electrical Factors Ltd (the Company) collects and uses information about people with whom it communicates. This personal information must be dealt with properly and securely however it is collected, recorded and used - whether on paper, in a computer, or recorded on other material - and there are safeguards to ensure this complies with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
The Company regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals.
To this end the Company fully endorses and adheres to the Principles of Data Protection (detailed below under Principles), as set out in the GDPR.
Purpose
This notice applies to all Company employees, full or part-time as well as all agency and temporary workers.
The purpose of this notice is to ensure that you are clear about the purpose and principles of Data Protection and to ensure that the Company has guidelines and procedures in place which are consistently followed.
You must comply with this notice. Failure to comply with this notice will be treated seriously and may result in disciplinary action. You must also be aware that any breach by you of this notice may result in personal liability and even criminal prosecution, as well as exposing the Company to regulatory enforcement action, fines and contractual claims as well as claims for compensation from individuals.
Principles
The GDPR regulates the processing of information on data subjects. This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
Data users must comply with the data protection principles of good practice which underpin the Regulation. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
If you process or use any personal information in the course of your duties, you must ensure that these principles are followed at all times.
In addition to the six principles there are specific restrictions or additional requirements in certain circumstances, such as whenever personal data is transferred outside the UK or the European Economic Area (EEA), and a requirement that the data subject's rights are respected.
You should contact the DPO/GDPR Team whenever you are planning to reuse personal data in a new way or set up new systems or processes. They will advise whether a specific privacy risk assessment, known as a Data Protection Impact Assessment (DPIA) is required and ensure that the appropriate security controls are in place.
The Company follows the six Data Protection Principles set out in Article 5 of the GDPR, which are summarised below together with the related requirements on international transfers, data subjects' rights and data security:
Fair and lawful processing
Data protection legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is, the purpose for which the data is to be processed and the identities of anyone to whom the data may be disclosed or transferred.
For personal data to be processed lawfully, at least one of the conditions in Article 6 of the GDPR has to be met. These include, among other things, that the data subject has consented to the processing, that the processing is necessary to perform a contract with the data subject, or that the processing is necessary for the legitimate interests of the data controller or the party to whom the data is disclosed. When special category (sensitive) personal data is being processed, a separate condition under Article 9 must also be met. Explicit consent is one such condition, but in the employment context the Company more often relies on the employment-related conditions described under Lawful basis for processing your data below.
Processing for limited purposes
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected, or for any other purposes specifically permitted by data protection legislation. This means that personal data must not be collected for one purpose and then used for another, incompatible purpose. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose and, unless another lawful basis applies, their consent obtained before the new processing begins.
Processing should be adequate, relevant and not excessive
Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.
Data should be accurate
Personal data must be accurate and where necessary kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
Retention times not excessive
Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from the Company's systems when it is no longer required.
Personal data should not be transferred to another country without ensuring that there are adequate safeguards in place
Whenever personal data travels across borders, the Company must ensure that the personal data remains secure. Where the data originates in the UK or the EEA and is transferred outside of those areas, the Company is under a specific obligation to ensure that certain conditions relating to the "adequacy" of the measures taken to secure it are complied with. This can be achieved through a variety of methods depending on the type of data transferred and the reasons for the transfer.
Data subject rights
Data must be processed in line with data subjects' rights. Data subjects have a right to:
- Be informed about the collection and use of their personal data
- Request access to any personal data a data controller holds about them
- Have inaccurate or incomplete data rectified
- Request that their personal data is erased
- Restrict processing of their data in certain circumstances
- Object to processing, including an absolute right to object to the processing of their data for direct-marketing purposes
- Obtain and reuse their personal data for their own purposes across different services (data portability)
- Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them
Data security
The Company must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it
- Integrity means that personal data is protected from unauthorised or accidental alteration, so that it remains accurate and suitable for the purpose for which it is processed
- Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on the Company's central computer system instead of on individual PCs
The Company has an IT Acceptable Use Policy which you must comply with and you must adhere to the security procedures outlined within it. The Policy is designed to protect against a loss of confidentiality, integrity and/or availability of data.
If you become aware of any data security breach or suspect one may have taken place (for example loss of paperwork, a lost laptop or other electronic device storing personal data or a problem with an IT system) you must report this immediately to the IT Service Desk.
Under no circumstances may live personal data be used for testing purposes. If you need personal data for testing, contact the DPO/GDPR Team or Information Security Team for advice on how to do this without using live data (for example, by using anonymised or synthetic test data).
How do we obtain your information?
We get information about you from the following sources:
- Directly from you
- From an employment agency
- From referees, either external or internal
- From GPs and other health professionals
- From Pension administrators and other government departments, for example tax details from HMRC
- From providers of staff benefits
- CCTV images from our CCTV systems and photographs taken for company publication
What personal data do we process and why?
We process the following categories of personal data:
Information related to your employment
We use the following information to carry out the contract we have with you, provide you access to business services required for your role and manage our human resources processes.
