Staff & Volunteer Privacy Notice

GENESIS TRUST BATH 

About this privacy notice 

Genesis Trust Bath (the “Charity”) is committed to protecting and respecting the privacy of its staff. We are a registered charity in England and Wales (registration number: 1154253).

This Privacy Notice sets out why and how we collect and use your personal data during and after your working relationship with us and who it might be shared with. It also explains the legal bases for our use of your personal data and your legal rights.  

This Privacy Notice applies to current and former employees, trustees and volunteers. It does not form part of any contract of employment or contract to provide services. 

Who we are 

For the purposes of data protection legislation, we are the controller of your personal data processed by us, which means that we decide why and how we process your personal data. We are registered as a controller with the Information Commissioner’s Office (registration number: Z329450).

For further information regarding privacy and data protection at the Charity, or if you have any questions, please contact the Operations Manager via email at office@genesistrust.org.uk.   

How we obtain your personal data 

We collect personal data about you from the following sources: 

  • Directly: We collect personal data that you provide to us. This includes information you provide when applying for a role with us (such as your CV or application), during the course of our working relationship with you (such as when you communicate with us about taking time off), and after you end your relationship with us (for example, if you contact us to ask for a reference).
  • Third parties or publicly available sources: We may also receive personal data from third parties and public sources. This may include: 
      • Employment agencies and recruiters.
      • Your former employer or educational establishment (during the recruitment process).
      • Internal and external referees.
      • Government information sources (e.g., for DBS checks).
      • Pension providers.
      • HMRC.
      • Social media & the internet.
      • Church and other memberships.

Please note, where we need to collect personal data by law or in order to perform the contract we have with you and you fail to provide that data when requested, we may not be able to meet our legal obligations or perform the contract we have or are trying to enter into with you. This may, for example, result in the termination of an offer of employment. 

Types of personal data we process 

The type and amount of personal data we collect and hold depends on the purpose for which it is being provided and processed and will include but will not be limited to: 

  • Personal details and key identifiers: names, address, telephone numbers, email address, gender, date of birth, national insurance numbers, next of kin, emergency contact numbers, bank account details. 
  • Recruitment information: such as information provided in your application form, CV, references. 
  • Employment records: start date, leaving date and your reason for leaving, job titles, work history, working hours, holidays, compensation history, location of workplace, performance information, grievance and disciplinary information, data relevant to your training history and development needs, including training records and professional memberships. 
  • Your employment contract and remuneration details: including payroll records and tax status information, salary, annual leave, pension and benefits information, bank account details. 
  • Information generated through your use of the Charity’s information and communications systems. 
  • Next of kin contact details and emergency contact numbers. 
  • Images, audio and video recordings taken in the course of your work for the Charity, including those captured on our CCTV systems.

Certain categories of personal information are regarded by data protection law as more sensitive than others. Known as ‘special category personal data’, this relates to information about your health, racial or ethnic origin, details of sexual life, sexual orientation, religious beliefs, political opinions or any genetic or biometric data that is used to identify you. This information, and any information about criminal offences or convictions, warrants a higher level of protection under data protection law.  

The Charity may process special category data about you, including: 

  • Diversity monitoring information (such as racial or ethnic origin, sexual orientation). 
  • Information relating to your health and wellbeing (including details of disabilities and medical conditions, health and sickness records, and details of accidents in the workplace). 
  • Religious belief. 
  • Church membership or affiliation.

We will only collect information about criminal offences and convictions where it is necessary and lawful for us to do so.  

The Charity will always make it clear when we collect this information from you what special category personal data we are collecting and why.  

