GDPR Candidate Privacy Notice (UK)

 


WHAT IS THE PURPOSE OF THIS DOCUMENT?

Crest Co-operative is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. You are being sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).

DATA PROTECTION PRINCIPLES

We will comply with data protection law and principles, which means that your data will be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

THE KIND OF INFORMATION WE HOLD ABOUT YOU

In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:

• The information you have provided to us in your curriculum vitae and covering letter.
• The information you have provided on our application form, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications.
• Any information you provide to us during an interview.

We may also collect, store and use the following “special categories” of more sensitive personal information:

• Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
• Information about your health, including any medical condition, health and sickness records.
• Information about criminal convictions and offences.

HOW IS YOUR PERSONAL INFORMATION COLLECTED?

We collect personal information about candidates from the following sources:

• You, the candidate.
• Background check provider, from which we collect the following categories of data:
• Disclosure and Barring Service in respect of criminal convictions.
• Your named referees, from whom we collect the following categories of data: position in company, number of days absent from work, general work performance.

HOW WE WILL USE INFORMATION ABOUT YOU

We will use the personal information we collect about you to:

• Assess your skills, qualifications, and suitability for the role.
• Carry out background and reference checks, where applicable.
• Communicate with you about the recruitment process.
• Keep records related to our hiring processes.
• Comply with legal or regulatory requirements.

It is in our legitimate interests to decide whether to appoint you to the role since it would be beneficial to our business to appoint someone to that role.

We also need to process your personal information to decide whether to enter into a contract of employment with you.

Having received your application, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role. If we decide to offer you the role, we will then take up references and carry out a criminal record check where applicable before confirming your appointment.

If you fail to provide personal information

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION

We will use your particularly sensitive personal information in the following ways:

• We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during an interview.
• We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

INFORMATION ABOUT CRIMINAL CONVICTIONS

We envisage that we will process information about criminal convictions.

We will collect information about your criminal convictions history if we would like to offer you the work (conditional on checks and any other conditions, such as references, being satisfactory). We are required to carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular:

• The role of Support Worker is one which is listed on the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (SI 1975/1023) and is also specified in the Police Act 1997 (Criminal Records) Regulations (SI 2002/233), so is eligible for an enhanced check from the Disclosure and Barring Service.
• The role of Finance Administrator requires a high degree of trust and integrity since it involves dealing with high value client money, and so we would like to ask you to seek a basic disclosure of your criminal records history.

We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.

AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

DATA SHARING

Why might you share my personal information with third parties?

We will only share your personal information with third parties for the purposes of processing your application such as a company who will run a DBS background check and our payroll providers. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the General Operations Manager.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

DATA RETENTION

How long will you use my information for?

We will retain your personal information for a period of twelve months after we have communicated to you our decision about whether to appoint you to the role. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy.

If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis.

RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Rod Williams in writing.

RIGHT TO WITHDRAW CONSENT

When you applied for this role, you provided consent to us processing your personal information for the purposes of the recruitment exercise. You have the right to withdraw your consent for processing for that purpose at any time. To withdraw your consent, please contact the General Operations Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely.

Cookies

About cookies

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

Cookies that we use

We use cookies for the following purposes:

(a)    authentication – we use cookies to identify you when you visit our website and as you navigate our website (cookies used for this purpose are: _ga, _gid); and

(b)    security – we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally (cookies used for this purpose are: _gat).

Cookies used by our service providers

Our service providers use cookies and those cookies may be stored on your computer when you visit our website.

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: https://www.google.com/policies/privacy/. The relevant cookies are: _ga, _gid, and _gat.

Managing cookies

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

(a)    https://support.google.com/chrome/answer/95647?hl=en (Chrome);

(b)    https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);

(c)    http://www.opera.com/help/tutorials/security/cookies/ (Opera);

(d)    https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);

(e)    https://support.apple.com/kb/PH21411 (Safari); and

(f)    https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).

 

Blocking all cookies will have a negative impact upon the usability of many websites.

