GDPR Privacy Notice for Employees, Workers and Subcontractors (UK)

What Is The Purpose Of This Document?  

Vescala is committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and use personal information about you during and after you have provided services to us, in accordance with the General Data Protection Regulation (GDPR).

It applies to all employees, workers and subcontractors.

Vescala is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice applies to current and former employees, workers and subcontractors. This notice also applies to Limited Company Contractors that we engage with, because we may hold and process personal data or special categories of personal data for the Limited Company Contractor’s directors, employees, substitutes or hired assistants. References in this notice to ‘you’ or ‘your’ refer to the data of the individuals engaged by the Limited Company Contractor. This notice does not confer, imply or create any direct contractual relationship between Vescala and any individual engaged or employed by the Limited Company Contractor.

This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time. For the avoidance of doubt, we are required by law to issue this notice to all individuals for whom we hold personal data; issuing this notice does not alter the terms of any contracts we have agreed with you and does not alter the status under which we have contracted with you. For the avoidance of doubt, the GDPR applies to all individuals regardless of their status, and this privacy notice does not confer any employment or worker rights on you; any rights and obligations that you may or may not have are derived from the contract you agreed with us, and this notice does not form part of that contract.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Data Protection Principles  

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

The Kind Of Information We Hold About You*

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
  • Date of birth.
  • National Insurance number.
  • Bank account details, payroll records and tax status information.
  • Salary, annual leave and pension information for employees only.
  • Start date.
  • Location of workplace.
  • Recruitment information for employees only (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
  • Employment records for employees only (including job titles, work history, working hours, training records and professional memberships).
  • Disciplinary and grievance information for employees only.
  • Information about your use of our information and communications systems.
  • We may also collect, store and use the following “special categories” of more sensitive personal information for employees only:
    1. Information about your health, including any medical condition, health and sickness records.

*It should be noted that the above list gives examples of information we may hold concerning you; it does not mean that we do hold this information about you. For example, if you are engaged under a contract for services by us we will not hold employment records or disciplinary and grievance information about you.

How Is Your Personal Information Collected?  

We typically collect personal information about employees, workers and subcontractors through the application, recruitment or engagement process, either directly from individuals or sometimes from our client or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.

We will collect additional personal information in the course of the services you provide to us, throughout the period during which you provide services to us.

If, under the contract you have agreed with us, you have the right to send a substitute or engage hired assistants, we may need to collect some personal information relating to the substitute or assistants you choose to send, for health and safety purposes and to ensure the substitute or assistants have the necessary skills and expertise to provide the services. Where this is the case we will notify you at the time.

How We Will Use Information About You  

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  1. Where we need to perform the contract we have entered into with you.
  2. Where we need to comply with a legal obligation.
  3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  1. Where we need to protect your interests (or someone else’s interests).
  2. Where it is needed in the public interest or for official purposes.

Situations in which we will use your personal information

We need all the categories of information in the list above primarily to allow us to:

  • perform our contract with you; and
  • comply with our legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below.

We have indicated below the purpose or purposes for which we are processing or will process your personal information, as well as indicating which categories of data are involved.

  • Determining the terms on which you work for us.
  • Checking you are legally entitled to work in the UK.
  • Paying you and, if you are an employee, deducting tax and National Insurance contributions.
  • Liaising with your pension provider (if applicable).
  • Administering the contract we have entered into with you.
  • Making decisions about your continued employment or engagement.
  • Contacting you by phone, email or other method to notify you of potentially suitable vacancies.
  • Making arrangements for the termination of our contract with you.
  • Informing our clients of the candidates we have and their skills and experience.
  • Dealing with legal disputes involving you, or other employees, workers and subcontractors, including accidents at work.
  • Ascertaining your fitness to work.
  • Managing sickness absence.
  • Complying with health and safety obligations.
  • Preventing fraud.
  • Monitoring your use of our information and communication systems to ensure compliance with our IT policies.
  • Ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
  • Conducting data analytics studies to review and better understand employee retention and attrition rates.
  • Equal opportunities monitoring.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. 