- Personal contact details such as your name, address, contact telephone numbers (landline and mobile) and personal email addresses
- Your date of birth, gender and NI number
- A copy of your passport or similar photographic identification and/or proof of address documents
- Next of kin, emergency contacts and their contact information
- Employment and education history including your qualifications, job application, employment references, right to work information and details of any criminal convictions that you declare
- Location of employment
- Any content featuring you produced for use on our website or social media such as images, videos, authored articles and blog posts
- Curriculum Vitae
- Application forms
- Test results
- Interview notes
- Contracts of employment
- Appraisal records
- Performance ratings
- Training notes
- Attendance records
- Disciplinary action or grievance procedures
- Redundancy or redeployment records
- Sales/commission
- Financial reference
- Company car documentation
- Time sheets
- Employer references
- Driving licences
The personal information described above will only be made available to Manager(s) and other employees who are expressly authorised to process employee data and will not be disclosed to anyone else, except where strictly necessary (for example in a disciplinary process or in cases of emergency).
Any other information supplied on application will be kept securely and is not accessed during the day to day running of the Company.
Employee data may also be processed by third parties who have been expressly authorised by the Company to process employee data and who act only on the instructions of the Company in relation to such processing. The Company will ensure that employee data remains secure wherever it is transferred to and has put measures in place to ensure that it complies with the requirements of the General Data Protection Regulation in this regard.
Accuracy
The Company will take reasonable steps to keep your personal data up to date and accurate. Personal data may be stored up to 7 years after you have left the Company. The Manager/Accountant has responsibility for destroying personnel files.
Storage
Your personal data is kept in paper-based systems and on a password-protected computer system. Every effort is made to ensure that paper-based data is stored in organised and secure systems.
Applicant tracking system
CEF uses an Applicant Tracking System (Lever) to manage recruitment and candidate information. This system stores and processes the personal information that candidates provide for the roles they apply for (listed above). The data is stored for one year from the end of the recruitment process, after which candidates are asked whether they consent to it being kept so that they can be considered for future openings. Candidates who would prefer this not to happen can have their data securely erased on request.
Use of photographs
Where practicable, the Company will seek your consent before displaying photographs in which you appear. If this is not possible (for example, a large group photo), the Company will remove any photograph if a complaint is received. This notice also applies to photographs published on the Company website or in the newsletter.
Information related to your salary and pension
We process this information for the payment of your salary, pension and other employment related benefits. We also process it for the administration of statutory and contractual leave entitlements such as holiday or maternity leave.
- Information about your job role and your employment contract including; your start and leave dates, salary, any changes to your employment contract, working pattern (including any requests for flexible working)
- Details of your time spent working and any overtime, expenses or other payments claimed
- Details of any leave including sick leave, holidays, special leave etc
- Pension details including membership of both state and occupational pension schemes (current and previous)
- Your bank account details, payroll records and tax status information
- Details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay. This includes forms applying for the relevant leave, copies of MATB1 forms/matching certificates and any other relevant documentation relating to the nature of the leave you will be taking
- Company Car user registration numbers, mileage claims and payments
Information relating to your performance and training
We use this information to assess your performance, to conduct pay reviews and to deal with any employer/employee related disputes. We also use it to meet the training and development needs required for your role.
- Information relating to your performance at work e.g. probation reviews, PDRs, promotions
- Grievance matters and investigations to which you may be a party or witness
- Disciplinary records and documentation related to any investigations, hearings and warnings/penalties issued
Information relating to monitoring
The Company monitors electronic communication, information access and other activities of its employees in the following ways:
- E-mail facilities and internet access are provided solely for business purposes and, therefore, the Company reserves the right to review e-mail messages. You should, therefore, not place on the system any message or communicate anything which you regard as personal
- The Company employs CCTV cameras in various staff areas, IT data centres, stores, warehouse areas and car parks. These cameras are installed for the purpose of crime prevention and for your safety, ensuring H&S and company procedures are followed and assisting with identifying unsafe practices. CCTV footage may be reviewed by the appropriate personnel at management discretion. Further information is available in our CCTV policy
- The Company reserves the right to intercept any electronic communications or data exchange (including email) for monitoring purposes, record keeping purposes, preventing or detecting crime, investigating or detecting the unauthorised use of the Company's telecommunication and information system or ascertaining compliance with the Company's policies, practices or procedures
All of our ICT systems and the swipe access system for the entry and exit of our premises are auditable and can be monitored, though we don’t do so routinely. We are committed to respecting individual users’ reasonable expectations of privacy concerning the use of our ICT systems and equipment. However, we reserve the right to log and monitor such use in line with our Acceptable Use Policy. Any targeted monitoring of staff will take place within the context of our disciplinary procedures.
Information relating to your health and wellbeing, equal opportunities monitoring and other special category data
We use the following information to comply with our legal obligations. We also use it to ensure the health, safety and wellbeing of our employees.
- Health and wellbeing information either declared by you or obtained from eye examinations, sick leave forms, fit notes i.e. Statement of Fitness for Work from your GP or hospital
- Accident records if you have an accident at work or in a car whilst on company business and all accidents occurring in company vehicles
- Details of any desk audits, access needs or reasonable adjustments
- Information you have provided regarding Protected Characteristics as defined by the Equality Act and s.75 of the Northern Ireland Act for the purpose of equal opportunities monitoring. This includes racial or ethnic origin, disability status, and gender identification and may be extended to include other protected characteristics.