If you block cookies, you will not be able to use all the features on our website.

 

Subject Access Policy

 


This policy has been created in order to comply with the new General Data Protection Regulation (GDPR), which comes into force on 25th May 2018 and supersedes the existing Data Protection Act 1998.

Data subjects have the right to access personal data held on them by the Organisation.

This policy is in place to ensure that internal procedures on handling of Subject Access Requests (SARs) are accurate and complied with and includes:

  • Responsibilities (who, what)
  • Timing
  • Changes to data
  • Handling requests for rectification, erasure or restriction of processing.

 

The Organisation will ensure that personal data is easily accessible at all times in order to ensure a timely response to SARs and that personal data on specific data subjects can be easily filtered.

The Organisation has implemented standards on responding to SARs.

  1. Upon receipt of a SAR
    • The data subject will be informed who at the Organisation to contact, the Data Controller.
    • The identity of the data subject will be verified and if needed, any further evidence on the identity of the data subject may be requested.
    • The access request will be verified: is it sufficiently substantiated? Is it clear to the data controller what personal data is requested? If not, additional information will be requested.
    • Requests will be checked as to whether they are unfounded or excessive (in particular because of their repetitive character); if so, the Organisation may refuse to act on the request or charge a reasonable fee.
    • Receipt of the SAR will be promptly acknowledged and the data subject will be informed of any costs involved in the processing of the SAR.
    • Whether the Organisation processes the data requested will be verified. If the Organisation does not process any data, the data subject will be informed accordingly. At all times the internal SAR policy will be followed and progress may be monitored.
    • Data will not be changed as a result of the SAR. Routine changes as part of the processing activities concerned may be permitted.
    • The data requested will be verified to establish if it involves data on other data subjects. This data will be filtered before the requested data is supplied to the data subject; if data cannot be filtered, other data subjects will be contacted to give consent to the supply of their data as part of the SAR.

 

  2. Responding to a SAR
    • The Organisation will respond to a SAR within one month after receipt of the request:
      • If more time is needed to respond to complex requests, an extension of another two months is permissible, and this will be communicated to the data subject in a timely manner within the first month;
      • if the Organisation cannot provide the information requested, it will inform the data subject on this decision without delay and at the latest within one month of receipt of the request.
    • If a SAR is submitted in electronic form, any personal data will be preferably provided by electronic means as well.
    • If data on the data subject is processed, the Organisation will ensure as a minimum the following information in the SAR response:
      • the purposes of the processing;
      • the categories of personal data concerned;
      • the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data, such as Binding Corporate Rules or EU model clauses;
      • where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
      • the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
      • the right to lodge a complaint with the Information Commissioner’s Office (“ICO”);
      • if the data has not been collected from the data subject: the source of such data;
      • the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
    • Provide a copy of the personal data undergoing processing.

 

Implementing the Subject Access Requests Policy – Checklist on what MUST be done

 

On receipt of a subject access request it must be forwarded immediately to the designated manager who will identify whether a request has been made under the Data Protection legislation.