It should be noted that the reasons listed above may not apply to all those we engage with. For example, if you are engaged under a contract for services then we will not be using your personal information for disciplinary or grievance matters.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How We Use Particularly Sensitive Personal Information  

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  2. Where we need to carry out our legal obligations and in line with our data protection policy.
  3. If it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme, and in line with our data protection policy.
  4. Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.

Our obligations as an engager

For employees we may use your particularly sensitive personal information in the following ways:

  • We may use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
  • We may use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.

Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Information About Criminal Convictions  

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.

Automated Decision-Making  

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
  2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Data Sharing 

We may have to share your data with third parties, including third-party service providers and other entities.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EU.

If we do, you can expect a similar degree of protection in respect of your personal information.

Why might you share my personal information with third parties?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. 

Which third-party service providers process my personal information?

“Third parties” includes third-party service providers (including contractors, designated agents and their sub-processors). The following third-party service providers or categories of third-party service providers MAY process personal information about you for the following purposes:

  • Legal Advisers.
  • Our Clients – in accordance with providing work-finding services.
  • Banking Providers.
  • Intermediary service suppliers including umbrella companies and commercial contractors.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data Security

We have put in place measures to protect the security of your information. Details of these measures are available upon request.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from Hannah Smiley (Data Protection Manager).

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data Retention  

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from Hannah Smiley. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or subcontractor of the company we will retain and securely destroy your personal information in accordance with applicable laws and regulations.

Rights Of Access, Correction, Erasure, And Restriction  

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period you provide services to us.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Hannah Smiley in writing.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right To Withdraw Consent  

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact Hannah Smiley. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Data Protection Manager 

We have appointed a data privacy manager to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the data privacy manager. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Changes To This Privacy Notice  

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact Hannah Smiley, Vescala Data Protection Officer (DPO) through admin@vescala.com or by calling 0131 600 0448.

Policy Statement

Vescala complies with all applicable laws in connection with processing data, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018. Our data protection standards are underpinned by this policy as well as our Code of Conduct. Data users are obliged to comply with this policy when processing personal data.

This policy does not form part of any employee’s contract of employment and may be amended any time.

Data Protection Definitions

  • Data is information which is held electronically, or in structured paper-based filing
  • Data Subjects for the purpose of this policy include all living individuals about whom we hold personal
  • Personal Data means data relating to a living individual who can be identified from that data (or in combination with other information in our possession). Personal data can be factual (such as a name, employee number or date of birth) or it can be an opinion about that person, their actions and
  • Data Controllers are the decision makers over the processing of personal data. They exercise control over the purposes and means of any
  • Data Processors process personal data on the instruction of a data
  • Data Users are those employees (hereafter referred to as those people employed by Vescala and those working on Vescala premises/infrastructure and where Vescala policies are applicable) whose work involves processing personal data.
  • Processing is any activity that involves use of the data. It includes collecting, recording or holding the data, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring personal data to other
  • Special Category Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, genetic data or biometric data, physical or mental health or condition or sexual life or sexual orientation (and such other categories as may be added from time to time). Special category personal data can only be processed under certain
  • DP Legislation refers to any current or future laws or directives that are or will be applicable in the UK with respect to data processing. This includes the Data Protection Act 2018 and the General Data Protection

Data protection principles

Anyone processing Personal Data must comply with the six principles for processing Personal Data as are contained within DP Legislation. These provide that Personal Data must be:

Processed fairly, lawfully and transparently;

Personal Data must be processed in a way that is not unduly detrimental, unexpected or misleading. Personal Data may only be processed if there is a legal ground for that processing. One of the following conditions must be met:

  1. Performance of a contract (for example, an employment contract in respect of Vescala employees or a service contract in the case of services to clients)
  2. Legal obligation (where Processing is required to comply with a common law or statutory obligation)
  3. Legitimate interest (applicable where Vescala or the wider society has a benefit in processing Personal Data and where such processing is balanced against the rights and freedoms of individuals)
  4. Consent (where the Data Subjects have given their permission to process their Personal Data)

If the processing you are considering does not fall under one of the conditions above, then contact Hannah Smiley, Vescala Data Protection Officer, (DPO) for further guidance. Personal Data must be processed in an open and honest manner. Individuals must be informed as to how their data is processed.

