Strategi Solutions Group Ltd Privacy and Fair Processing Notice
Strategi Solutions collects, holds and processes personal data relating to its employees, which is essential for it to manage its operations and their employment fairly and effectively. These activities are carried out in accordance with the General Data Protection Regulation 2016 and Strategi Solutions’ Data Protection/Retention Policy.
The data held by Strategi Solutions’ Human Resources Department is mainly taken from the details that employees provide during the application and recruitment process and will be added to during the course of their employment, as necessary and appropriate.
During the recruitment process and any contractual change events during employment, employees give their consent for Strategi Solutions to process and retain their personal data, with a legitimate interest for doing so.
Strategi Solutions provides this Privacy and Fair Processing Notice to inform employees of how their personal data will be processed by the Human Resources department and the purposes for which the data has been collected.
As a general guide, anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR. Under the Regulation, personal data is data which relates to a living/natural individual who can be identified from that data or from other information which is in the possession of, or is likely to come into the possession of, the data controller. In this case, the data controller is Strategi Solutions. It includes any expression of opinion about the individual as well as statements of fact.
IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information. ‘Pseudonymised’ personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
The processing of data includes obtaining, recording, storing, organising, maintaining, updating, retrieving, using, disclosing, transferring, and deleting.
Is consent to data processing always necessary for employment purposes?
According to Article 9, S.2(b) of the GDPR:
Consent is not required where “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment …. for appropriate safeguards for the fundamental rights and the interests of the data subject;” provided the connection is conferred or imposed by Law.
Types of personal data that Strategi Solutions may process, although not an exhaustive list, are:
- personal details (name, address, date of birth, contact details)
- e-mail addresses
- application form, CV, interview notes and references
- equal opportunities information such as gender, sexual orientation, marital status, religion
- financial information such as bank details, NI number, etc
- qualifications and professional registration details and certificates
- attendance/absence records and medical information (Fit Notes, OH reports, etc)
- eligibility to work documents and clearances (such as DBS, OH report, passport copy)
- employee relations case information (such as disciplinary, grievance, performance)
- CCTV footage
- next of kin / emergency contact information
For information, data concerning criminal offences, health, disability, ethnicity, sexual orientation and religion, constitutes sensitive personal data and is afforded an extra level of security and confidentiality.
The Regulation requires Strategi Solutions to process personal data in line with its 7 principles:
- Fairly, lawfully and transparently – the Data Subject has given consent
- Purpose limitation – consider what the data is held for
- Data minimisation – nothing held that isn’t necessary
- Accuracy – information must be correct and up to date
- Storage limitation – for no longer than is reasonably necessary
- Integrity & confidentiality – data to only be accessed by authorised people
- Accountability – the Data Controller (company) has the burden of proof to evidence that they are compliant, not the individual (this is a major change from the DPA).
The official purposes for which Strategi Solutions processes personal data are notified to the Information Commissioner on an annual basis and can be viewed on the Office of the Information Commissioner's website.
To manage its operations effectively, provide services to employees and meet certain legal requirements, Strategi Solutions will process and maintain the personal data of its employees. This personal data may include all or any of the above listed data types.
In addition to this, Strategi Solutions may process some sensitive personal data about employees, such as details about health in order to provide care, and information concerning ethnicity, sexual orientation, gender identity, domicile and disability for planning and monitoring purposes. Also, for certain programmes of study, information about past criminal convictions will be processed.
Personal data may be shared by Strategi Solutions with organisations that provide employees with services and support, such as our Occupational Health Provider, Hobson Health, and our Employment Lawyer, Keelys LLP.
Data management and protection agreements are in place with these partner organisations, and personal data will be shared with affirmative consent from the individual, given at the recruitment stage and again prior to any Occupational Health referral being made.
For example, the Occupational Health provider will need an employee’s name, address, phone number, sickness absence details, basic medical information, and any other relevant information as necessary, in order to offer a consultation and support to the employee.
