DATA CONTROLLER (“the Company”):   IFPL Group Limited
DATA COMPLIANCE OFFICER:  Michael Woodward, Quality Manager

INTRODUCTION

The Company collects and processes personal information, or personal data, relating to its employees, workers and contractors to enable it to effectively manage its working relationships. This personal information may be held by the Company on paper or in electronic format.

The Company is committed to being transparent about how it handles personal information, to protecting the privacy and security of personal information and to meeting its data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018.

The purpose of this privacy notice is to make people aware of how and why we will collect and use personal information both during and after any working relationship with the Company. We are required under GDPR to notify those effected, of the information contained in this privacy notice.

This privacy notice applies to all current and former employees, workers and contractors. It is noncontractual and does not form part of any employment contract, casual worker agreement, consultancy agreement or any other contract for services.

The Company has appointed a data compliance manager to oversee compliance with this privacy notice. If you have any questions about this privacy notice or about how we handle personal information, please contact admin@ifpl.com with your query.

DATA PROTECTION PRINCIPLES

Under the GDPR, there are six data protection principles that the Company must comply with. These provide that the personal information we hold about you must be:

1. Processed lawfully, fairly and in a transparent manner.
2. Collected only for legitimate purposes that have been clearly explained and not further processed in a way that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to those purposes.
4. Accurate and, where applicable, kept up to date.
5. Kept in a form which permits identification for no longer than is necessary for those purposes.
6. Processed in a way that ensures appropriate security of the data.

The Company is responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.

WHAT TYPES OF PERSONAL INFORMATION DO WE COLLECT?

Personal information is any information about an individual from which that person can be directly or indirectly identified. It does not include anonymised data, i.e. where all identifying have been removed. There are also “special categories” of personal information, and personal information on criminal convictions and offences, which requires a higher level of protection because it is of a more sensitive nature. The special categories of personal information comprise information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.

The Company collects, uses and processes a range of personal information. This includes (as applicable):

• contact details, including name, address, telephone number and personal e‐mail address
• emergency contact details/next of kin
• date of birth
• gender
• marital status
• the start and end dates of employment or engagement
• recruitment records, including personal information included in a CV, any application form, cover letter, interview notes, references, copies of proof of right to work in the UK documentation, copies of qualification certificates, copy of driving licence and other background check documentation
• the terms and conditions of employment or engagement (including job title and working hours), as set out in a job offer letter, employment contract, written statement of employment particulars, casual worker agreement, consultancy agreement, pay review and bonus letters, statements of changes to employment or engagement terms and related correspondence
• details of skills, qualifications, experience and work history, both with previous employers and with the Company
• professional memberships
• salary, entitlement to benefits and pension information
• National Insurance number
• bank account details, payroll records, tax code and tax status information
• any disciplinary, grievance and capability records, including investigation reports, collated evidence, minutes of hearings and appeal hearings, warning letters, performance improvement plans and related correspondence
• appraisals, including appraisal forms, performance reviews and ratings, targets and objectives set
• training records
• annual leave and other leave records, including details of the types of and reasons for leave being taken and related correspondence*
• any termination of employment or engagement documentation, including resignation letters, dismissal letters, redundancy letters, minutes of meetings, settlement agreements and related correspondence*
• information obtained through electronic means, such as swipe card or clocking‐in card records
• information about use of our IT systems, including usage of telephones, e‐mail and the Internet
• photographs

The Company may also collect, use and process the following special categories of your personal information (as applicable):

• information about health, including any medical condition, whether individuals have a disability in respect of which the Company needs to make reasonable adjustments, sickness absence records (including details of the reasons for sickness absence being taken), medical reports and related
  correspondence
• information about criminal convictions and offences.

WHY AND HOW DO WE USE YOUR SENSITIVE PERSONAL INFORMATION?

The Company may collect personal information about employees, workers and contractors in a variety of ways. It is collected during the recruitment process, either directly or sometimes from a third party such as an employment agency. We also collect personal information from other external third parties, such as references from former employers, and criminal record checks from the Disclosure and Barring Service (DBS).

