DLP Privacy Notice
This document explains how we use our client, and, our client-employee information.
The client information we collect, process, hold and share include contact, business, background, employees and financial data for the purpose of us fulfilling our contractual agreement with that client.
The client-employee information we collect, process, hold and share include:
- personal information (such as name, role, length of service, age – See Schedule 1 to this Notice)
- special categories of data (such as gender, age, ethnic group or religion)
- contract information (such as start dates, hours worked, post, roles and salary information)
- work absence information (such as number of absences and reasons)
- recruitment assessment information (such as applications, forms, references, presentations, cv’s, references, work experience, work history or qualifications
- medical information (such as pregnancy, pregnancy related illness, conditions affecting capability, illness, procedures, disabilities, stress at work or mental health but also names and details of medical professionals, hospitals, counsellors or support practitioners)
- payroll information (such as tax references, student loans, attachment of earnings orders or other deductions)
- employees files and disciplinaries (such as warnings, grievances, disciplinaries, performance reviews, one2ones, formal or informal meetings, consultations or any complaints, either internal or external)
- CCTV records from visits to our DLP premises stored and overwritten every 24 hours in accordance with our policy (available on request) and used for specific purposes only.
Why we collect and use this information
We use this client, or, client-employee data to:
- enable us to advise on employment law or HR matters (either specific matters or for general HR strategy)
- enable us to develop HR and employment Law policies, practices and strategies for the client
- enable us to assist with paying client payroll
- enable our clients to be fully compliant with employment law and HR practices and current statutes
- enable us to defend client legal claims and represent the client, and obtain insurance, for any legal or tribunal proceedings
The lawful basis on which we process this information
We process this information, lawfully under Article 6 GDPR, for the following purposes; (a) the necessary performance of a contract (including your express or implied contract of employment), (b) compliance with a legal obligation (for example under Employment Rights Act 1996, or, Working Time Regulations 1998, or, Health and Safety at Work Act(s), or, Equality Act 2010, or, National Minimum Wage and rules and laws on taxation or pay) or (c) the legitimate interests of a data controller (which are overridden by fundamental interests and rights of client-employees).
We also process some information, lawfully under Article 9 GDPR, which is considered special or sensitive information (set out in schedule). This processing takes place for the specific purposes of (a) being necessary for carrying out obligations under employment law (eg sickness leave), or, (b) is in the vital interest of the client-employee (where consent is not available), or, (c) processing is necessary to establish or defend a legal claim (eg if you lodge an ACAS EC or employment tribunal), or, (d) we ask you for explicit consent (eg you may be asked to sign a medical consent form for an medical report to be obtained on your behalf)
Collecting this information
Whilst the majority of information provided or collected is contractually required or mandatory, some of it is provided to us on a voluntary basis. For client-employees In order to comply with data protection legislation, we will inform you whether you are required to provide this information or if you have a choice to do this.
Storing this information
We hold client-employee information in accordance with our Data Retention Policy.
If we undertake the HR function for the Client we will keep employee files for a period of six years after the year of termination (or 3 years for medical information, 3 years for salary information, 2 years for working time information, 3 years for National Minimum Wage information, 3 years for statutory leave and 6 months for job applications) after which time the data will be deleted.
If we act in an advisory capacity only, then after completion of client advice we will take the necessary steps to return client-employee data to the client and remove records from DLP systems.
Who we share this information with
We routinely share this information with:
- barristers, barristers clerks, solicitors, tribunals, judges and other legal bodies for the purposes of a legal claim or legal defence
- insurance underwriters or brokers (although anonymised where possible)
- third party referees (responded to depending upon client policy)
- medical professionals (with your explicit and written consent)
- mortgage professionals (with your explicit request and / or consent)
- third party, networks, local authorities or other businesses for the legal purpose of due diligence in any tupe or merger process
- third parties for the purpose of tendering (with your express written consent)
Why we share client-employee information
We do not share information about client-employees with anyone, without consent unless the law and our policies allow us to do so.
Data collection requirements
DLP has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether DLP releases personal data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested; and
- the arrangements in place to securely store and handle the data
For client-employees to be granted access to other client-employees workforce information, they must comply with the strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information, contact the DLP data protection officer by emailing email@example.com.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact Levi Liebling at firstname.lastname@example.org or by calling 0330 400 4454.
This is a list of information we may process (to include but not limited to)
- Name, work and home contact details
- Date and place of birth
- Education and work history
- *Individual demographic information in compliance with legal requirements (such as marital status, national identifier, passport/visa information, nationality, citizenship, military service, disability, work permit, date and place of birth or gender)
- *Health issues requiring adaptations to working environment
- Job title, grade and job history
- Employment contract related information (including compensation, location, hours of work and so on)
- Reporting and managerial relationships
- *Leaves of absence (such as maternity leave, sickness absence)
- Disciplinary / grievance records
- Time and attendance details
- Bank account details for salary payment purposes
- Expenses such as travel and expenses claimed from the bank
- Skills and qualifications
- Training history and plans
- Results of original and ongoing employee screening, where relevant
- *Details provided in relation to Conduct policies (such as conflicts of interest, personal account dealing, trade body membership and so on)
- *Health & safety incidents, accidents at work and associated records
- *Building CCTV images
- *Audio recordings of telephone interviews
- *Video recordings of interviews
- *Notes from face to face interviews
- Psychometric test results and associated reports
- Results from behavioural assessments
- Results from technical assessments
* These categories of information might potentially include some sensitive personal information. Sensitive personal information is not routinely collected about all applicants, it may be collected for legal obligations, or if you choose to disclose it to us during the course of the application or interview process.