When Special Category Personal Data is required to be processed, additional conditions to those set out above must also be met. If you are intending to process Special Category Personal Data, please contact Hannah Smiley, Vescala Data Protection Officer.

Processed for a special purpose:

  • The purpose(s) of the Processing must be clear from the start and must be

Minimised:

  • The data collected must be adequate, relevant and limited to what is necessary to fulfil the stated purpose(s) of the Processing.

Accurate:

  • Steps must be taken to maintain the accuracy of data, including correcting information that is incorrect or misleading. Vescala employees are responsible for checking and updating their Personal Data and must notify HR immediately of any changes to their personal

Not kept longer than necessary for the purposes and processed securely:

  • All Personal Data is classified as ‘Confidential’ (information that must not be disclosed unless appropriate). This principle means that Personal Data must be kept secure by maintaining the confidentiality and integrity of, and controlling access to, the data. Data Users must employ reasonable security measures including, where appropriate and/or relevant:
    1. Access control (into a building and/or floor)
    2. Physical storage locking controls
    3. Electronic folder restrictions
    4. Encryption
    5. Vescala-approved file transfer methods
    6. Secure Personal Data destruction

In complying with this principle, Data Users are required to adhere to the Vescala Information Security Policy.

Personal Data must be processed in a manner that will enable Vescala to demonstrate accountability in meeting each of the six principles.

Transferring Personal Data outside the UK

The Vescala DPO must approve where a transfer of personal data outside the UK is being proposed. Personal Data may only be transferred out under certain conditions, including ensuring the data subject rights are maintained.

Data sharing

Personal Data may be shared with any entity within Vescala or externally only on a ‘need to know’ basis and so long as the data subject is informed. Personal Data may only be disclosed externally if there is a legal basis (for example, a legitimate interest, legal obligation or to comply with a contract) to do so. We may also disclose Personal Data we hold to third parties:

  1. In the event that we buy or sell any business or assets, in which case we may disclose Personal Data we hold to the prospective buyer or seller of such business or assets.
  2. If we, or substantially all of our assets, are acquired by a third party, in which case Personal Data we hold will be one of the transferred assets.

Before sharing Personal Data, the Data User must consider some or all of the following factors:

  1. The objective – this will help to provide clarity on what data needs to be shared, if any, and to
  2. Data required – the data that is shared must be minimised to the data that is required
  3. Recipients of data – data should only be shared on a ‘need to know’ basis
  4. Frequency of data sharing – Personal Data should not be shared more frequently than necessary. Data users must consider whether it is appropriate to share data on an exceptional basis, on-going or routinely
  5. Mode of sharing – data must be shared in a secure manner
  6. Risk of sharing Personal Data – data users should consider risks to the Data Subjects
  7. Anonymising data – data users should consider if the objective can still be achieved by anonymising data
  8. Transfer of data outside the UK – Personal Data must not be transferred outside the UK without authorisation from the Vescala DPO

Data transmission

Data transmission is the transfer of data from one location to another. It comprises the transmission of physical data and electronic data.

Physical transfer of data carries with it greater Personal Data risk due to the inherent lack of control in the event of a potential data breach. Accordingly, physical data transfers should only be carried out where there is no electronic alternative available or if it would not be practical to transfer the data in another manner.

The duration of the transit period, when transferring from one Vescala location to another, should be kept to a minimum to lower the risk of a potential data breach.

Physical data that is required to be posted must be sent in a secure manner. This will typically be via point-to-point courier or in accordance with agreed business unit protocols.

Where electronic transfer is appropriate, the data must be transferred securely and through a Vescala-approved means of transfer such as SharePoint (or, in some cases, by use of an FTP server).

Data Retention

We will not keep personal data longer than is necessary for the purpose or purposes for which it was collected. Reference should be made to the Vescala Document Retention policy. We will take all reasonable steps to destroy or erase from our systems all data which is no longer required.