Strategi Solutions may also use employee personal data to produce non-identifiable statistical data for analysis to fulfil monitoring commitments for purposes such as equality & diversity, and to provide a more targeted response to improving working lives and in working towards becoming an employer of choice.
Strategi Solutions may disclose appropriate personal data, including sensitive personal data, to third parties where there is a legitimate need or obligation, during or after an individual’s employment. Such disclosure is subject to procedures to ensure the identity and legitimacy of such agencies. These third parties may include the following:
- UK Visas and Immigration (for sponsored migrant workers)
- Accrediting bodies e.g. HSE etc.
- NHS Trust Occupational Health service providers - where this service is provided on Strategi Solutions’ behalf
- Other relevant partner organisations, such as accredited training providers, Employment Law Solicitors etc.
- Third parties performing or providing resources for administrative functions on Strategi Solutions’ behalf (such as Recruitment Agencies)
- The Government and local authorities during information gathering exercises when Strategi Solutions is legally obliged to provide data
- Police, crime or taxation agencies regarding the detection or prevention of a crime
- Potential employers requesting a reference or confirming the professional registration of a current or past employee. Consent is implied by the individual providing Strategi Solutions’ details as a referee.
This is not an exhaustive list and such third parties may have access to employee data only for the purpose of performing their function.
Any disclosures to third parties not listed here will be made only where there is a legitimate reason to do so and in accordance with the law and with prior affirmative consent from the individual.
Strategi Solutions may also use third party companies as data processors to carry out certain administrative functions on the company’s behalf. If so, a written contract will be put in place to ensure that any personal data disclosed will be held in accordance with the GDPR.
Spouses, partners, parents and other family members are considered to be third parties and no employee personal data will be disclosed unless express consent is received from the employee or the disclosure is in accordance with the GDPR. The same applies for landlords, sponsoring employers or sponsoring governments.
Employees have certain rights and responsibilities regarding their personal data, including:
- To know what personal data Strategi Solutions holds about them and what it is used for
- To securely access and review their own personal data
- To request that their personal data is accurately updated/rectified if they believe that it is out of date or incorrect (supporting evidence must be provided, where appropriate)
- To request to have their data erased and to ‘be forgotten’ (this is not an automatic right, but if granted, Strategi Solutions will ensure total deletion of data, i.e. from its own systems and those of partner organisations/third parties)
- To know how Strategi Solutions is complying with its obligations under the Regulation
- To make a complaint if they believe that the GDPR and/or Strategi Solutions’ Data Protection/Retention policy has not been followed.
Employees have a responsibility to ensure that the personal information they provide to Strategi Solutions is accurate and up to date.
Employees wishing to receive a copy of their own personal data can do so by making a Subject Access Request to the Human Resources department.
Employee files will normally be held for seven years after an employee has left Strategi Solutions. Basic information (including full name, job title and employment dates) about the former employee will be retained indefinitely after they have left Strategi Solutions. Individuals can withdraw consent for this information to be retained, and for it to be erased. Such requests must be made in writing to the HR department.
For any queries regarding the General Data Protection Regulation and how this affects your recruitment or employment, please contact the Governance department in the first instance, who may refer your query to HR Support.
The Information Commissioner's Office: ico.org.uk.
General Data Protection Regulation (GDPR) Data Protection and Data Retention Policy
Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
We are committed to:
- ensuring that we comply with the eight data protection principles, as listed below:
  - Personal data shall be processed fairly and lawfully.
  - Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  - Personal data shall be accurate and, where necessary, kept up to date.
  - Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  - Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
  - Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  - Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- meeting our legal obligations as laid down by the Data Protection Act 1998 and General Data Protection Regulations 2016
- ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet our operational needs or fulfil legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects' rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all staff are made aware of good practice in data protection
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the organisation.
For further details on how we process data, please find our Fair Processing and Privacy Notice on our website – strategisolutions.co.uk
The GDPR does not specify retention periods for personal data. Instead, Principle 5 states that personal data may only be kept in a form that permits identification of the individual, for no longer than is justified and necessary for the purposes for which it was obtained and processed.