Why we process your personal data 

We process personal data relating to those we employ or engage to work at the Charity, for a range of purposes related to employment, efficient running of the Charity and compliance with our legal obligations. Specifically, we process your personal data to: 

  • Contact you in response to your query about a job opportunity at the Charity and to make decisions about your recruitment.
  • Enter into a contract with you, and to administer and fulfil the contract we have with you. 
  • Pay you and provide you with benefits (such as your pension). 
  • Manage your performance. 
  • Handle any grievance or disciplinary matters. 
  • Manage sickness absence and to assess your fitness to work. 
  • Make decisions about your employment. 
  • Comply with our legal obligations, including safeguarding obligations or health and safety obligations and help us to make reasonable adjustments as needed (e.g. in case of a disability). 
  • Ensure compliance with our Staff Handbook and policies. 
  • Monitor, as required, all usage of the information communication technology (ICT) systems (including internet usage and network traffic, the use of phone, email systems, collaboration software, videoconferencing software and any messaging apps used for work). Please see our Information Security Policy for further details. 
  • Provide references if requested.  
  • Ensure effective equal opportunities monitoring. 
  • Promote the work of our Charity on our website and on social media, and in publications, such as our newsletter.  
  • Pursue legal claims or defend any claims brought against us. 

Our lawful reasons for processing your personal data 

Our processing of your personal data is lawful because we only process your personal data when we have an appropriate lawful basis (under Article 6 UK GDPR). In the case of special category data and criminal convictions and offences data, in addition to an appropriate lawful basis, we must also satisfy one of the additional conditions set out in Article 9 or 10 UK GDPR.  

Depending on the purposes for which we use your data, one or more of the legal reasons listed below may be relevant: 

  • You have provided your consent for us to process your personal data (such consent may be withdrawn at any time by emailing office@genesistrust.org.uk) (for example, we may ask for your consent to use your photograph on the Charity’s website);
  • The processing is necessary for the performance of the Charity’s obligations under a contract between you and the Charity (for example, your contract of employment or volunteer agreement); 
  • The processing is necessary for the performance of a legal obligation to which the Charity is subject (for example, our legal duty to safeguard beneficiaries, or to provide information to HM Revenue and Customs); 
  • The processing is necessary to protect the vital interests of you or another individual (for example, providing your details to a medical professional in the case of a medical emergency); 
  • The processing is necessary for the Charity’s legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. An example of where we may process your personal data in this way is for audit purposes. 

We will only process special category data where we have also identified an appropriate condition for doing so in accordance with Article 9 of the UK GDPR: 

  • You have provided explicit consent (such consent may be withdrawn at any time by emailing office@genesistrust.org.uk); 
  • The processing is necessary in connection with a legal obligation in the field of employment and social security law or for a collective agreement (for example, in relation to maintaining records of statutory sick pay and maternity pay); 
  • The processing is necessary in order to protect your or another person’s vital interests where that person is physically or legally incapable of giving consent (for example, providing your details to a medical professional in a medical emergency);
  • The processing relates to personal data which is manifestly made public by the data subject (e.g. where you publish information about yourself in the public domain); 
  • The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (for example, providing information to an employment tribunal where a claim has been made); 
  • The processing is necessary for reasons of substantial public interest, in accordance with Part 2, Schedule 1 of the DPA 2018 (for example, for the purposes of protecting the physical, mental or emotional wellbeing of a member of the workforce);  
  • The processing is necessary for public health purposes (with a basis in law) (for example, in connection with preventing the spread of a pandemic). 

In connection with criminal offence data, the Charity will only process this information where it has identified an appropriate lawful basis for processing and appropriate policy and safeguards are implemented in accordance with Article 10 of the UK GDPR. 

When we collect personal information on our forms, we will make it clear whether you are required by law, or under a contract, to provide your personal data, and what will happen if you do not provide that data. 

We do not use your personal data for automated decision-making (including profiling). If that changes, we will notify you in writing. 

When we collect your personal data from you, we will make it clear whether you are required by law or under a contract to provide your personal data, and what will happen if you do not provide that data. 

Who we share your personal data with

Occasionally, we may have to share your personal data with third parties. We will only share your personal data with third parties where the law allows us to do so.  

