Personal Touch Care Services Limited (“the Company”)
Employee Privacy Notice
The Company collects and processes personal data relating to its employees to manage the employment relationship. The Company is committed to being transparent about how it collects and uses that data and to meet its data protection obligations.
This privacy notice explains:
the categories of personal data the Company collects;
how the Company collects your personal data;
the lawful processing conditions for personal data;
who has access to your data;
how is your data protected;
how long is data kept;
what if you don’t provide your data;
automated decisions; and
Categories of personal data
The Company collects and processes a range of information about you. This includes:
details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the Company;
the terms and conditions of your employment including information about your remuneration, including entitlement to any benefits;
details of your schedule (days of work and working hours) and details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
details of your bank account, tax and social security number;
information about your nationality and entitlement to work in Jersey, your next of kin and emergency contacts;
details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
details of any criminal records, convictions or charges;
assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence; and
information about medical or health conditions, including whether or not you have a disability for which the Company needs to make reasonable adjustments under discrimination law.
How the Company collects your personal data
The Company collects this information in a variety of ways. Data is collected through application forms, CV’s or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms or personal details form); from correspondence with you; or through interviews, meetings or other assessments and/or investigations when utilising the Company’s policies and procedures or when you use HR services.
In some cases, the Company collects personal data about you from third parties, such as: recruitment or government agencies; references supplied by former employers; information from employment background check providers; information you provide to the Company’s media relations provider; from credit reference agencies and information from criminal records checks permitted by law. Data is stored in a range of different places, including in your personnel file, in the Company’s HR management systems and in other IT systems (including the Company’s email system).
Lawful Processing Conditions
Where the Company holds and processes personal data (including special category data) it will do so normally for the following lawful basis:
Contract: the processing is necessary for a contract the Company has with you, or because you have asked the Company to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for the Company to comply with a law (not including contractual obligations).
Legitimate interests: the processing is necessary for the Company’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.
The Company may also use personal information with:
Consent: you have given clear consent for the Company to process your personal data for a specific purpose and have given explicit consent for the processing of special category data, where required.
Finally the Company may also use personal information in the following situations, which are likely to be rare:
Public Interest: the processing is necessary for the Company to perform a task in the public interest or for the Company’s official functions, and the task or function has a clear basis in law.
Vital interests: the processing is necessary to protect your life.
The Company needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example:
it needs to process your data to provide you with an employment contract;
to pay you in accordance with your employment contract;
to administer any benefits;
maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
to operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled.
In some cases, the Company needs to process data to ensure that it is complying with its legal obligations. For example:
it is required to check your entitlement to work in Jersey;
to deduct tax and social security;
to comply with health and safety laws;
respond to and defend against legal claims;
operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
to enable you to take periods of leave to which you are entitled;
obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, and meet its obligations under health and safety or discrimination laws; and
operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the Company complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
In other cases, the Company has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Where the Company relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by your rights and freedoms and has concluded that they are not. Processing your data allows the Company to:
run recruitment and promotion processes;
operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
ensure effective general HR and business administration;
provide references on request for current or former employees; and
maintain and promote equality in the workplace.
In limited circumstances, the Company may process your data (including special category data) with your consent. However, in some instances even special category data may fall under a legal or contract processing reason. For example:
information about trade union membership may be used to pay trade union premiums, register the status of a protected staff member and to comply with employment law obligations;
it may be necessary to carry out criminal records checks to ensure that you are permitted to undertake a role in question, or to work for certain clients, in these circumstances the Company will require your consent;
information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). However where the Company requires further information such as medical or health history, it will seek your express consent;
information about ethnic origin, sexual orientation, or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the Company uses for these purposes is collected with your express consent, which can be withdrawn at any time.
You are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
Who has access to your data?
Your information will be shared internally, including with members of the senior management team, directors, directors of any subsidiary company of the Company, those responsible for payroll, and your line manager.
The Company shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from a disclosure and barring service. The Company may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances, the data will be subject to confidentiality arrangements.
The Company also shares your data with third parties that process data on its behalf, such as in connection with payroll, the provision of benefits, the provision of IT systems for its hosted desktop and the provision of occupational health services.
How does the Company protect your data?
The Company takes the security of your data seriously. the Company has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Full details of security measures can be found in the Company’s data protection policy in the Handbook.
Access to personal information is limited to those staff members, agents, contractors and other third parties who have a business need to know. Where the Company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to
ensure the security of data.
The Company expects staff members handling personal data to take steps to safeguard personal data of staff members (or any other individual) in line with this Privacy Notice and the Company’s Data protection policy.
