The categories of your information that we collect, process, hold and share include:
- personal information (such as name, telephone number)
- special categories of data including characteristics information such as gender, age, ethnic group
- work absence information (such as wages, number of absences and reasons)
Why we collect and use this information
We use your personal data to:
- enable us to provide our services to you under the terms of our contract with you.
- inform our own marketing, risk and diversity policies
- comply with our legal obligations, for example to prevent fraud
We do not use your personal data to make automated decisions or for profiling.
The lawful basis on which we process this information
Processing is necessary for either:
- the performance of our contract with you or for us to take steps for us to enter into a contract or
- the legitimate interests of ourselves or a third party, except where such interests are overridden by your interests, rights or freedoms. Such as to enable us to run our business, make marketing and risk decisions or to enable us to comply with our compliance obligations or
- the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller such our duty to identify fraud.
Collecting this information
The information you provide to us is on a voluntary basis. We may obtain data from you or form third parties such as your medical records. This data may be both personal and special personal data (such as personal data about your health or religion). We may obtain personal data from publicly accessible sources (such as social media). We cannot provide our services to you without processing and disclosing your personal data.
Storing this information
We hold your data;
- In the case of data processed in pursuance of a contract with you or due to our legal obligations, seven years following the last date we communicated with you;
- In the case of data processed with your consent for marketing purposes, 1 year after you first gave us consent or earlier if you withdraw consent;
- after which time it is securely disposed of and/or deleted.
- In the case of data processed in respect of our legitimate interests after considering your own, we review this every year and we will delete the data as soon it is no longer necessary for our purpose or earlier if you object.
Who we share this information with
We routinely share this information with:
- People in connection with the work we do for you with such as data lawyers and IT and marketing companies.
- People in connection with the operation of our business such as, accountants, lawyers and regulatory bodies.
- People to whom we have a legal duty, such as the police.
Why we share your information
We do not share information about you with anyone without consent unless the law and our policies allow us to do so.
We only share your data if it is:
- Necessary for the purpose of our contract with you
- Necessary due to a legal obligation
- Necessary for a legitimate interest we have, after considering your own interests.
We have robust processes in place to ensure that the confidentiality of your personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether we release your personal data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested; and
- the arrangements in place to securely store and handle the data
To be granted access to your personal data, organisations must comply with its strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
Sharing Your Data Outside the EU or EEA
Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission, or;
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe, or;
- Where we use providers based in the US, we may transfer data to them if they are part of Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information, please contact us.
You also have the right to
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/