Project 6 are committed to ensuring that the personal data of our employees is handled in accordance with the principles set out in UK data protection legislation. This privacy notice tells you what to expect when Project 6 collects personal information about you. It applies to all employees, ex-employees, agency staff, contractors, secondees and those applying to work for us.  However, the information we will process about you will vary depending on your specific role and personal circumstances.

How We Obtain Your Information

We get information about you from the following sources:

• Directly from you.
• From your employer if you are a secondee.
• From referees, either external or internal.
• From security clearance providers (such as the Disclosure and Barring Service).
• From Occupational Health and other health providers.
• From Pension administrators and other government departments (for example tax details from HMRC)
• From your Trade Union.
• From TUPE processes 
• From providers of staff benefits.

What We Collect and Why

We process the personal data related to your employment and we use the following information to carry out the contract we have with you, provide you access to business services required for your role and to manage our human resources processes:

• Personal contact details such as your name, address, contact telephone numbers and personal email addresses.
• Your date of birth, gender, disability, health status and nationality and national insurance number.
• A copy of your passport or similar photographic identification and /or proof of address documents.
• Relationship status.
• Emergency contacts and their contact information. 
• Employment and education history including your qualifications, job application, employment references, right to work information, records of background checks, and details of any criminal convictions that you declare.
• Details of any secondary employment, political declarations, conflict of interest declarations or gift declarations.
• Security clearance details including basic checks and higher security clearance details according to your job.
• Information related to your salary, pension, and loans. We process this information for the payment of your salary, pension and other employment related benefits. We also process it for the administration of statutory and contractual leave entitlements such as holiday or maternity leave.
• Information about your job role and your employment contract including your start and leave dates, any changes to your employment contract, your place of work, working pattern (including any requests for flexible working).
• Expenses or other payments claimed.
• Details of any leave including sick leave, holidays, special leave, TOIL etc.
• Details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay. This includes forms applying for the relevant leave, copies of MATB1 forms/matching certificates and any other relevant documentation relating to the nature of the leave you will be taking.
• Pension details including membership of pension schemes (current and previous).
• Your bank account details, payroll records and tax status information.
• Information relating to your performance at work e.g., probation reviews, Performance Improvement Plans, supervision notes and promotions.
• Grievance and dignity at work matters and investigations to which you may be a party or witness.
• Disciplinary records and documentation related to any investigations, hearings and outcomes
• Whistleblowing concerns raised by you, or to which you may be a party or witness.
• Information related to your training history and development needs.
• Information relating to monitoring. We use this information to assess your compliance with corporate policies and procedures and to ensure the security of our premises, IT systems and employees.
• Photos and video images.
• Health and wellbeing information either declared by you or obtained from health checks, eye examinations, occupational health referrals and reports, sick leave forms, health management questionnaires or fit notes i.e., Statement of Fitness for Work from your GP or hospital. This includes Covid testing status, Covid vaccination and booster status.
• Information you share with us about your lived experience, which you may share for example through recruitment or 1:1s.
• Accident and incident records if you have an accident or are involved in an incident at work.
• Access needs, including DSE audits and reasonable adjustments.
• Equal opportunities monitoring data. This includes racial or ethnic origin, religious beliefs, disability status, and gender identification and may be extended to include other protected characteristics. We use the following information to comply with our legal obligations and for equal opportunities monitoring.

We are the data controller of all data which is stored on Project 6 devices, such as the equipment we provide you with for work. This means that any personal data you store about yourself (or others) is accessible by us at any time when saved or stored on these devices. In some instances, it is also possible for us to access personal data which you have deleted from these devices.

Lawful Basis 

Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the GDPR:

• Article 6(1)(b) which relates to processing necessary for the performance of a contract. 
• Article 6(1)(c) so we can comply with our legal obligations as your employer.
• Article 6(1)(d) in order to protect your vital interests or those of another person.
• Article 6(1)(f) for the purposes of our legitimate interest

Special Category Data

Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:

• Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.
• Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent.
• Article 9(2)(f) for the establishment, exercise or defence of legal claims.
• Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.

