The Data Protection Act 2018 and the General Data Protection Regulation set out rules about how we collect and use your data. We want to make sure you know your data is safe.
This policy is all about HR data, which is personal data of:
job applicants
employees
workers
contractors
volunteers
interns
apprentices
former employees
Personal data is defined as any data that can be used to identify you, such as your name, home address or credit card number.
Our Data Protection Officer is NAME. Their role is to inform and advise us on our data protection obligations. They can be contacted at EMAIL and any questions about your data, or requests for further information, should be directed to them.
Any information we hold about you is to enable us to:
comply with your employment contract
comply with our legal obligations
pursue legitimate interests of RUSH
protect our legal position in the event of legal proceedings
A large amount of information we hold on you will have been provided by you, but some may come from other sources such as your manager, or external sources like references, your GP or HR.
The data we hold includes, but isn't limited to:
your application form, CV, proof of qualifications and references
your contract of employment and any variations to it
evidence of your right to work in the UK
correspondence with or about you in relation to pay increases, reference letters, payroll, benefits, expenses, contact and emergency contact details, records of holidays, sickness and other absences, equal opportunities monitoring, letters and information relating to disciplinary and grievance matters
records relating to your career history such as training records, appraisals and other performance measures
CCTV images
During the course of your employment, you'll inevitably be referred to in documents and records that we produce.
Where necessary we also hold data relating to your health. This might include sick notes, reasons for absence, occupational health, GP or consultant reports. We use this information in order to comply with our Health & Safety and Occupational Health obligations. It may be used to consider how your health affects your ability to do your job and if we need to make any adjustments for you. We'll also use it to administer and manage sick pay entitlements.
There may be times when we process special categories of information relating to race, ethnicity, political opinion, religion or belief, trade union membership, biometric data, or sexual orientation. Where we do process this type of information, we'll always obtain your consent, unless consent isn't required by law or the information is needed to protect your health in an emergency.
We also monitor computer and telephone use.
We share your information with team members who may require access to perform their roles, such as HR, recruitment, payroll, your line manager, other managers and IT.
We sometimes need to share your information with third parties in order to obtain pre-employment references and background checks. We may also need to share your data in the context of a sale of some or all of our business - in those circumstances your data is subject to confidentiality agreements.
We don't transfer your data outside the EEA, and it's stored securely and in line with our data retention policies.
If in future we intend to process any of your personal data for a purpose other than that which it was collected for, we'll provide you with information on that purpose and any other relevant information.
Whilst you work for us, all data is kept. Upon leaving, your personal data is archived. For many types of HR records, there's no definite retention period set out in law, so we work to the Chartered Institute of Personnel and Development recommendations that personnel records should be kept for 6 years after an employee has left. Some records may be retained longer in order to comply with our statutory obligations.
The GDPR sets out the following 7 key principles that lie at the heart of data protection:
lawfulness, fairness and transparency
purpose limitation
data minimisation
accuracy
storage limitation
integrity and confidentiality (security)
accountability
Under GDPR you have 8 rights in relation to your personal data:
the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
rights in relation to automated decision making and profiling
You can speak to our Data Protection Officer about your rights. In some cases our ability to uphold these rights for you may depend on our obligations to process personal data for legal reasons. Where this is the case, we'll inform you of specific details in response to your request.
Where we have obtained your consent to process your personal data, you have the right to withdraw that consent at any time.
You can request your personal data by making a Subject Access Request to the Data Protection Officer. We aim to respond to these requests within one month, or we'll notify you if we can't do this. Please be as clear as possible as to the data you want access to (including timeframes, types of data, etc.).
It's your responsibility to notify us of any changes to your personal data, and if you inform us of any changes or inaccuracies we'll update or amend the data we hold. For changes to address, bank details, next of kin, etc. you can use a change of details form, which can be found on the intranet.
We have security policies, standards, technologies and ongoing training to safeguard your personal data from improper access, use, alteration, destruction and loss.
Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of your data.
If we discover a data breach of our HR data and it poses a risk to your rights and freedoms, our Data Protection Officer will report it to the Information Commissioner within 72 hours and make a record of the breach.
If the breach is likely to result in a high risk to your rights and freedoms, we'll tell you there's been a breach and provide you with information on the possible consequences and any mitigating measures we've taken.
Absolutely! You may have access to team members' personal data, and that of our clients, and we rely on you to help us meet our data protection obligations.
If you have access to personal data you must:
access only the data you have authority to access and only for authorised purposes
never disclose data, except to individuals who have appropriate authorisation (either inside or outside the business)
keep data secure
never remove personal data, or devices containing personal data, from our premises without appropriate security measures
never store personal data on local drives or personal devices that are used for work purposes