The Company recognises that certain types of data are particularly sensitive. This includes, for example, information in relation to such matters as racial or ethnic origin, trade union membership and physical or mental health or condition. Although inevitably there will be a need for the Company to process and transfer sensitive data on occasions, the Company will collect and process as little sensitive information as possible and only where necessary.
Lawful basis for processing your data
Depending on the processing activity, we rely on the following lawful bases for processing your personal data under the GDPR:
- Article 6(1)(b) which relates to processing necessary for the performance of a contract
- Article 6(1)(c) so we can comply with our legal obligations as your employer
- Article 6(1)(d) in order to protect your vital interests or those of another person
- Article 6(1)(f) for the purposes of our legitimate interest
Special category data
Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:
- Article 9(2)(b), which covers processing necessary to carry out our obligations, and to exercise our or your rights, in the field of employment, social security and social protection law
- Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent
- Article 9(2)(f) for the establishment, exercise or defence of legal claims
- Article 9(2)(g) - where processing is necessary for reasons of substantial public interest
In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1 of the DPA 2018. This relates to the processing of special category data for employment purposes.
Criminal convictions and offences
We process information about staff criminal convictions and offences. The lawful basis we rely on to process this data is:
- Article 6(1)(b) for the performance of a contract. In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1 of the DPA 2018 (employment purposes)
How long do we keep your personal data?
For information about how long we hold your personal data, see our retention schedule.
Data sharing
In some circumstances, such as under a court order, we are legally obliged to share information. We may also share information about you with third parties including our data processors, government agencies and external auditors. For example, we may share information about you with HMRC for the purpose of collecting tax and national insurance contributions.
As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Information Commissioner's Office (ICO) as the relevant supervisory authority.
Do we use any data processors?
Data processors are third parties who provide certain parts of our staff services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so. Our current data processors are listed below.
| Data Processor | Purpose | Privacy Notice |
|---|---|---|
| The People's Pension | For administering CEF's Pension Scheme | The People's Pension |
| AEGON | Pension Provider | AEGON |
| AVIVA | Pension Provider | AVIVA |
| Zellis | Payroll | Zellis |
| Ignition Risk Management Ltd | Driver and risk training | Ignition Risk Management Ltd |
| Lever | Applicant Tracking System | Service Privacy Notice (Lever Support) |
| KnowBe4 | Information Security Training Platform | Product Privacy Notice (KnowBe4) |
| Microsoft | IT Services Provider | Microsoft Privacy Statement |
Transfers of personal data
We don't routinely transfer staff personal data overseas but when this is necessary we ensure that we have appropriate safeguards in place.
Further information
- Personnel Files - Physical and electronic records are held for each member of staff. Data is held securely on CEF systems and at our premises
- Occupational Health - Where there is a prolonged absence due to sickness we may request a medical report from a GP or specialist
- Requests for References - If you leave, or are thinking of leaving, we may be asked by your new or prospective employers to provide a reference. For example, we may be asked to confirm the dates of your employment or your job role
How you can find out what is held by the company
You have a statutory right to request a copy of the personal data the Company holds about you and to access that personal data, subject to certain exemptions. This is known as a Subject Access Request. If you would like to exercise this right, you must put your request in writing and submit it to [email protected]; your request will be responded to within one month (30 days).
Correction of inaccurate information
The Company recognises that employee data needs to be accurate and, where necessary, kept up to date. If you believe that any personal information held about you is inaccurate you should write to your Accountant identifying the inaccuracy and requesting that it is corrected. Your Accountant will respond in writing within 21 days confirming that the inaccuracy has been rectified or otherwise explaining how the matter has been dealt with.
Monitoring and review of this notice
We will continue to review the effectiveness of this notice to ensure it is achieving its stated objectives.
Definitions
The following definitions will be helpful for you when you are reading this Notice:
- Data is information which is stored electronically, on a computer, or in paper-based filing systems
- Data subjects for the purpose of this notice include all living individuals about whom we hold personal data. All data subjects have legal rights in relation to their personal data
- Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in or likely to come into our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal)
- Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with data protection legislation. The Company is a data controller of personal data used in our business
- Data users include employees whose work involves using personal data. Data users have a duty under this notice to protect the information they handle by following our data protection and security policies at all times
- Data processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers who handle personal data on our behalf
- Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties
- Special Category Data is the data listed in Article 9 of the GDPR: information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify them, physical or mental health or condition, or sex life or sexual orientation. Information about the commission of, or proceedings for, any offence committed or alleged to have been committed by a person, the disposal of such proceedings or the sentence of any court in such proceedings is criminal offence data, which is governed separately by Article 10 of the GDPR and is subject to similar safeguards. Both kinds of data can only be processed under strict conditions; in the employment context the Company normally relies on the employment conditions described under Lawful basis for processing your data rather than on the express consent of the person concerned