In addition, we rely on processing conditions at Schedule 1, part 1, paragraph 1 and Schedule 1, part 1, paragraph 2(2)(a) and (b) of the DPA 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee. 

We process information about staff criminal convictions and offences. The lawful basis we rely on to process this data are:

• Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1, part 2, paragraph 6(2)(a).
• Article 6(1)(b) for the performance of a contract. In addition, we rely on the processing condition at Schedule 1, part 1, paragraph 1.

Information Sharing

In some circumstances, such as under a court order, we are legally obliged to share your personal information (Data Protection Act 2018; Schedule 2; part 5). An example of this is if a court requests that we disclose comparator information within an employment tribunal. Under the UK GDPR, we do not need to notify you that we have shared your data for this purpose so long as it is court ordered and necessary.  We may share information about you with HMRC for the purpose of collecting tax and national insurance contributions.

During your employment you may be referred to occupational health following a request to the People Team by you or your line manager. This may result in a face-to-face consultation, a telephone appointment with an occupational healthcare professional and/or a medical report from a GP or specialist. We use Paycare to provide our employee assistance programme and Prohms to provide our occupational health service. A link to their privacy notices can be found here:

Paycare privacy notice- https://www.paycare.org/site-map/privacy-paycare-health-cash-plans/  

Prohms data privacy policy-  https://prohms.com/company/governance-policy/

If you leave, or are thinking of leaving, we may be asked by your new or prospective employers to provide a reference. For example, we may be asked to confirm the dates of your employment or your job role. If you are still employed by us at the time the request for a reference is received, we will discuss this with you before providing this.

We will also share information about you with our training providers. For example, this will include information such as your name, contact details and job role. When necessary, we will also share information about any dietary or access requirements that you might have when you attend training events.

As part of Transfer of Undertakings (Protection of Employment)/TUPE process Project 6 will be asked to produce a list of job roles, as part of due diligence, which will be transferred to the new employer/organisation taking on the new contract. At the initial stage, personal data is not required to be shared. However, this data may not always be considered anonymous if the job role is held by only one person (or a very small group of persons) as by process of elimination, their identity could be determined. At the closing stages of the TUPE process the full list of names and contractual information is shared to the receiving organisation as part of the Employer Liability requirement.

Information about the TUPE process and any proposed measures must be provided to employees prior to the transfer date.

Keeping Your Information Safe

Personnel data: Personal data is held on secure cloud-based system and protected by user permissions and secure access. 

Training data: Personal data is held on secure cloud-based system and protected by user permissions and secure access. 

How Long We Keep Your Information

We keep your information in line with our data retention and disposal policy, the key information relating to employees can be found in Appendix A.

Your Rights

Under the Data Protection Act 2018 and UK GDPR, you have the following rights:   

• to be informed about the collection and use of your personal data.   
• to access your personal data (known as Subject Access Request) 
• to have inaccurate personal data rectified; or completed if it is incomplete.   
• to have personal data erased (known as the right to be forgotten) 
• to request the restriction or suppression of your personal data 
• to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.   
• to object to the processing of your personal data in certain circumstances.   
• rights in relation to automated decision making and profiling.   

Please note that some of these rights only apply in certain circumstances and we may not be able to fulfil every request. Where a request is declined, we will always explain our decision in full.   

To request access to your data or to contact us about any of the rights we have listed, you can email Project 6’s DPO (jon.gooch@project6.org.uk).

How to Complain 

If you have any concerns about our use of your personal information, you can make a complaint through your line manager who will follow Project 6’s compliant procedure.

You can also make a formal complain to the UK independent Information Commissioner’s Office.

The ICO’s address:           

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Call: 0303 123 1113  

Website: www.ico.org.uk

Appendix A

Data Retention Schedule – People