  1. A member of staff who receives a request to locate and supply personal data relating to a SAR must make a full, exhaustive search of the records to which they have access.
  2. All the personal data that has been requested must be provided unless an exemption applies. (This will involve a search of emails/recoverable emails, word documents, spreadsheets, databases, systems, removable media (for example, memory sticks, floppy disks, CDs), tape recordings, paper records in relevant filing systems.)
  3. A response must be provided within one calendar month after accepting the request as valid.
  4. Subject Access Requests must be undertaken free of charge to the requestor unless the legislation permits reasonable fees to be charged.
  5. Managers must ensure that the staff they manage are aware of and follow this guidance.
  6. The Organisation must provide where necessary an explanation with the personal data in an “intelligible form”, which will include giving an explanation of any codes, acronyms and complex terms. The personal data will be supplied in a permanent form except where the requestor agrees or where it is impossible or would involve undue effort. Agreement may be sought with the requestor that they will view the personal data on screen or inspect files on Organisation’s Any exempt personal data will be redacted from the released documents with explanation why that personal data is being withheld.
  7. The Organisation must ensure a request has been received in writing where a data subject is asking for sufficiently well-defined personal data held by the Organisation relating to the data subject. What personal data is needed will be clarified with the requestor, who must supply their address and valid evidence to prove their identity. The Organisation accepts the following forms of identification (* These documents must be dated in the past 12 months, +These documents must be dated in the past 3 months):
    • Current UK/EEA Passport
    • UK Photocard Driving Licence (Full or Provisional)
    • Firearms Licence / Shotgun Certificate
    • EEA National Identity Card
    • Full UK Paper Driving Licence
    • State Benefits Entitlement Document*
    • State Pension Entitlement Document*
    • HMRC Tax Credit Document*
    • Local Authority Benefit Document*
    • State/Local Authority Educational Grant Document*
    • HMRC Tax Notification Document
    • Disabled Driver’s Pass
    • Financial Statement issued by bank, building society or credit card company+
    • Judiciary Document such as a Notice of Hearing, Summons or Court Order
    • Utility bill for supply of gas, electric, water or telephone landline+
    • Most recent Mortgage Statement
    • Most recent Council Tax Bill/Demand or Statement
    • Tenancy Agreement
    • Building Society Passbook which shows a transaction in the last 3 months and your address

 

  8. Where a requestor is not satisfied with a response to a SAR, the Organisation must manage this as a complaint under their Complaints Policy.

Data Protection Policy

Introduction

The Company is committed to being transparent about how it collects and uses the personal data of its workforce, and to meeting its data protection obligations. This policy sets out the Company’s commitment to data protection, and individual rights and obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, workers, contractors, volunteers, interns, apprentices and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of clients or other personal data processed for business purposes.

The Company has appointed Rod Williams, General Operations Manager as the person with responsibility for data protection compliance within the Company. He can be contacted at rod@crestcooperative.co.uk. Questions about this policy, or requests for further information, should be directed to him.

 

Definitions

“Personal data” is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data Protection Principles

The Company processes HR-related personal data in accordance with the following data protection principles:

  • The Company processes personal data lawfully, fairly and in a transparent manner.
  • The Company collects personal data only for specified, explicit and legitimate purposes.
  • The Company processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • The Company keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • The Company keeps personal data only for the period necessary for processing.
  • The Company adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

The Company tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons. Where the Company relies on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.

Where the Company processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.

The Company will update HR-related personal data promptly if an individual advises that his/her information has changed or is inaccurate.

Personal data gathered during the employment, worker, contractor or volunteer relationship, or apprenticeship or internship is held in the individual’s personnel file (in hard copy or electronic format, or both), and on HR systems. The periods for which the Company holds HR-related personal data are contained in its privacy notices to individuals.

The Company keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Individual Rights

As a data subject, individuals have a number of rights in relation to their personal data.

Subject access requests

Individuals have the right to make a subject access request. If an individual makes a subject access request, the Company will tell him/her:

  • whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
  • to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • for how long his/her personal data is stored (or how that period is decided);
  • his/her rights to rectification or erasure of data, or to restrict or object to processing;
  • his/her right to complain to the Information Commissioner if he/she thinks the Company has failed to comply with his/her data protection rights; and
  • whether or not the Company carries out automated decision-making and the logic involved in any such decision-making.

The Company will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.

If the individual wants additional copies, the Company will charge a fee, which will be based on the administrative cost to the Company of providing the additional copies.

To make a subject access request, the individual should send the request to info@crestcooperative.co.uk. In some cases, the Company may need to ask for proof of identification before the request can be processed.

The Company will inform the individual if it needs to verify his/her identity and the documents it requires.

The Company will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the Company processes large amounts of the individual’s data, it may respond within three months of the date the request is received. The Company will write to the individual within one month of receiving the original request to tell him/her if this is the case.

