Employee & Volunteer Privacy Notice
We are committed to being transparent about how we collect and use data.
What information do we collect?
We collect and process personal information to manage our relationship with you. This includes
- information provided by you such as name, address and contact details, including email address and telephone number, date of birth and gender
- the terms and conditions of employment
- details of qualifications, skills, experience, volunteering and employment history, including start and end dates with previous employers and with the organisation
- information about pay and benefits
- details of bank accounts and national insurance number
- information about marital status, next of kin, dependants and emergency contacts
- information about nationality and entitlement to work in the UK
- information from references
- information obtained on vetting, right to work and Disclosure and Barring Service (DBS) checks including the outcome of the checks. The right to work check includes processing of facial mapping data.
- details of work or volunteering patterns (days of work and hours)
- details of periods of leave taken, including holiday, sickness and other absence, and the reasons for the leave
- details of any disciplinary or grievance procedures, including any warnings issued and related correspondence
- performance management information, including probation meetings, appraisals, performance reviews and ratings, training participated in, performance improvement plans and related correspondence
- information about medical or health conditions, including disability for which we need to make reasonable adjustments
- special category personal data, such as information about gender and gender identity, ethnicity, sexual orientation, disability or religion or belief, for the purposes of diversity monitoring. This data is anonymised or is collected with the consent of the individual employees, which can be withdrawn at any time. Individuals are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so. Records are stored on the HR system and individuals can amend or delete the data.
How is the information collected?
Data is collected through application forms and/or CVs; obtained from passports or other identity documents; from forms completed at the start of our relationship (such as new starter or benefit nomination forms); from correspondence; through interviews, meetings or other assessments; updates of personal records on our HR Information System.
We collect personal data from third parties, such as references from former employers and information from vetting and criminal records checks.
Data is stored in a range of different places, including in your individual file, in our HR management systems, the time tracking system and in other IT systems (including network drives and email system).
Why we process personal data
We process data to enter into an employment or volunteering contract and to meet our obligations arising from that relationship. For example, to pay you and to administer benefits such as pension and life insurance.
We need to process personal data to ensure we comply with legal obligations such as antiterrorism checks and to check entitlement to work in the UK, to deduct tax, to comply with health and safety laws, to enable periods of leave and to consult with employee representatives. It is sometimes necessary to carry out criminal records checks to ensure that individuals are permitted to undertake a role.
Lawful basis for processing personal data
Most employee and volunteer data is processed on the lawful basis of contract. Some of your data is processed on the basis of our legal obligations eg identity and right to work checks.
In other cases, we have a legitimate interest to process personal data before, during and after the relationship. Before we rely on legitimate interests, we assess whether our interests, or those of a third party are overridden by the rights and freedoms of the individual and have concluded that they are not.
Processing employee or volunteer data allows us to:
- plan for career development, and for succession planning and workforce management purposes
- respond to and defend against legal claims
- maintain and promote equality, diversity and inclusion in the workplace.
Who has access to data?
Information will be shared internally, including with members of the People and Culture team, your line manager, managers in the business area, senior managers, Workplace & Facilities and IT staff if access to the data is necessary for performance of their roles. Information is also shared within the Plan International network eg email address.
Data could be shared with employee representatives in the context of collective consultation on a redundancy or merger. The information would be limited to that needed for the purposes of consultation, such as name, role and length of service.
We share data with third parties in order to obtain pre-employment references and to obtain necessary criminal records checks from the Disclosure and Barring Service and to conduct anti-fraud and anti-terrorism checks.
We share your data with third parties that process data on our behalf, in connection with payroll, the provision of benefits such as life insurance and pensions and the provision of occupational health services.
Data may be shared for the purposes of audit or donor compliance on the lawful basis of legal obligation or legitimate interest. For example, name and salary data may be shared with other teams internally (eg Finance and Grants Finance) or third parties for due diligence checks.
Data may be transferred to countries outside the European Economic Area (EEA) for information required within Plan International or for audit or compliance purposes. Where such transfers are required adequate safeguards will be implemented such as International Transfer Risk Assessments, International Data Agreements or a contract with valid transfer clauses will be in place.
How do we protect data?
We have policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. These include the Data Protection Policy, the Data Retention Policy and the Unstructured Personal Data Standard.
When we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to secure of data.
For how long do we keep data?
How long we retain your data is governed by our Data Retention Policy. After you leave the organisation, we delete your bank details data after 3 months. We will retain only key information regarding your employment history after 6 years, unless we are required to maintain data for a longer period for compliance or donor reporting reasons.
As a data subject you have the right to request the following:
- access and obtain a copy of your data on request
- to change incorrect or incomplete data
- to delete or stop processing your data, for example where the data is no longer necessary for the original purpose(s) of processing
- object to the processing of your data where the legal basis for processing is legitimate interests or consent as
- to stop processing data if data is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate interests
To exercise any of these rights, please contact the organisation’s Data Protection Officer either directly or by emailing email@example.com.
If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner’s Office (ICO) using their help line 0303 123 1113 or visit their website.
What if you do not provide personal data?
It is necessary for you to share your information in order for us to manage the relationship between us. Employees have obligations under the employment contract to provide their personal data. In particular to report absences from work and to provide information about disciplinary or other matters under the implied duty of good faith. You may have to provide your data to exercise statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that statutory rights cannot be exercised.
Information such as contact details, your right to work in the UK and payment details, have to be provided to enable us to enter a contract with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of our relationship efficiently.
Employment and volunteering decisions are not based solely on automated decisionmaking.
Last updated: October 2022