GDPR Handbook
General Data Protection Regulation (GDPR) Employee Information
​
GDPR stands for the General Data Protection Regulation and came into force across Europe on 25th May 2018; it has been fully adopted by the UK, replacing the Data Protection Act. Personal data covers any piece of information that can be used to uniquely identify you, such as photographs, CVs, bank details, address etc. It also includes special categories of personal data, such as physical and mental health or biometric data, that are considered especially sensitive and require additional protection.
​
We are committed to safeguarding the privacy of our employees and clients; in this handbook we will explain how we will handle your personal data, your rights and your obligations as an employee.
​
GDPR APPLIES TO ALL PERSONAL DATA, INCLUDING YOUR OWN, CLIENTS, PUPILS, SUPPLIERS, COLLEAGUES AND ALL OTHER CATEGORIES.
​
Our Commitment
​
PERSONAL DATA
​
We process your personal information for the purposes of administering your employment and managing our employees.
​
If we need to use your personal data for any other reason, we will inform you and, where necessary, obtain your consent.
​
THIRD PARTIES
Wilson Vale will not disclose personal data to third parties unless:
- Required to by law
- There is an information sharing agreement in place to ensure that any processing by the third party will be within the law and maintain your rights
- It is necessary to fulfil a legitimate purpose that has been advised to you, the data subject
​
We share your personal data with approved third parties including the following organisations:
- Pension provider
- HMRC
- Occupational Health Professionals
- Staff benefit providers
- Clients, including your CV, DBS certificates, disciplinary records etc.
- Companies that help us run our IT systems and companies that securely archive and dispose of our confidential waste
- Alternative catering service provider in the event of a TUPE transfer
​
STORAGE AND RETENTION OF DATA
​
Your personal data will be stored securely by Wilson Vale for the duration of your employment with us. Following the termination of your employee contract, your personal data is retained in line with government legislation. After this point, your data is securely destroyed by an approved third party.
​
Should your employment transfer to another service provider under The Transfer of Undertakings (Protection of Employment) Regulations 1981 (TUPE), we shall be legally required to provide the details of your employment contract to your new employer.
​
Employee Obligation
Under the new ruling, you can be held personally liable for any breaches of the law. This includes buying or selling personal data, tampering with or using it for your own purposes, however well intentioned. This may result in a fine and/or convictions.
As our employee it is your responsibility to:
- Update us with any amendments to your current information, e.g. address, telephone number
- Ensure every effort is made to keep personal data relating to yourself and others secure and confidential
- Always protect with a password any documents containing personal data that you save or send electronically
- Never save any documents containing personal data to an external hard drive e.g. USB stick
- Retain employee records for the required time period only – see below under Retention Periods.
- Dispose of any personal data appropriately and securely (e.g. permanently delete or shred)
- Maintain confidentiality and share only the minimum data necessary with those entitled to have it and in an appropriately secure manner
- Report any potential breaches that you become aware of immediately. Any breach of this may be investigated and where proven, may result in disciplinary action being taken, up to and including dismissal and referral to law enforcement where warranted.
​
Reporting a Breach or Potential Breach
​
WHAT IS A BREACH?
​
A personal data breach means a breach of security or procedures leading to the unlawful disclosure, use, access, alteration, loss or destruction of personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
​
For example:
- Your filing cabinet containing personal information has been tampered with, or
- The computer system at site has been hacked/infected with a virus

These are both incidents that could result in the unauthorised disclosure of personal data and we must be made aware of them by the fastest possible means so we can take steps to reduce the impact and help to avoid it happening again.

You also need to make us aware of any concerns you may have about handling of personal data, however trivial it may seem, so we can advise on preventative measures.

WHAT TO DO – LET US KNOW!
​
We have appointed a Data Protection Officer and have a Data Protection Team with a dedicated email address (dpo@wilsonvale.co.uk) who are available should you witness a breach of personal data or need guidance. They can also be reached by telephone on 01530 563100.
​
Your Rights
​
The GDPR provides the following rights for individuals:
​
- The right to be informed – to know what information we hold about you and why
- The right of access – to request copies of your personal data
- The right to rectification – to have inaccurate personal data corrected
- The right to erasure – to have personal data erased under limited conditions
- The right to restrict processing – to have the processing suspended in certain circumstances
- The right to data portability – to have personal data sent directly to another company
- The right to object – to personal data being used for marketing and advertising to you
- The right to complain – to us and/or the ICO
- The right to have the complaint investigated by the ICO and, where upheld, right to judicial remedy
- Rights in relation to automated decision making and profiling – to have an explanation of the logic behind any computer-based decisions
​
Further information can be found on the Information Commissioner’s Office website: ico.org.uk
​
Subject Access Requests (SAR)
​
You have the right to request what information we hold on you and where it has been shared internally and with third parties. We will always try to help you within our routine HR administration activities but you can also make a formal written request. This is called a Subject Access Request (SAR).
THE PROCESS
​
- You must contact the Data Protection Officer in the first instance – dpo@wilsonvale.co.uk
- We will issue you an open bodied letter for you to complete in full
- You then need to submit this back to us in writing – please note, we will ask you to provide an indication of the information you are requesting, including date and time frames to help us fulfil your request
- We will need to verify your identity prior to disclosing any information
- We have 30 days to initially respond to your SAR

If we believe that your request is unfounded or excessive, we can charge a reasonable fee or refuse to respond. We will inform you why we have made that decision and provide you with the relevant supervisory authority contact information with whom you can lodge a complaint. All of your other rights under GDPR can be found above.
​
Retention Periods
​
BUSINESSES ARE ONLY PERMITTED TO RETAIN DATA FOR SPECIFIC PERIODS.
​
AT WILSON VALE WE HAVE SHORTER RETENTION PERIODS AT SITE LEVEL AS HEAD OFFICE WILL HAVE COPIES OF MOST OF THE PERSONAL DATA YOU HOLD WHICH WE RETAIN FOR THE APPROPRIATE LEGAL TIME FRAMES BEFORE SECURELY DESTROYING IT.
​
Site Retention Periods
​
We have covered the main categories of data here but please contact one of the data protection team at head office should you require more information.
​
CVs
Retention period: 3 months for non-shortlisted candidates
Retention period: 6 months for shortlisted candidates, interview notes
PERSONNEL RECORDS
Retention period: Until employment ceases
(Head Office to keep for 6 years)
WAGE AND SALARY RECORDS
Retention period: 3 months
Sent to Head Office
DBS CERTIFICATES AND QUERCUS
Retention period: Do not keep at site level
WRS
Retention period: 3 months
Sent to Head Office
​
Complaints Procedures and Useful Information
​
COMPLAINTS PROCEDURE
If you believe that there has been a breach of your personal data or are unhappy with a recent event relating to personal data, please contact the Data Protection Officer by email or telephone. You can also log a complaint directly with the ICO.
USEFUL INFORMATION
Wilson Vale
dpo@wilsonvale.co.uk / 01530 563 100
Ivanhoe Office Park, Ivanhoe Park Way, Ashby de la Zouch, Leicestershire, LE65 2AB
Information Commissioner’s Office (ICO)
You can find more information regarding the General Data Protection Regulation or log a complaint at ico.org.uk or by calling 0303 123 1113.