If a subject access request is manifestly unfounded or excessive, the Company is not obliged to comply with it. Alternatively, the Company can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Company has already responded. If an individual submits a request that is unfounded or excessive, the Company will notify him/her that this is the case and whether or not it will respond to it.

Other rights

Individuals have a number of other rights in relation to their personal data. They can require the Company to:

  • rectify inaccurate data;
  • stop processing or erase data that is no longer necessary for the purposes of processing;
  • stop processing or erase data if the individual’s interests override the Company’s legitimate grounds for processing data (where the Company relies on its legitimate interests as a reason for processing data);
  • stop processing or erase data if processing is unlawful; and
  • stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the Company’s legitimate grounds for processing data.

To ask the Company to take any of these steps, the individual should send the request to info@crestcooperative.co.uk.

Data Security

The Company takes the security of HR-related personal data seriously. The Company has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.

Where the Company engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Impact Assessments

Some of the processing that the Company carries out may result in risks to privacy. Where processing would result in a high risk to individuals’ rights and freedoms, the Company will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data Breaches

If the Company discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The Company will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

International Data Transfers

The Company will not transfer HR-related personal data to countries outside the EEA.

Individual Responsibilities

Individuals are responsible for helping the Company keep their personal data up to date. Individuals should let the Company know if data provided to the Company changes, for example if an individual moves house or changes his/her bank details.

Individuals may have access to the personal data of other individuals and of our customers and clients in the course of their employment, contract, volunteer period, internship or apprenticeship. Where this is the case, the Company relies on individuals to help meet its data protection obligations to staff and to customers and clients.

Individuals who have access to personal data are required:

  • to access only data that they have authority to access and only for authorised purposes;
  • not to disclose data except to individuals (whether inside or outside the Company) who have appropriate authorisation;
  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
  • not to remove personal data, or devices containing or that can be used to access personal data, from the Company’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
  • not to store personal data on local drives or on personal devices that are used for work purposes; and
  • to report data breaches of which they become aware to Rod Williams immediately.

Further details about the Company’s security procedures can be found in its data security policy.

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the Company’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

Training

The Company will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

Data Protection Clause

Employee’s personal data

The Company will collect and process information relating to you in accordance with the Privacy Notice which is in the Policy Handbook, available in the Senior Management office or on the Company Server. You are required to sign and date the Privacy Notice and return it to your manager.

Employee’s responsibilities when handling personal data

You are required to comply with the Company’s Data Protection Policy when handling personal data in the course of employment including personal data relating to any employee, customer, client, supplier or agent of the Company. You are also required to comply with the Company’s IT and communications systems policy and Social media policy.

Failure to comply with the Data Protection Policy or any of the policies listed above may be dealt with under our disciplinary procedure and, in serious cases, may be treated as gross misconduct leading to summary dismissal.

Privacy Notice for Employees, Workers and Contractors (UK)

Crest Co-operative is committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR).
It applies to all employees, workers and contractors.

Crest Co-operative is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice. This notice applies to current and former employees, workers and contractors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Data Protection Principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

The Kind of Information We Hold About You

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection.

We will collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
  • Date of birth.
  • Marital status and dependants.
  • Next of kin and emergency contact information.
  • National Insurance number.
  • Bank account details, payroll records and tax status information.
  • Salary, annual leave, pension and benefits information.
  • Start date.
  • Location of employment or workplace.
  • Copy of driving licence.
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
  • Employment records (including job titles, work history, working hours, training records and professional memberships).
  • Compensation history.
  • Performance information.
  • Disciplinary and grievance information.
  • CCTV footage and other information obtained through electronic means such as swipecard records.
  • Information about your use of our information and communications systems.

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
  • Trade union membership.
  • Information about your health, including any medical condition, health and sickness records.
  • Information about criminal convictions and offences.

How is your personal information collected?

We collect personal information about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.

We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  1. Where we need to perform the contract we have entered into with you.
  2. Where we need to comply with a legal obligation.
  3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  1. Where we need to protect your interests (or someone else’s interests).
  2. Where it is needed in the public interest or for official purposes.