We will collect personal information throughout the period of any working relationship with us. This may be collected in the course of work‐related activities. Whilst some of the personal information provided to us is mandatory and/or is a statutory or contractual requirement, some of it may be requested on a voluntary basis. Personal information is stored in different places, including personnel files (hard and electronic copy), in the Company’s HR management system and in other IT systems, such as MS Teams HR Channels.

WHY AND HOW DO WE USE YOUR PERSONAL INFORMATION?

We will only use personal information when the law allows us to. This is known as the legal bases for processing. We will use personal information in one or more of the following circumstances:

• where we need to do so to perform the employment contract, casual worker agreement, consultancy
• agreement or contract for services we have entered with you (1)
• where we need to comply with a legal obligation (2)
• where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our interests (3).

We may also occasionally use personal information where we need to protect vital interests (or someone else’s vital interests).

We need all the types of personal information listed under “What types of personal information do we collect about you?” primarily to enable us to perform our contract (1) and to enable us to comply with our legal obligations (2). In some cases, we may also use personal information where it is necessary to pursue our legitimate interests (or those of a third party), provided that individual interests or fundamental rights and freedoms do not override our interests (3).

Our legitimate interests include: performing or exercising our obligations or rights under the direct relationship that exists between the Company and its employee, worker or contractor; pursuing our business by employing (and rewarding) employees, workers and contractors; performing effective internal administration and ensuring the smooth running of the business; ensuring the security and effective operation of our systems and network; protecting our confidential information; and conducting due diligence on employees, workers and contractors. We believe that individuals have a reasonable expectation, as our employees, workers or contractors, that we will process personal information. We have indicated, by using (1), (2) or (3) next to each type of personal information listed above, what lawful basis we are relying on to process that personal information.

The purposes for which we are processing, or will process, your personal information are to:

• enable us to maintain accurate and up‐to‐date employee, worker and contractor records and contact details (including details of whom to contact in the event of an emergency)
• run recruitment processes and assess suitability for employment, engagement or promotion
• comply with statutory and/or regulatory requirements and obligations, e.g. checking your right to work in the UK
• comply with the duty to make reasonable adjustments for disabled employees and workers and with other disability discrimination obligations
• maintain an accurate record of employment or engagement terms
• administer the contract we have entered
• make decisions about pay reviews and bonuses
• ensure compliance with your statutory and contractual rights
• ensure individuals are paid correctly and receive the correct benefits and pension entitlements, including liaising with any external benefits or pension providers or insurers
• ensure compliance with income tax requirements, e.g. deducting income tax and National Insurance contributions where applicable
• operate and maintain a record of disciplinary, grievance and capability procedures and action taken
• operate and maintain a record of performance management systems
• record and assess your education, training and development activities and needs
• plan for career development and succession
• manage, plan and organise work
• enable effective workforce management
• operate and maintain a record of annual leave procedures
• operate and maintain a record of sickness absence procedures
• ascertain your fitness to work
• operate and maintain a record of maternity leave, paternity leave, adoption leave, shared parental leave, parental leave and any other type of paid or unpaid leave or time off work
• ensure payment of SSP or contractual sick pay
• ensure payment of other statutory or contractual pay entitlements, e.g. SMP, SPP, SAP and ShPP
• meet our obligations under health and safety laws
• make decisions about continued employment or engagement
• operate and maintain a record of dismissal procedures
• provide references on request for current or former employees, workers or contractors
• prevent fraud
• monitor use of our IT systems to ensure compliance with our IT‐related policies
• ensure network and information security and prevent unauthorised access and modifications to systems
• ensure effective HR, personnel management and business administration, including accounting and auditing
• ensure adherence to Company rules, policies and procedures
• monitor equal opportunities
• enable us to establish, exercise or defend possible legal claim*

Please note that we may process your personal information without your consent, in compliance with these rules, where it is required or permitted by law.

FAILURE TO PROVIDE PERSONAL INFORMATION

Failure to provide certain personal information when requested or required, may mean we are not able to perform the contract we have entered, or we may be prevented from complying with our legal obligations. Individuals may also be unable to exercise their statutory or contractual rights.