Data Subject’s rights under DP Legislation

We will process all Personal Data in accordance with Data Subjects’ rights where it is applicable, and in particular their right to:

  1. request to have inaccurate data amended
  2. request access to any data held about them by a data controller
  3. be informed about how their Personal Data is processed
  4. prevent the processing of their data for direct-marketing purposes
  5. object to the processing of their Personal Data in certain instances
  6. restrict the processing of their Personal Data in certain instances
  7. withdraw their consent in the case where consent had previously been granted
  8. request erasure in certain instances

Data breaches and complaints

A potential data breach is an incident in which sensitive, confidential or otherwise Personal Data has been accessed, disclosed or handled in a manner inconsistent with the intended treatment of that information.

A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. This includes breaches that are the result of both accidental and deliberate causes.

A non-comprehensive list of potential data breach examples includes:

  • Unauthorised deletion of data
  • Sending data to an unintended recipient
  • Access to data by an unauthorised individual
  • Sending Vescala confidential data to a personal email address for non-business use
  • Loss or theft of a laptop
  • Alteration of data without permission
  • Misplacing data
  • Cyber attack

Data breaches may also include cases where Data Subjects’ rights (noted in section 10) are not managed appropriately.

It is important that we are able to deal with any data incident as soon as possible in order to manage the incident effectively. As such, all Vescala employees must notify the Data Protection Officer (DPO), Hannah Smiley, immediately after becoming aware of any data incident. In no circumstances should you communicate details of the incident outside of those managing the data security incident without first contacting the DPO.

The DPO, together with a team compiled by the DPO (a representative from the relevant business unit/function and, if the breach is large or significant enough, the Head of IT and the Managing Director), will consider the potential data breach facts as presented. The DPO will determine the course of action to take according to the findings.

Consequences of breaching this policy

Non-compliance with this policy by employees may result in disciplinary action up to and including summary dismissal, and by contractors or agents in termination of contract.

Speaking up

If you have a concern or suspect a violation of this policy, we want you to speak up immediately. Speaking up can be a difficult thing to do, so be reassured that all information received will be treated seriously and investigated appropriately. If you act in good faith, believing your information is accurate, we will protect you even if you are wrong. Some concerns can be addressed by speaking to the person whose conduct is the cause for concern. We understand that this is not always possible, so we suggest that you speak to your line manager. If, for whatever reason, you do not feel comfortable doing this, you can contact any member of the Compliance or Legal departments or your Line Manager.

SCOPE / OUT OF SCOPE

The purpose of this document is to ensure uniform retention periods for key records, proper archiving and ease of retrieval and compliance with the provisions of the General Data Protection Regulations 2018 (GDPR) and set out the reasons for maintaining personal data.

The GDPR applies to all personnel records, whether held in paper, microfilm or computerised format. Under the GDPR data must not be kept any longer than is strictly necessary for a particular purpose.

This policy covers the period over which documents can be retained; retention of personal data does not indicate we have permission to contact individuals who are no longer active. Consent is required in order to contact individuals with whom we are no longer in regular, active engagement.

This document applies to data held in the UK and EU, whether electronic or paper.

In addition, there is a substantial and complex amount of EU and UK legislation that has an impact upon the retention of candidate and other related records. A full list of legislation dealing with particular categories of records is detailed in Appendix A.

SUMMARY

Records Containing Personal Data

Each record category below is listed with its Items, Proposed Retention Period (up to), Comment and Justification.

1. Candidates

Items: Temporary and permanent, including workers and potential own employees with whom we have had no contact; personal data taken from job boards, CV databases, LinkedIn, etc.

Proposed Retention Period (up to): 6 months

Comment: If no contact made or consent to represent received. Must not scrape from personal social media sites, e.g. Facebook, Instagram etc. Data can only be maintained longer if consent obtained.

Justification:

  1. Candidates who make their information public on job boards and business contact boards are aware that organisations who subscribe to the service will be able to access personal data.
  2. Individuals will have signed up to the Privacy Policy issued by the website, which will notify them that their information may be shared with third parties, and they will have had the opportunity to refuse this.
  3. For candidates we contact, if they agree for us to represent them for new roles we will have a “legitimate interest” for continuing to hold their personal data, subject to our policies.
  4. For candidates we contact who do not want representation at this time, we will ask for consent for us to continue to maintain their information, and they can select which purposes from the consent form.
  5. If candidates do not give consent, their data must be removed / deleted within the retention period.
  6. If we have not made contact with candidates sourced in this method, we will delete their information within 6 months of us obtaining their details.

