Privacy notice for staff
Effective: 25 May 2018
About this document
This privacy notice explains how and why OxBridge Centre UK Ltd (herein referred to as we, our, us, the centre) collects, uses and shares personal data of her current or former staff which include employees, workers and contractors. In addition, this document aims to inform and explain the rights of staff in relation to the personal data we hold.
OxBridge Centre UK Ltd is the data controller of the personal data of staff (data subject) and is subject to the General Data Protection Regulation (GDPR 2018).
How we collect your information
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect personal information about employees, workers and contractors through the application and recruitment process: either directly from candidates; sometimes from an employment agency (eg Job Search Engine); or background check provider including the Disclosure & Barring Service (DBS).
We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.
We will collect additional personal information in the course of job-related activities throughout the period that staff work for us.
The types of information we process
We may collect a range of personal data including, but not limited to the followings:
We may also collect, store and use the following special categories of more sensitive personal information:
How we will use personal information
We will only use personal information of staff when the law permits the centre to processing. Most commonly, we will use your personal information in the following circumstances:
We may also use personal information of staff in the following situation, which are likely to be rare:
Situations in which we will use your personal information
We need all the categories of information in the list above primarily to allow us to perform our contract with staff and to enable us to comply with legal obligations. In some cases, we may use personal information of staff to pursue legitimate interests of our own or those of third parties, provided the interest of staff and fundamental rights do not override those interests. The situations in which we will process the personal information of staff are listed below.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
Failure to provide personal information
If a member of staff fails to provide certain information when requested, we may not be able to perform the contract we have entered with staff (such as paying staff), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
Change of Purpose
We will only use personal information of staff for the purpose for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal information of staff for an unrelated purpose, we will notify staff and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Information about criminal convictions
We may only use information relating to criminal convictions where the law allows. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by staff or in the course the staff works for us (primarily if your role involves working with children to determine if a member of staff is legally able to do so. We are allowed to use personal information of staff in this way in compliance with our legal obligations.
The legal bases for processing the information
Below show the legal bases that we rely on when handling the personal information of staff:
In the circumstances that staff have provided their consent for personal data processing, they have the right to withdraw their consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer at email@example.com. Once we have received notification that the staff have withdrawn their consent, we will no longer process their information for the purpose or purposes they originally agreed to, unless we have another legitimate basis for doing so in law.
Information sharing and disclosure
For the purposes referred to in this privacy notice and relying on the bases for processing as set out above, we may share your selectively limited number of personal data with certain third parties. Third parties include third-party service providers (including contractors and designated agents) and other entities within the company. The following activities are carried out by third party service providers: payroll, pension administration, benefit provision and administration, IT services.
All our third party service providers and other entities in the company are required to take appropriate security measures to protect the personal information of staff in line with our policies. We do not allow our third party service providers to use the personal data of staff for their own purposes. We only permit them to process their personal data for specified purposes and in accordance with our instructions.
In the context of the possible sale or restructuring of the business, we may also need to share personal data of staff with a regulator or otherwise to comply with the law.
Sending information to other countries
We may send the information of staff where:
We will only retain personal information of staff for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the centre we will retain and securely destroy your personal information.
Changes to your personal data
Please tell us promptly about any changes to the information we hold about you (ie staff). This is particularly important for your contact details. You can do this by contacting our Data Protection Officer at firstname.lastname@example.org.
Under the GDPR 2018, you (former or current staff) have the following rights:
If you want to review, verify, correct or equest erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information, please contact our data protection officer at email@example.com
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide staff with a new privacy notice when we make any substantial updates. We may also notify staff in other ways from time to time about the processing of their personal information. If you have any questions about this privacy notice, please contact Data Protection Officer.
If you have any queries about this privacy notice, how we process your personal data, or to exercise your rights as stated above, you can contact our Data Protection Officer by email: firstname.lastname@example.org or by post: Data Protection Office, OxBridge Centre UK Ltd. 118 Blagdon road, New Malden, Surrey, KT3 4AE
You can find out more about your rights under data protection legislation from the Information Commissioner's Office website available at: www.ico.org.uk