WHY AND HOW DO WE USE YOUR SENSITIVE PERSONAL INFORMATION?

The Company will only collect and use sensitive personal information, which includes special categories of personal information and information about criminal convictions and offences, when the law additionally allows us to.

Some special categories of personal information, i.e. information about your health or medical conditions, and information about criminal convictions and offences, is also processed so that we can perform or exercise our obligations or rights under employment law and in line with our GDPR Data Protection Policy.

The Company may also process these special categories of personal information, and information about any criminal convictions and offences, where we have explicit written consent to do so. In this case, we will first provide full details of the personal information we would like and the reason we need it, so that
individuals can properly consider whether they wish to consent or not. It is entirely the individual’s choice whether to consent. Consent can be withdrawn at any time.

The purposes for which we are processing, or will process, these special categories of personal information, and information about any criminal convictions and offences, are to:

• assess suitability for employment, engagement or promotion
• comply with statutory and/or regulatory requirements and obligations, e.g. carrying out criminal record checks
• comply with the duty to make reasonable adjustments for disabled employees and workers and with other disability discrimination obligations
• ensure compliance with statutory and contractual rights
• ascertain fitness to work
• manage, plan and organise work
• enable effective workforce management
• meet our obligations under health and safety laws
• make decisions about continued employment or engagement
• ensure effective HR, personnel management and business administration
• ensure adherence to Company rules, policies and procedures

We may also occasionally use your special categories of personal information, and information about any criminal convictions and offences, where it is needed for the establishment, exercise or defence of legal claims.

CHANGE OF PURPOSE

The Company will only use personal information for the purposes for which it was collected. In the event we may need to use personal information for a purpose other than that for which it was collected, we will provide, prior to that further processing, individuals with information about the new purpose. We will explain the legal basis which allows us to process personal information for the new purpose and we will provide any relevant further information. We may also issue a new privacy notice.

WHO HAS ACCESS TO PERSONAL INFORMATION 

Personal information may be shared internally within the Company, including with members of the HR department, payroll staff, Line Managers, other managers in the department in which you work and IT staff if access to personal information is necessary for the performance of their roles.

The Company may also share personal information with third‐party service providers (and their designated agents), including:

• external organisations for the purposes of conducting pre‐employment reference and employment background checks
• benefits providers and benefits administration, including insurers
• pension scheme provider and pension administration
• occupational health providers
• external IT services
• external auditors
• professional advisers, such as lawyers and accountants

The Company may also share personal information with other third parties in the context of a potential sale or restructuring of some or all its business. In those circumstances, personal information will be subject to confidentiality undertakings.

We may also need to share personal information with a regulator, or to otherwise comply with the law.

We may share personal information with third parties where it is necessary to administer the contract we have entered, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party).

HOW DOES THE COMPANY PROTECT PERSONAL INFORMATION?

The Company has put in place measures to protect the security of personal information. It has internal policies, procedures and controls in place to prevent personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way.

Access is limited to personal information, to those employees, workers, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities. Further information about these measures can be requested from our data compliance manager.

Where personal information is shared with third‐party service providers, we require all third parties to take appropriate technical and organisational security measures to protect it and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.

The Company also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.

HOW LONG DOES THE COMPANY KEEP PERSONAL INFORMATION?

The Company will only retain personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.

The Company will generally hold personal information for the duration of employment or engagement. The exceptions are:

• any personal information supplied as part of the recruitment process will not be retained if it has no bearing on the ongoing working relationship
• personal information about criminal convictions and offences collected in the course of the recruitment process will be deleted once it has been verified through a DBS criminal record check, unless, in exceptional circumstances, the information has been assessed by the Company as relevant
  to the ongoing working relationship
• it will only be recorded whether a DBS criminal record check has yielded a satisfactory or unsatisfactory result, unless, in exceptional circumstances, the information in the criminal record check has been assessed by the Company as relevant to the ongoing working relationship
• if it has been assessed as relevant to the ongoing working relationship, a DBS criminal record check will nevertheless be deleted after 12 months or once the conviction is “spent” if earlier (unless information about spent convictions may be retained because the role is an excluded occupation or
  profession)
• disciplinary, grievance and capability records will only be retained until the expiry of any warning given (but a summary disciplinary, grievance or performance management record will still be maintained for the duration of your employment).