Situations in which we will use your personal information

We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below.

  • Determining the terms on which you work for us.
  • Making a decision about your recruitment or appointment.
  • Checking you are legally entitled to work in the UK.
  • Paying you and, if you are an employee, deducting tax and National Insurance contributions.
  • Providing the following benefits to you:
  • Liaising with your pension provider.
  • Administering the contract we have entered into with you.
  • Business management and planning, including accounting and auditing.
  • Conducting performance reviews, managing performance and determining performance requirements.
  • Making decisions about salary reviews and compensation.
  • Assessing qualifications for a particular job or task, including decisions about promotions.
  • Gathering evidence for possible grievance or disciplinary hearings.
  • Making decisions about your continued employment or engagement.
  • Making arrangements for the termination of our working relationship.
  • Education, training and development requirements.
  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work.
  • Ascertaining your fitness to work.
  • Managing sickness absence.
  • Complying with health and safety obligations.
  • To prevent fraud.
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies.
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
  • To conduct data analytics studies to review and better understand employee retention and attrition rates.
  • Equal opportunities monitoring.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  2. Where we need to carry out our legal obligations or exercise rights in connection with employment.
  3. Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.

Our obligations as an employer

We will use your particularly sensitive personal information in the following ways:

  • We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

 

Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.

We envisage that we will hold information about criminal convictions.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will use information about criminal convictions and offences in the following ways:

We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
  2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.

Data Sharing

We may have to share your data with third parties, including third-party service providers and other entities in the group.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EU.

If we do, you can expect a similar degree of protection in respect of your personal information.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Which third-party service providers process my personal information?

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

When might you share my personal information with other entities in the group?

We will share your personal information with other entities in our group, as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

Data security

We have put in place measures to protect the security of your information. Details of these measures are available upon request.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from our website.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from our website – www.crestcooperative.co.uk. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.

Rights of access, correction, erasure, and restriction

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the General Operations Manager in writing.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the General Operations Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact the General Operations Manager by emailing rod@crestcooperative.co.uk.

 

Employment Records: Retention and Erasure Guidelines

About These Guidelines

These guidelines support the Organisation’s Data Protection Policy and adopt its definitions.

The guidelines are intended to ensure that the Organisation processes personal data in the form of employment records in accordance with the personal data protection principles, in particular that:

  • Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
  • Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. When personal data is no longer needed for specified purposes, it is deleted or anonymised as provided by these guidelines.
  • Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
  • Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
  • Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Rod Williams is responsible for overseeing these guidelines. Any questions about the operation of the guidelines should be submitted to Rod Williams.

LOCATION OF EMPLOYMENT RECORDS

The General Operations Manager holds employment records and can be contacted with any enquiries relating to your personal data.

KEEPING INFORMATION UP TO DATE

The Organisation needs to ensure that your personal details are up to date and accurate.

When you first start working for the Organisation, we record your name, address, next of kin and contact telephone details. In the event that any of these change, you should inform your manager. You will be invited to review and update personal information on a regular basis.

These provisions are intended to complement the data subject rights referred to in the Data Protection Policy.

GENERAL PRINCIPLES ON RETENTION AND ERASURE

The Organisation’s approach to retaining employment records is to ensure that it complies with the data protection principles referred to in these guidelines and, in particular, to ensure that:

  • Employment records are regularly reviewed to ensure that they remain adequate, relevant and limited to what is necessary to facilitate you working for the Organisation.
  • Employment records are kept secure and are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Where appropriate the Organisation uses anonymisation to prevent identification of individuals.
  • When records are destroyed, whether held as paper records or in electronic format, the Organisation will ensure that they are safely and permanently erased.

RETENTION AND ERASURE OF RECRUITMENT DOCUMENTS

The Organisation retains personal information following recruitment exercises to demonstrate, if required, that candidates have not been discriminated against on prohibited grounds and that recruitment exercises are conducted in a fair and transparent way.