2. Temporary Candidates

Items: Contacted but not placed

Proposed Retention Period (up to): 1 year from registration / consent to represent / last contact, whichever is the later

Comment: Data can only be maintained longer if consent obtained. If a candidate contacts us after a prolonged period of no contact, we should ask for consent again.

Justification:

  1. Enables us to deal with any subsequent requests or complaints from the candidate.
  2. May be required to provide reporting information to the client to demonstrate service levels.

3. Permanent Candidates

Items: Contacted but not placed

Proposed Retention Period (up to): 1 year from registration / consent to represent / last contact, whichever is the later

Comment: Data can only be maintained longer if consent obtained. If a candidate contacts us after a prolonged period of no contact, we should ask for consent again.

Justification:

  1. Enables us to deal with any subsequent requests or complaints from the candidate.
  2. May be required to provide reporting information to the client to demonstrate service levels.

4. Temporary Workers

Items: Placed

Proposed Retention Period (up to): 6 years from end of last assignment

Comment: Bank details should be deleted as soon as reasonably possible. Data can only be maintained longer if consent obtained. If a candidate contacts us after a prolonged period of no contact, we should ask for consent again.

Justification:

  1. We can search for alternative roles for the temp.
  2. Ability for employee to bring breach of contract claims for 6 years following end of employment.
  3. Client will have the ability to bring a claim regarding the temporary workers within 6 years of last assignment; this could include quality of temp work or our services.
  4. HMRC requires key data is maintained for 6 years.

5. Permanent Workers

Items: Placed

Proposed Retention Period (up to): 2 years from placement date.

Comment: Data can only be maintained longer if consent obtained. If a candidate contacts us after a prolonged period of no contact, we should ask for consent again.

Justification:

  1. We can contact the candidate if other vacancies arise at a later date.
  2. Enables us to deal with any subsequent requests or complaints from the candidate.
  3. Client will have the ability to bring a claim regarding our service in supplying the permanent worker. Although this could be for up to 6 years of placement, we believe that 2 years should be sufficient and is reasonable.
  4. May be required to provide reporting information to the client to demonstrate service levels.

6. Our Own Permanent Employees or Direct Hire Temps

Items: Hired / Not Hired

Proposed Retention Period (up to): Not hired: 1 year from registration or consent if not placed. Hired: 6 years from end of employment.

Comment: Bank details should be deleted as soon as reasonably possible. Data can only be maintained longer if consent obtained.

Justification:

  1. Ability for employee to bring breach of contract claims for 6 years following end of employment.
  2. HMRC requires key data is maintained for 6 years.

 

Records Not Containing Personal Data

 

Each record type below is listed with its minimum retention period.

Client: Destroy 6 years after last supply or at least 1 year beyond expiry of all obligations and/or warranties.

Supplier / Umbrella: Destroy 3 years after last supply.

Exceptions

Any exceptions to the above retention periods will need to be documented with justification and approved by senior management.

General

We strongly recommend that paper records are minimised where at all possible, and that paper records are transferred to electronic format. Ensure they are properly saved in a manner which enables you to identify the individual concerned, e.g. against that individual’s record in our systems, or saved into a secure folder on a server.

All records containing personal data in whatever format should be reviewed regularly to ensure the reason for retention is still applicable and the data is accurate, otherwise the data should be deleted or securely destroyed.

Individuals may request that their data be erased in which instance Legal must be advised and will liaise with the business and IT for all of that individual’s data (paper and electronic), other than that which is required to be retained for statutory or regulatory reasons, to be erased.

You should assume that all records are confidential and they should be treated as such, with secure filing/storage at all times.

All electronic files must be stored with adequate security preventing unauthorised access.

All documents containing personal or confidential data must be securely destroyed and electronic data securely deleted.

PROCEDURE

Candidate Files (Not Placed)

This category of candidate has been registered in full but has been placed neither in a temporary assignment nor into a permanent position.

Not placed candidate records must be destroyed or erased in accordance with the retention periods above.

All documents containing personal and confidential data must be securely destroyed for example, by secure shredding and all electronic data securely deleted.