For example, medical/health information, such as OH reports, or other related information, can be kept for 40 years, but other more general personal data should not be.
Therefore, in deciding how long to retain personal data and any special categories of data held separately, Strategi Solutions Group based its decision on statutory retention periods, maximum periods for potential claims, and, in accordance with the aforementioned, legitimate business requirements.
All systems used by Strategi Solutions Group, both electronic and any remaining paper records.
Strategi Solutions Group will ensure effective management and safeguarding of personal and sensitive data in its control, and has taken steps to ensure the integrity, security and compliance measures taken by data processors acting on its behalf.
System owners will manage the retention of personal data for systems that they maintain.
This policy should be read in conjunction with our Privacy and Fair Processing Notice, available to view or download on the company website.
The GDPR definition of personal data is any information relating to a ‘natural’ person who can be directly or indirectly identified by this data.
A wide range of ‘personal identifiers’ constitute personal data, including name, age, location, etc.
The GDPR applies to both electronic personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key/numerically-coded – falls within the scope of the GDPR, depending on the level of ease of attributing the pseudonym to a particular individual.
Special Categories of Data under GDPR are defined as personal data which is more sensitive, and therefore needs a higher level of protection. Such data is as follows:
- Ethnic origin
- Trade Union membership
- Biometrics (where used for ID purposes)
- Sex life
- Sexual Orientation
In order to lawfully process these Special Categories of Data, there must be both a lawful basis under Article 6 of the GDPR and a separate condition (of 10 listed under the Regulation) for processing the Special Category of Data under Article 9 of the GDPR. Genetic data and some biometric data are included in this Category.
Data relating to criminal offences and convictions (e.g. DBS disclosures) is not included in this Category. Article 10 of the GDPR sets out separate and specific safeguards for this type of data.
These do not have to be linked. Before processing this category of data, it is vital that a reason for doing so, in accordance with the above, is documented.
36 months after an employee has left, only the following basic information will be retained, unless there are circumstances which require the data to be retained for longer:
- Date of Birth
- Job title(s) held by the employee throughout the duration of their employment
- Dates of employment
- One method of contacting the individual, such as phone number
Any requests for erasure of the above retained data, from the Data Subject, will be considered and actioned as appropriate, by the Company Board and HR.
This policy is non-contractual and will be reviewed every 2 years, or in the event of changes in legislation, or company practice.
It is Strategi Solutions Group Ltd.’s policy to handle complaints as part of the overall strategy to satisfy the needs of customers using our services. Expressions of dissatisfaction will be considered as important as complaints and plans put in place to remedy the service.
- Be courteous to the complainant
- Respond positively
- Offer constructive solutions
- Acknowledged within 14 days
- Notified to Senior Management
- Publicly displayed on Strategi’s Website
- Monitored regularly as per our internal QMS auditing process
- Reviewed and evaluated periodically as per our Policy review process
- Will be analysed
- Discussed with the trainer
- Discussed with the venue provider
- Corrective action implemented where appropriate
Any person dissatisfied with Strategi’s services will be encouraged to make this fact known at the point and time of their dissatisfaction to the persons directly involved.
The first person to be advised of the complaint will, if appropriate, endeavour to resolve the difficulty, ensuring that Strategi’s policy and procedures are followed. If it is not appropriate for the member of staff to deal with the complaint, it will be referred as soon as possible to the relevant Manager.
This is the sequence of activities to be followed:
- Complaint received.
- Complaint formally acknowledged by relevant manager.
- If necessary, complaint information passed to the functional Director.
- Facts ascertained and recorded by an independent manager.
- Explanations/remedy proposed and recorded internally.
- Complainant kept informed.
- Outcome recorded and where appropriate will be discussed with the complainant.
- Report filed by Manager in complaints file.
If a satisfactory conclusion is not obtained by the customer from the above procedure then the customer has the right to escalate the complaint to the Managing Director who will investigate the complaint until resolved.