The Organisation’s candidate privacy notice advises candidates how long the Organisation expects to keep their personal information for, once a recruitment decision has been communicated to them. This is likely to be for six months from the communication of the outcome of the recruitment exercise, which takes account of both the time limit to bring claims and for claims to be received by the Organisation.

Information relating to successful candidates will be transferred to their employment record with the Organisation. This will be limited to that information necessary for the working relationship and, where applicable, that required by law.

Following a recruitment exercise, information, in both paper and electronic form, will be held by the Organisation. Destruction of that information will take place in accordance with these guidelines.

RETENTION AND ERASURE OF EMPLOYMENT RECORDS

The Organisation has regard to recommended retention periods for particular employment records set out in legislation, referred to in the table below. However, it also has regard to legal risk and may keep records for up to seven years (and in some instances longer) after your employment or work with us has ended.

| Record category | Type of employment record | Retention period |
| --- | --- | --- |
| Recruitment records | These may include: Completed online application forms or CVs. Equal opportunities monitoring forms. Assessment exercises or tests. Notes from interviews and short-listing exercises. Pre-employment verification of details provided by the successful candidate. For example, checking qualifications and taking up references. (These may be transferred to a successful candidate's employment file.) Criminal records checks. (These may be transferred to a successful candidate's employment file if they are relevant to the ongoing relationship.) | Six months after notifying candidates of the outcome of the recruitment exercise. |
| Recruitment records | Immigration checks. | Three years after the termination of employment. |
| Contracts | These may include: Written particulars of employment. Contracts of employment or other contracts. Documented changes to terms and conditions. | While employment continues and for seven years after the contract ends. |
| Collective agreements | Collective workforce agreements and past agreements that could affect present employees. | Any copy of a relevant collective agreement retained on an employee's record will remain while employment continues and for seven years after employment ends. |
| Payroll and wage records | Payroll and wage records. Details on overtime. Bonuses. Expenses. Benefits in kind. | These must be kept for at least three years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes they will be retained for seven years after employment ends. |
| Payroll and wage records | Current bank details. | Bank details will be deleted as soon after the end of employment as possible once final payments have been made. |
| Payroll and wage records | PAYE records. | These must be kept for at least three years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes they will be retained for seven years after employment ends. |
| Payroll and wage records | [Payroll and wage records for companies] | [These must be kept for six years from the financial year-end in which payments were made. However, given their potential relevance to pay disputes they will be retained for seven years after employment ends.] |
| Payroll and wage records | [Payroll and wage records for unincorporated businesses] | [These must be kept for five years after 31 January following the year of assessment. However, given their potential relevance to pay disputes they will be retained for seven years after employment ends.] |
| Payroll and wage records | Records in relation to hours worked and payments made to workers. | These must be kept for three years beginning with the day on which the pay reference period immediately following that to which they relate ends. However, given their potential relevance to pay disputes they will be retained for seven years after the working relationship ends. |
| Payroll and wage records | Travel and subsistence. | While employment continues and for seven years after employment ends. |
| Payroll and wage records | Record of advances for season tickets and loans to employees. | While employment continues and for seven years after employment ends. |
| Personnel records | These include: Qualifications/references. Consents for the processing of special categories of personal data. Annual leave records. Annual assessment reports. Disciplinary procedures. Grievance procedures. Death benefit nomination and revocation forms. Resignation, termination and retirement. | While employment continues and for seven years after employment ends. |
| Records in connection with working time | Working time opt-out. | Three years from the date on which they were entered into. |
| Records in connection with working time | Records to show compliance, including: Time sheets for opted-out workers. Health assessment records for night workers. | Three years after the relevant period. |
| Maternity records | These include: Maternity payments. Dates of maternity leave. Period without maternity payment. Maternity certificates showing the expected week of confinement. | Four years after the end of the tax year in which the maternity pay period ends. |
| Accident records | These are created regarding any reportable accident, death or injury in connection with work. | For at least four years from the date the report was made. |