Temporary Candidate

A flexible employee / worker (“Temp”) is a candidate that has been placed on a temporary assignment with a client, i.e. we have acted as an Employment Business.

All current Temp records should be filed (preferably electronically or in hardcopy format) securely.

For details of what, as a minimum, should be held in a Temp’s record please see the compliance standards document applicable for your business.

Temp’s records must be destroyed or erased in accordance with the retention periods above.

N.B. there may be client specific requirements that dictate that candidate files should be held for longer. Legal will advise when a client contract is signed if a longer data retention period will apply for assignments with that specific client only.

All documents containing personal and confidential data must be securely destroyed for example, by secure shredding and all electronic data securely deleted.

Permanent Candidate

A permanent candidate (“Perm”) is a candidate that has been placed into a permanent position only, i.e. we have been acting as an Employment Agency. This category does not include candidates that have transferred to the client on a temp to perm, temp to temp, or temp to third party arrangement.

For details of what, as a minimum, should be held in a Perm’s record please see the Vescala Compliance Standards document.

For Perms that have been placed with a client – the records must be destroyed or erased in accordance with the retention periods above.

All documents containing personal and confidential data must be securely destroyed for example, by secure shredding and all electronic data securely deleted.

Client Files

All standard and non-standard client contracts must be filed safely and securely in line with this policy; a local copy of these must be retained in accordance with the retention periods above.

Any documents containing personal and confidential data must be securely destroyed for example, by secure shredding and all electronic data securely deleted.

Supplier Files

Any documents containing personal and confidential data must be securely destroyed for example, by secure shredding and all electronic data securely deleted.

CONTACT POINTS

Telephone: 0131 600 0448 | Email: admin@vescala.com

APPENDIX A – Legislation relating to retention

As of January 2021

Each record below is listed with its statutory retention period and statutory authority.

Record: accident books, accident records/reports
Statutory retention period: 3 years after the date of the last entry (see below for accidents involving chemicals or asbestos)
Statutory authority: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended. Special rules apply concerning incidents involving hazardous substances (see below).

Record: accounting records
Statutory retention period: 3 years for private companies, 6 years for public limited companies
Statutory authority: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006

Record: income tax and NI returns, income tax records and correspondence with HMRC
Statutory retention period: not less than 3 years after the end of the financial year to which they relate
Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631)

Record: medical records and details of biological tests under the Control of Lead at Work Regulations
Statutory retention period: 40 years from the date of the last entry
Statutory authority: The Control of Lead at Work Regulations 1998 (SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676)

Record: medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 40 years from the date of the last entry
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677)

Record: medical records under the Control of Asbestos at Work Regulations
  • medical records containing details of employees exposed to asbestos: 40 years from the date of the last entry
  • medical examination certificates: 4 years from the date of issue
Statutory authority: The Control of Asbestos at Work Regulations 2002 (SI 2002/2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739)

Record: medical records under the Ionising Radiations Regulations 1999
Statutory retention period: until the person reaches 75 years of age, but in any event for at least 50 years
Statutory authority: The Ionising Radiations Regulations 1999 (SI 1999/3232)

Record: records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 5 years from the date on which the tests were carried out
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677)

Record: records relating to children and young adults
Statutory retention period: until the child/young adult reaches the age of 21
Statutory authority: Limitation Act 1980

Record: Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity
Statutory retention period: 6 years from the end of the scheme year in which the event took place
Statutory authority: The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

Record: Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence
Statutory retention period: 3 years after the end of the tax year in which the maternity period ends
Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended

Record: Statutory Sick Pay records, calculations, certificates, self-certificates
Statutory retention period: 3 years after the end of the tax year to which they relate
Statutory authority: The Statutory Sick Pay (General) Regulations 1982 (SI 1982/894) as amended

Record: wage/salary records (also overtime, bonuses, expenses)
Statutory retention period: 6 years
Statutory authority: Taxes Management Act 1970

Record: national minimum wage records
Statutory retention period: 3 years after the end of the pay reference period following the one that the records cover
Statutory authority: National Minimum Wage Act 1998

Record: records relating to working time
Statutory retention period: 2 years from the date on which they were made
Statutory authority: The Working Time Regulations 1998 (SI 1998/1833)

Policy statement

The Vescala code of conduct sets out the minimum behaviour we expect from our employees and supply chain partners. This policy deals with the specific issues associated with modern slavery and human trafficking.

