Staff and Applicant Data Policy

Overview

The Company is committed to maintaining the accuracy, confidentiality and security of your personal information. 

This policy explains what personal information we collect from staff and applicants, how we use it, and when we may disclose it. 

This policy supplements our Data Privacy Policy, which explains information rights, how to make requests, and our complaints procedure if you are unhappy with the data we collect or how we use it. 

What Personal Information Do We Collect?

For the purposes of this policy, personal information means any information about an identifiable individual. It does not include anonymous or non-personal information. 

We collect and keep different types of personal information about people who apply to work for us, work for us, or have previously worked for us. Depending on the context, we process this information because it is necessary to take steps before entering into a contract, to perform the employment contract, to comply with legal obligations, or for our legitimate interests in managing recruitment and employment.  The information we collect is not limited to, but includes the following; 

  • CVs and applications.

  • References and interview notes.

  • DBS and vetting information

  • Education and training information.

  • Right to work information.

  • Photographs, testimonials, video and audio recordings, including CCTV imagery.

  • Letters of offer and acceptance of employment and other employment records.

  • Policy acknowledgement sign-off sheets.

  • Payroll information, including national insurance number and banking details.

  • Wage and benefit information including annual leave information.

  • Forms relating to the application for welfare benefits.

  • Health questionnaires and risk assessments, including details of any medical condition or medication you are taking.

  • Beneficiary and emergency contact information.

  • Disciplinary and grievance records.

  • Driving licence and insurance documentation.

  • Equal opportunities monitoring forms.

In addition to the examples above, we may collect personal information such as your name, home address, telephone number, personal email address, date of birth, employee identification number, ethnicity, marital status, nationality, next of kin or emergency contact details, salary, GPS location data from fundraising tablets where used for work purposes, and any other information reasonably needed for recruitment or employment purposes that you provide during your application or employment. 

This list is not exhaustive and applies across The Company. 

We usually collect personal information directly from you. We may also receive it from recruitment consultants, recruitment websites or agencies where this is necessary to take steps at your request before entering into a contract, for our legitimate interests in recruitment, or to comply with legal obligations. 

We may also receive personal information from third parties, such as recruitment agencies, when they provide services to us. In those cases, we will take reasonable steps to ensure they are entitled to share your personal information with us. 

In limited circumstances, where permitted or required by law, we may collect personal information from other sources without informing you first. 

Why Do We Collect Personal Information?

We collect, use and share personal information where this is necessary to take steps before entering into a contract, to perform the employment contract, to comply with our legal obligations, and where necessary for our legitimate interests in managing the employment relationship, provided those interests are not overridden by your rights and interests. 

Where we process special category data, including health information, we do so only where this is necessary to carry out obligations and exercise rights in connection with employment, social security and social protection law, to assess working capacity, to protect health and safety, to monitor equality of opportunity, or where otherwise permitted by law. This may include processing for: 

  • Determining eligibility and suitability for employment, including right to work checks and verification of references and qualifications.

  • Administering pay and benefits including holiday pay.

  • Assessing suitability for a particular role or task, including where health, safety or fitness to work considerations are relevant.

  • Investigating and managing disciplinary, grievance or whistleblowing matters where special category data needs to be considered.

  • Establishing a contact point in the event of an emergency (such as next of kin).

  • Preventing, identifying and responding to equality, welfare, health and safety or safeguarding risks and incidents.

  • Public health management, including infection control where relevant.

  • Applying for or administering funding, relief or support measures linked to employment during emergencies where relevant.

  • Complying with regulatory and legislative requirements.

  • Ensuring your security and the security of Company information and data.

We process special category personal data in accordance with Article 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018. 

Monitoring

Any work you create as part of your role, whether on paper, on a computer, or in any other format, belongs to The Company. We may review work-related information and activities on Company systems where this is necessary for our legitimate interests in business operations, security, safeguarding and regulatory compliance, or to comply with legal obligations, provided any monitoring is proportionate. 

Where relevant to the role, we may track the GPS location of fundraisers during working time where this is necessary for our legitimate interests in lone working, health and safety, operational management, data accuracy and fraud prevention, provided those interests are not overridden by your rights and interests. 

We may monitor the use of Company computers, email accounts and other business communication systems where this is necessary for our legitimate interests in managing and protecting our business, or to comply with legal or regulatory obligations. 

This does not mean employees are monitored at all times. Monitoring may take place in specific circumstances through the use of Company systems and resources. Any monitoring will be carried out only where justified and proportionate, and in line with our legal obligations. 

Monitoring activities are undertaken only where necessary for legitimate business purposes, including business operations, security, safeguarding, lone working, health and safety, fraud prevention, regulatory compliance and protection of company assets, or to comply with legal obligations.  

How Do We Use Your Personal Information?

