Policy Owner: Reward & HR Policy Manager

Last Updated: 28th May 2019

Why do we need this policy?

As your employer we collect, process and hold personal data relating to you and all team members to manage our employment relationship. We are committed to being transparent about how we collect, use and retain that data to meet our data protection obligations.

What information do we collect?

We collect and process a range of information about you. This includes:

• your name, address and contact details, including email address and telephone number, date of birth and gender;
• the terms and conditions of your employment;
• details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with us;
• information about your salary, including entitlement to benefits such as pensions or insurance cover; details of your bank account and national insurance number; information about your marital status, next of kin, dependants and emergency contacts;
• information about your nationality and entitlement to work in the UK;
• information about your criminal record;
• details of your schedule (days of work and working hours) and attendance at work;
• details of periods of absence taken by you, including holiday, sickness absence, family absence, and the reasons for the absence;
• details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
• assessments of your performance, including personal objectives, half and end of year reviews and ratings, performance improvement plans and related correspondence;
• information about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments;
• equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

We may collect this information in a variety of ways. For example:

• Before you join us: When we send you your contract of employment we request personal data so that we can enter your data, and the terms and conditions of employment into our HR and payroll system.
• On your first day: When you start work we may ask for further personal information and/or copies of certificates or right to work documentation such as passports or driving licenses. We may collect forms completed by you (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
• From 3rd parties: In some cases, we may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, and information from criminal records checks permitted by law.  During Employment: Throughout your time with us, we will collect lots of personal information as you move through the employment life cycle. This will include information such as performance reviews, assessment information, absence and disciplinary records.
• When you leave: Even when you leave we need to record information to ensure we get everything right and even after you have stopped working if we continue to have correspondence.

Data will be stored in a range of different places, the main systems that we use are: Fourth – our HR and payroll system holds your personal and payment data in an electronic employee record. IT Systems – as a team member you are also a member and so your information will be held in all our member data bases. In addition your information will be held on shared drives and in our email systems. There are many internal systems which store your data, such as the expenses system and KITbag.

Why do we process personal data?

We need to process data to meet our obligations under your employment contract. For example, we need to process your data, to pay you in accordance with your employment contract and to administer benefits and pension.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.

In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows us to:

• provide benefits and savings both internally and through 3rd parties
• run recruitment and internal promotion processes;
• maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
• operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
• operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
• operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
• obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
• operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
• ensure effective general HR and business administration;
• provide references on request for current or former employees;
• respond to and defend against legal claims;
• maintain and promote equality in the workplace

Some special categories of personal data, such as information about health or medical conditions are processed to carry out employment law obligations (such as those in relation to employees with disabilities).

As well as storing your data, we also report on it. Any reporting which contains identifiable information will continue to be treated in the same confidential way as the data that we hold for you.

Who has access to my data?

Your information may be shared internally, including with members of the HR team, Payroll team, your line manager and managers in the business area in which you work.

Your data will be held on various systems and at times specific job roles within Club Support may have access to your data, if access to the data is necessary for performance of their roles. This only applies to those who have had the relevant training and understand their responsibilities in line with the legislation.

We share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and if required, to obtain necessary criminal records checks from the Disclosure and Barring Service.

We also share your data with third parties that process data on our behalf, in connection with payroll, the provision of benefits and the provision of occupational health services.

We may also share your data with third parties in the context of business transactions. In those circumstances the data will be subject to confidentiality arrangements.

We will not transfer your data to countries outside the European Economic Area.

How do we share data with you?

We will send you information about your pay and benefits, or other personal data that we hold on you on occasions. Often this information will come from a 3rd party organisation, such as your pension scheme provider or HMRC directly. In addition, we will send the following information directly to you about your pay in the following ways:

• Payslips – These are available monthly and can be accessed through KITbag or on Fourth once you are logged in. If you wish, you can opt to have your payslip emailed to you, just let your Club / HR Administrator know. If you receive your payslip in an email, it will be a pdf document which is password protected with your date of birth in the format DDMMYYYY.
• P45 – This is sent to you as a pdf to your personal email address held in fourth when you are made a leaver, it is password protected with your date of birth in the format DDMMYYYY. If you do not have a personal email address in the system, this will be sent in paper format to your home address. If you do have an email address and would prefer to have a paper P45, just let your Club / HR Administrator know.
• P60 – This is made available to you annually during your employment, and you can access this on KITbag or through your employee self service on fourth.

As we use your personal email address to contact you personally and often with personal data, generic work email addresses such as [email protected] should not be provided and recorded in fourth as a personal contact for you.

How do we protect data?

We take the security of your data seriously. There are internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, we do so, on the basis of written instructions, or under a duty of confidentiality and are they obliged to implement appropriate technical and organisational measures to ensure the security of data.

For how long do we keep data?

The majority of the data that we collect, we will hold for the duration of your employment. There are 2 exceptions to this:

Data that has a single purpose: For example, if we collect data in relation to an event, we will delete the personal data that is no longer needed after the event. Or if we provide data to a 3rd party to allow you access to a benefit, all records externally are destroyed when you are no longer eligible.

Data that has expired: For example, if we collect data in relation to a specific event, e.g. pay review, talent review, conference. We will destroy the data relating to the event that is no longer needed 5 years after the expiry date of the event. This refers to centrally held records stored in restricted access folders and shared drives. In addition, and for example, if we collect data in relation to a specific incident, e.g. sickness absence, disciplinary, grievance. We will hold this information in your employee record on fourth, however, if you wish for this to be removed after 5 years, you can make a request to your HRBP who will respond within 14 days.

After you leave us, we will retain your data for 7 years from the end of the tax year in which you leave and then the records will be destroyed.

Your rights

As a data subject, you have a number of rights. You can:

• access and obtain a copy of your data on request;
• request us to change incorrect or incomplete data;
• request us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
• object to the processing of your data where we are relying on our legitimate interests as the legal ground for processing.

In the first instance you should contact your line manager or if this is not possible then contact, Mark Dillon, Head of Corporate Administration.

If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner.

ICO Helpline: 0303 123113

What if you do not provide personal data?

You have some obligations under your employment contract to provide us with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable us to enter a contract of employment with you