Modern slavery is a crime and a violation of an individual’s fundamental human rights. It takes various forms, such as slavery, servitude, forced or compulsory labour and human trafficking, all of which have in common the deprivation of a person’s liberty by another in order to exploit them for personal or commercial gain. We have a zero-tolerance approach to modern slavery and we are committed to acting ethically and with integrity in all our business dealings and relationships and to implementing and enforcing effective systems and controls to ensure modern slavery is not taking place anywhere within Vescala or in any of our supply chains.

We are also committed to ensuring there is transparency in our own businesses and in our approach to tackling modern slavery throughout our supply chains, consistent with our disclosure obligations under the Modern Slavery Act 2015. We expect the same high standards from all of our contractors, suppliers and other business partners, and as part of our contracting processes, we will include specific prohibitions concerning modern slavery, whether of adults or children, and we expect that our suppliers will hold their own suppliers to the same high standards. Vescala’s approach will be to work with our supply chain partners to improve performance standards but ultimately, we may have to review whether we can continue on-going relationships if our standards cannot be met.

Who does this policy apply to?

This policy applies to all full and part-time employees, as well as temporary staff, whenever they are working. It also applies to agents, contractors and other third parties acting on our behalf in any capacity.

This policy does not form part of any employee’s contract of employment and we may amend it at any time.

Responsibility for the policy

The management of Vescala has overall responsibility for ensuring this policy complies with our legal and ethical obligations.

Vescala Compliance Department, with assistance from the Procurement function, has primary and day-to-day responsibility for implementing this policy, monitoring its use and effectiveness, dealing with any queries about it and engaging internal audit resource to audit internal control systems and procedures to ensure they are effective in countering modern slavery.

Management at all levels are responsible for ensuring those reporting to them understand and comply with this policy and are given adequate and regular training on it and the issue of modern slavery in supply chains.

Compliance with the policy

You must ensure that you read, understand and comply with this policy.

The prevention, detection and reporting of modern slavery in any part of our businesses or supply chains is the responsibility of all of us.

You are required to avoid any activity that might lead to, or suggest, a breach of this policy. You are expected to report as soon as possible:

  • if you know or suspect that any instance of modern slavery is occurring in any part of our businesses or supply chains; or
  • if you know or suspect that a breach of this policy is occurring or has occurred. Report to your line manager, or a member of the Compliance Department, or if you don’t feel comfortable doing this for any reason, to the confidential Speak-Up whistleblowing helpline (contact details are set out at the end of this policy).

If you are unsure about whether a particular act, the treatment of workers more generally, or their working conditions within any of our businesses or supply chains constitutes any of the various forms of modern slavery, raise it with your line manager, or a member of the management team.

We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken. We are committed to ensuring no one suffers any detrimental treatment as a result of reporting in good faith their suspicion that modern slavery of whatever form is or may be taking place in any part of our businesses or in any of our supply chains. Detrimental treatment includes dismissal, disciplinary action, threats or other unfavourable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform Compliance immediately.

Communication and awareness of this policy

Regular training on this policy and on the risks our businesses face from modern slavery in its supply chains will be provided as necessary.

Our zero-tolerance approach to modern slavery must be communicated to all suppliers, contractors and business partners at the outset of our business relationship with them and reinforced as appropriate thereafter.

Breaches of this policy

Non-compliance with this policy by employees may result in disciplinary action up to and including summary dismissal, and by contractors, agents or other third parties working on our behalf, in termination of contract.

Speaking up

If you have a concern or suspect a violation of this policy, we want you to speak up immediately. Speaking up can be a difficult thing to do, so be reassured that all information received will be treated seriously and investigated appropriately. If you act in good faith, believing your information is accurate, we will protect you even if you are wrong. Some concerns can be addressed by speaking to the person whose conduct is the cause for concern. We understand that this is not always possible, so we suggest that you speak to your line manager. If, for whatever reason, you do not feel comfortable doing this, you can contact any member of the management team.