Once individuals have left employment, or engagement has been terminated, the Company will hold personal information for 12 months after the termination of employment or engagement, but this is subject to: (a) any minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records, and (b) the retention of some types of personal information for up to six years to protect against legal risk, e.g. if they could be relevant to a possible legal claim in a tribunal, County Court or High Court.

We hold payroll, wage and tax records (including salary, bonuses, overtime, expenses, benefits and pension information, National Insurance number, PAYE records, tax code and tax status information) for six years after the termination of employment or engagement.

We will “thin” the file of personal information we hold six months after the termination of employment or engagement, so that we only continue to retain for a longer period what is strictly necessary.

Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we also require third parties to destroy or erase such personal information where applicable.

In some circumstances we may anonymise personal information so that it no longer permits identification. In this case, we may retain such information for a longer period.

RIGHTS IN CONNECTION WITH PERSONAL INFORMATION

It is important the personal information we hold is accurate and up to date. It is an individual’s responsibility to advise us should their information change, e.g. change of home address.

The Company cannot be held responsible for any errors in personal information in this regard unless the Company has been notified of the relevant change.

As a data subject, individuals have a number of statutory rights. Subject to certain conditions, and in certain circumstances, they have the right to:

• request access to their personal information ‐ this is usually known as making a data subject access request and it enables them to receive a copy of the personal information held about them and to check that we are lawfully processing it
• request rectification of personal information ‐ this enables them to have any inaccurate or incomplete personal information held corrected
  Page
• request the erasure of personal information ‐ this enables individuals to ask us to delete or remove personal information where there is no compelling reason for its continued processing, e.g. it is no longer necessary in relation to the purpose for which it was originally collected
• restrict the processing of personal information ‐ this enables individuals to ask us to suspend the
  processing of personal information, e.g. if they contest its accuracy and so want us to verify its
  accuracy
• object to the processing of personal information ‐ this enables individuals to ask us to stop processing their personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to their particular situation which makes
  them decide to object to processing on this ground
• data portability ‐ this gives individuals the right to request the transfer of their personal information to another party so that they can reuse it across different services for their own purposes.

Should any individual wish to exercise any of these rights, please contact our data compliance manager.

We may need to request specific information in order to verify identity and check the right to access the personal information or to exercise any of the other rights. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. In the limited circumstances where individuals have provided their consent to the processing of personal information for a specific purpose, they have the right to withdraw consent for that specific processing at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. Anyone wishing to withdraw consent, should contact our data compliance manager. Once we have received notification that consent has been withdrawn, we will no longer process personal information for the purpose for which it was originally agreed, unless we have another legal basis for processing.

Should an individual believe the Company has not complied with its data protection rights, they have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues.

TRANSFERRING PERSONAL INFORMATION OUTSIDE THE EUROPEAN ECONOMIC AREA

The Company may transfer personal information to countries outside the European Economic Area (EEA) should there be a genuine business need. There may not be an adequacy decision by the European Commission in respect of these countries. This means that the country to which we transfer personal information may not be deemed to provide an adequate level of protection for personal information.

To ensure personal information does receive an adequate level of protection, it is only transferred outside the EEA on the basis it will be treated in accordance with GDPR regulations even if the transferring country is not obliged to adhere by it.

AUTOMATED DECISION MAKING

Automated decision making occurs when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any employment decisions will be taken based solely on automated decision making, including profiling.

CHANGES TO THIS PRIVACY NOTICE

The Company reserves the right to update or amend this privacy notice at any time, including where the Company intends to further process personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information.

We will issue a new privacy notice when we make significant updates or amendments. We may also notify individuals about the processing of personal information in other ways.

CONTACT

Should there be any questions about this privacy notice or how the Company handles personal information, then please contact our data compliance manager by emailing admin@ifpl.com.