We use your personal information for the purposes set out in this policy where this is necessary to take steps before entering into a contract, to perform the employment contract, to comply with legal obligations, or for our legitimate interests in managing the employment relationship. Where the law requires your consent, we will ask for it before using or disclosing your personal information. 

When Do We Disclose Your Personal Information?

We may share your personal information with employees, contractors, advisers, consultants, service providers and other parties where this is necessary to take steps before entering into a contract, to perform the employment contract, to comply with legal obligations, or for our legitimate interests in establishing, managing, funding or ending the employment relationship. 

We may also disclose your personal information where this is necessary to perform the employment contract, to comply with legal obligations, to protect vital interests, for our legitimate interests, or with your consent where consent is the appropriate basis: 

  • Where necessary to perform the employment contract or to take steps at your request before entering into it.

  • Where permitted or required by law or regulatory requirements, in which case we will disclose only what is reasonably necessary in the circumstances. 

  • To comply with valid legal processes such as warrants or court orders.

  • As part of our regular reporting activities within the Company, where this is necessary for employment administration, legal compliance or our legitimate business interests.

  • Where necessary for our legitimate interests in protecting the rights, property, security or operations of the Company or others, provided those interests are not overridden by your rights and interests.

  • During emergencies or where necessary to protect the vital interests of you or another person.

  • Where special category data needs to be used to assess working capacity or to meet obligations in connection with employment, social security or social protection law.

We do not routinely transfer your personal data outside the UK or EEA. If this changes, we will do so only where appropriate safeguards are in place and where required by law.  

Notification and Consent

Privacy law does not usually require us to obtain your consent to collect, use or disclose personal information where this is necessary to take steps before entering into a contract, to establish, manage or end the employment relationship, to comply with legal obligations, or for legitimate interests that are not overridden by your rights and interests. 

Where your consent is required or has been obtained, you may withdraw it at any time, subject to legal or contractual restrictions and reasonable notice. Any request to withdraw or change consent should be made in writing to privacy@thefundraisingpartnership.co.uk

How is Your Personal Information Protected?

We maintain physical, technical and organisational safeguards appropriate to the sensitivity of the personal information concerned. These include firewalls, encryption, and other information security controls, systems and procedures. They are designed to protect your personal information from loss and from unauthorised access, copying, use, modification or disclosure. 

Where personal data is shared with service providers or other organisations, we use appropriate contractual and organisational measures to protect it. If personal data is transferred outside the UK or EEA, we will use appropriate safeguards as required by law. 

How Long is Your Personal Information Retained?

For unsuccessful applicants, or applicants who do not accept a role with us, we usually delete personal data after two months unless you ask us to keep it for longer. 

For recruited staff, unless the law requires otherwise, we retain personal information only for as long as necessary to meet the purposes for which it was collected, including contractual, legal, accounting, reporting and regulatory requirements. Instead of deleting or erasing personal information, we may anonymise it so it can no longer be linked to you. 

Personal data retention periods are set out in the Company’s Data Retention Schedule and Data Protection and Privacy Policy. 

Updating Your Personal Information

It is important that the personal information we hold is accurate and up to date. If your personal information changes during your employment, please tell us as soon as possible. 

In some circumstances, we may not agree to change your personal information and may instead add a note to the relevant record. 

Access to Your Personal Information

You may ask for access to the personal information we hold about you, and you may ask us to review, correct or update it where appropriate. Please contact: 

privacy@thefundraisingpartnership.co.uk

Please make any such request in writing. 

When you make a request, we may ask for information to confirm your identity and help us locate the personal information you have asked for. 

Subject access requests are usually free of charge. We may charge a reasonable fee only if a request is manifestly unfounded, excessive or repetitive, or if you ask for additional copies. 

Your right of access is not absolute. In some cases, the law allows or requires us to withhold some information. Personal information may also have been deleted, erased or anonymised in line with our retention requirements. 

If we cannot provide access, we will explain why, unless legal or regulatory restrictions prevent us from doing so. 

Accountability requirements

The Company maintains records demonstrating compliance with UK data protection legislation, including: 

  • Subject access request logs.

  • Data protection complaint logs.

  • Data breach records.

  • Staff training records.

  • Records of processing activities where required. 

Your other legal rights

Data protection law gives you other rights as well. These rights are not always absolute and depend on the circumstances. They include the right to: 

  • Request erasure of your personal data in certain circumstances, where there is no lawful reason for us to keep using it.

  • Request that we restrict how we use your personal data in certain circumstances.

  • Receive certain personal data in a structured, commonly used and machine-readable format, and ask for it to be transferred where this right applies.

  • Object to processing based on legitimate interests or the performance of a task carried out in the public interest.

  • Challenge certain decisions made solely by automated means, where this right applies. 

You have the right to raise your concerns with the Information Commissioner’s Office. You can contact them via their website at www.ico.org.uk, by phone on:

0303 123 1113, or by writing to: 

Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF