This procedure sets out how the company uses and protects any personal information that is given to the company before, during and after any employment, engagement or a contract. It outlines how and why we use the personal data, ensuring you remain informed and in control of your information.

The company is committed to ensuring that the privacy of employees, sub-contractors, suppliers, clients and clients’ tenants is protected. Any information which can be identified as relating to you will only be used in accordance with the company’s privacy statements.

The company reserves the right to amend the privacy statements, or this procedure, at any time by updating these documents. You should check these documents from time to time to ensure that you are happy with any changes. This policy is effective from 25th May 2018 and is in line with the General Data Protection Regulations (GDPR).

The Company will personally notify employees of any amendments to the policy. Sub-contractors, suppliers, clients and clients’ tenants will be required to check the privacy statement on the website for any changes.

The Data Controller for the Company is the Managing Director, who can be contacted on 01914186880.

Each employee who handles personal data has an obligation to comply with the legal requirements when processing other people’s personal data.

Each new employee will receive instruction and training on GDPR during their induction.

To comply with the new regulations, The Company is required to tell you what personal information we hold, how we keep this data, who we share the data with and what we use the data for.

A Data Controller is a body which, alone or jointly with others, determines the purposes and means of the processing of personal data. As an employer, the company will be a data controller in respect of your employees’ personal data.

A Data Processor is a body which processes personal data on behalf of the controller. An organisation that processes personal data only on your instructions, such as a payroll provider, will be a data processor. The company will be a data processor of information obtained from clients and regarding clients’ tenants, the client is the data controller.

A Data Subject is an identified or identifiable natural person (i.e. the individual to whom personal data relates).

Personal Data is information relating to and identifying the data subject.

Personal data that we hold that you have supplied, if you are an employee or sub-contractor

• CV information, if supplied during the interview process
• Name, address, DOB, NI number
• Telephone and email contact details
• Marital status and number of children, or other dependants
• Bank account details
• Tax code
• Next of kin and/or contact details in the event of an emergency
• Beneficiaries under any life assurance policies
• Details of qualifications or skills
• References

The above information is held for the purpose of engaging employment, engaging sub-contractors, raising contracts, processing payroll, pension contributions, and emergency contacts and for legal obligation.

Personal data that we hold that you have supplied, been sent, or received from Third Parties if you are an employee or sub-contractor

• Grievances and disciplinary matters
• Appraisal forms
• Holiday records
• Documentation relating to, or authorising, deductions from pay
• Consent forms
• Contract of employment
• Terms of conditions of employment
• Correspondence about and/or with you
• Contact details
• Training records
• Disciplinary records
• Driving license and vehicles allowed to be driven
• Trackers
• CCTV
• Tax codes
• Attachments to earning

The above information is held for the purpose of work performance, holiday entitlement, holiday pay, deductions from your wages, terms of your employment, contract for service, training and competence, vehicles you can drive, tracking the mileage and CCTV is for your safety and to deter intruders. We also hold this information under legal obligation, performance of contract.

Special Category Data we hold that you have supplied, been sent, or received from third parties if you are an employee or a sub-contractor

1. Racial or ethnic origin

2. Health details

3. Criminal convictions

4. Pension contribution details

5. Accident records (both motor and personal)

6. Self-certification sickness forms and doctors’ fit notes

7. Medical reports

8. Information for payroll

9. Equality and diversity information

10. Pension payments

11. Medical questionnaires

The above information is held for the purpose of ensuring a diverse workforce, for sickness records and SSP, pay rates, for processing pay and for contractual reasons for contracts and legal obligations.

Personal Data that we hold that you have supplied, been sent, or received from third parties if you are a client or a client’s tenant.

1. Name, address, telephone number

2. Any information we require to enable us to carry out our duty under the contract, which may include information on vulnerable tenants, tenants with health conditions or impairments or use mobility aids.

Children’s Privacy

Our services do not address anyone under the age of 16. We do not knowingly collect personal identifiable information from children under 16. In the case we discover that a child under 16 has provided us with personal information, we immediately delete this from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we will be able to take all necessary actions.

Security

All the information for employees or sub-contractors is held by HR in a secure locked cupboard and only people in the HR department have access to this data.

The following items are also held electronically on the company server, this information is only accessed by HR personnel and Senior Managers, this is password protected and the backup system is encrypted.

• Name, address, DOB and NI number
• Telephone and contact details, including email
• Grievances and disciplinary matters, letters and minutes
• Holiday records
• Contract of employment
• Terms of conditions of employment
• Correspondence about and/or with you
• Training records
• Disciplinary records
• Driving license checks
• CCTV
• Accident records (both motor and personal)
• Information for payroll

The following items are available with full access to all supervisors and contract managers.

• Telephone number
• Trackers

Information received from clients

The information received from clients regarding their tenants is held electronically and only assessed by the person running the contracts. This information is only shared with employees or sub-contractors for the sole purpose of completing the contract as instructed by the client.

Controlling your personal information

We want to ensure you remain in control of your personal data.

Your legal rights are as follows:

• The right to be informed on what data we hold about you
• The right to access personal data held about you
• The right to know how the data is being used
• The right to object to the way your data is being used
• The right to rectification if any information is incorrect
• The right to erase information
• The right to restrict processing
• The right to data portability
• Have consented to the use of their personal data

Consent

All written consents are stored in paper form securely in the HR office

Subject Access Requests

You can make Subject Access Requests (SAR’s) in writing to 2 Monument Park, Pattinson Industrial Estate, Washington, Tyne & Wear or email [email protected]. Before any information is released, the identity of the person must be confirmed. If the person does not provide confirmation of their identity then the SAR will not take place.

The Company is required to respond to a request within one month by confirming that their personal data is being processed, the categories of the personal data being processed, the purpose for processing the data, which personal data is disclosed to third parties, who the third parties are, how long the personal data is stored for and the criteria for determining that period, the source of the data, whether any personal data was withheld and why, explanation of the data subject’s additional rights, the right to complain and a copy of all the data we hold. If the SAR is made electronically, copies must be provided in electronic form unless the person requests otherwise.

As the requirement to search for and identify all the personal data that is held is time consuming, a SAR can be extended by up to a further two months.

When responding to a SAR, we do not have to disclose information about a third party or provide information that identifies a particular third party as the source of the information, unless the third party has given consent to the disclosure. Examples where there are exemptions from disclosing personal data are confidential references, prejudices to the business, prejudices to any individual negotiation, or items covered by legal professional privilege.

You may request details of personal information which we hold about you under the General Data Protection Regulations (GDPR). The Company is required to supply this information within 40 days of a request.

You can object to the way your data is used. If you object, then the Company is required to respond within 21 days of the request, the company can refuse the objection if the data is being used for legal purposes. Requests should be submitted in writing.

You have the right to restrict processing or freeze it if you believe the data or any information we are holding on you is incorrect or incomplete. We will promptly correct any information found to be incorrect.

You can request for certain data to be erased (sometimes referred to as the right to be forgotten), stating what you would like to have removed in writing. We cannot remove any data that is used for legal purposes or to establish, exercise or defend any legal claims.

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting, but only if you tell us that you wish this to happen.

When you leave employment with the company, your personal data is moved to a secure electronic server where the access is limited to senior members of HR and only accessed by a password. You can request in writing to the above address or email for the erasure of this data. We have a legal responsibility to store this data as far as is reasonable and practical to cover any industrial cases, but in the case of parental leave, these records must be kept until the child in question reaches 18 years of age.

Processing Data

Personal data is processed in accordance with GDPR, fairly, lawfully and transparently, for legitimate purposes only and with written consent. All information is kept securely in line with our privacy notice.

Breach Reporting

The Company is required to inform the ICO of any data breach without undue delay and within 72 hours of becoming aware of a breach. The notification must be in line with Article 29.

The Company is also required to inform any individuals of the breach if it is likely to result in a high risk to the rights and freedoms of the individuals.

The Article 29 working party guidance on breach reporting requirements, the ICO must be informed of the type of breach, nature, volume and sensitivity of the data, ease with which individuals can be identified, severity of the consequences for individuals, any special characteristics, number of affected individuals, if the breach indicates a high risk to the rights and freedoms of individuals, if the breach includes discrimination, identity theft or fraud and what procedures have been put in place to stop further breaches.

The company keeps an internal record of all breaches, which includes when the ICO was notified.

It is the responsibility of the HR department to report breaches when instructed by the Managing Director.

Complaints

You can complain to the company by contacting HR as follows:

Customer Care at James Ingleford Ltd, 2 Monument Park, Pattinson Industrial Estate, Washington, Tyne & Wear, NE38 8QU or [email protected]

If you are not happy with our response, or you believe your data protection or privacy rights have been infringed, you can complain to the UK information commissioner’s office, which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk.

The company is compliant, which means that the personal data is stored securely, password protected, encrypted and we have registered with ICO.