For how long does the Company keep data?
The Company will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment can be found in the schedule accompanying this privacy statement.
Your rights and obligations
The Company will conduct regular reviews of the information held by it to ensure the relevancy of the information it holds. You are under a duty to inform the Company of any changes to your current circumstances.
As a data subject, you have a number of rights. You can:
access and obtain a copy of your data on request;
require the Company to change incorrect or incomplete data;
require the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing; and
ask the Company to stop processing data for a period if the data is inaccurate or there is a dispute about whether or not your interests override the Company’s Law’s legitimate grounds for processing data.
If you would like to exercise any of these rights, please request a copy of the forms from the Registered Manager. If you believe that the Company has not complied with your data protection rights, you can complain to the Information Commissioner.
You also have obligations to the Company, particularly if you are tasked with regularly handling personal data of colleagues or third parties (including client details), and therefore you also have responsibility for ensuring that processing meets the standards set out in this privacy notice and the Company’s data protection policy. You should observe, as a minimum, the following rules:
you must observe to the letter any instruction or guidelines issued by the Company in relation to data protection;
you should not disclose personal data about the Company, colleagues or third parties unless that disclosure is fair and lawful, and in line with the Company’s policies;
you must take confidentiality and security seriously, whether you consider the information to be sensitive or not;
any personal data collected or recorded manually which is to be inputted to an electronic system should be inputted accurately and without delay or the recorded data should be filed appropriately;
you must not make any oral or written reference to personal data held by the Company about any individual except to other employees of the Company who need the information for their work or who are authorised recipients;
great care should be taken to establish the identity of any person asking for personal information and to make sure that the person is entitled to receive the information;
if you are asked by an unauthorised individual to provide details of personal information held by the Company, you should ask the individual to put their request in writing and send it to the Registered Manager, but inform the Registered Manager immediately. If the request is in writing you should pass it immediately to the Registered Manager;
you must not use personal information for any purpose other than your work for the Company;
if you are in doubt about any matter to do with data protection you must refer the matter to a Director immediately;
passwords should not be disclosed and should be changed regularly;
your own or third party personal data should not be left unsecured or unattended, e.g. on public transport;
unauthorised use of computer equipment issued by the Company is not permitted;
you must follow the Company “clear desk” policy and ensure that all confidential information, whether containing employee or third party personal data or not, is secured when it is not in use or when you are not at work;
unless authorised, you may use only the Company equipment to carry out work and must ensure that devices are password protected and locked when not in use;
where authorisation has been given, you may use personal equipment to carry out work but you must ensure that devices are password protected, locked when not in use and you must ensure that any employee or third party personal data is hard-deleted from devices after you have finished working;
emails containing employee or third party personal data must not be sent from a web-based email system;
as far as possible, employee or third party personal data contained in emails and attachments should be annonymised before it is sent by email; and
documents containing sensitive information should be password protected and, if the document requires to be transmitted, the document and password should be transmitted separately.
Any breach of the above rules will be taken seriously and, depending on the severity of the matter,
may constitute gross misconduct which could lead to summary termination of employment.
What if you do not provide personal data?
The Company does not require consent from you to process most types of personal data. In addition, the Company will not usually need consent to use special category personal data in order to carry out legal obligations or exercise specific rights in the field of employment law. If you fail to provide certain information when requested, the Company may not be able to perform the contract entered into with you (such as paying you or providing a benefit). The Company may also be prevented from complying with legal obligations (such as to ensure the health and safety of its staff).
You have some obligations under your employment contract to provide the Company with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the Company with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in Jersey and payment details, have to be provided to enable the Company to enter a contract of employment with you. If you do not provide other information, this will hinder the Company’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
In limited circumstances, for example, if a medical report is sought for the purposes of managing sickness absence, you may be asked for written consent to process special category data. In those circumstances, you will be provided with full details of the information that is sought and the reason it is needed, so that you can carefully consider whether to consent. It is not a condition of your contract of employment to agree to any request for consent.
Where you have provided consent to the collection, processing and transfer of personal information for a specific purpose, you have the right to withdraw consent for that specific processing at any time. Once the Company has received notification of withdrawal of consent it will no longer process information for the purpose or purposes originally agreed to, unless it has another legitimate basis for doing so in law.
Employment decisions are not based solely on automated decision-making.
Data security breaches
The Company has put in place procedures to deal with any data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are available upon request.
In certain circumstances, the Company will be required to notify regulators of a data security breach within 72 hours of the breach. Therefore, if you become aware of a data security breach it is imperative that you report it to the Registered Manager immediately.