Where we share your personal data, we require third parties (under contractual arrangements where appropriate) to put measures in place to protect your personal data and to only process your personal data in compliance with the law.  

We may need to share personal data with third-party service providers or other third parties (please see below) and/or may be required by law to share some of your personal data with certain competent authorities.  

Sharing personal data with third parties may be necessary in the following circumstances: 

  • We disclose some of your personal data, including national insurance number and absence information, to our payroll provider to enable you to be paid. 
  • We disclose some of your personal data, including name, employment history, medical information and performance records, to our HR provider for the purposes of HR management.
  • We share your identity and pay information with HMRC in conjunction with your legal obligation to pay income tax and to make national insurance contributions. 
  • Where you have decided to become part of a salary sacrifice scheme such as that for child care vouchers, we share your details with the provider to the extent necessary for them to provide the vouchers to you. 
  • We share your details with your pension provider to make sure that you pay the correct amount and maintain your entitlement to a pension. The pension scheme for staff is provided by People’s Pension. 
  • We share your details with our insurance brokers and suppliers so that they can provide us with insurance advice and services. 
  • We disclose certain data to our accountants and auditors (for example, to enable them to conduct a thorough audit of the Charity). 
  • We disclose certain data to our Health and Safety and Human Resources advisers to enable them to provide advice and support. 
  • We disclose certain data to our marketing & fundraising service providers. 
  • We may need to share your personal data with other third parties, for example in the context of the possible transfer of the Charity’s assets or restructuring of the Charity, or when obtaining legal advice from our external legal advisors.

How we keep your personal data safe 

We understand how important it is to protect your personal data and take appropriate steps to safeguard it. 

We implement adequate technical and organisational measures to ensure a level of security appropriate to the potential risks. We have an internal Information Security Policy, which governs how we protect your personal data. For example: 

  • All persons authorised to access personal data are required to undergo appropriate training and must comply with organisational and technical measures that we have put in place. 
  • We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.   

We always ensure that access to your personal data is restricted on a ‘need to know’ basis, i.e. to those members of our staff, volunteers and contractors who need to access personal data to fulfil their roles. All authorised persons are appropriately trained and commit to ensuring confidentiality and security of your data.

We interact via the internet and email, and no external data transmission over the internet can be guaranteed to be 100% secure. While the Charity strives to safeguard your personal data and reduce any risks as far as possible (for example by using password protection and secure platforms for document sharing), we cannot guarantee the security of the information you provide online and you do this at your own risk. 

If you would like more information about the security measures we have implemented please contact the Operations Manager at office@genesistrust.org.uk. 

Transferring personal data outside the UK 

Due to the nature of our charitable objectives and work, we may transfer your information to countries or territories outside the UK, which are subject to different data protection laws. We may do this where, for example, we use suppliers in a third country or data is stored on servers outside the UK.  

We meet the UK GDPR requirements by ensuring that personal data is protected as if it were being held in the UK. This will usually be because the country to which we transfer data either benefits from an adequacy determination or we have entered into a contract with the third party which contains EU standard contractual clauses recognised as a valid data transfer mechanism in the UK. 

If you would like more information about how we protect your personal data if it is transferred outside the UK please contact the Operations Manager at office@genesistrust.org.uk. 

How long we keep your personal data 

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements and, where required for us to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled.  

For example, we hold your payroll records for at least six years so we can fulfil our statutory obligations for tax purposes. Our Records Retention and Deletion Policy, a copy of which is available on the shared library, sets out the relevant retention periods. 

Your rights 

Data protection law provides individuals with various legal rights, which may be exercised in certain circumstances. You have the following legal rights over your personal data: 

  • The right of access (commonly referred to as a “subject access request” or “SAR”). This right enables you to obtain a copy of the personal data we hold about you as well as other information about how we are processing your personal data. 
  • The right to rectification. This right enables you to require us to correct the personal data we hold about you if it is inaccurate or incomplete. 
  • The right to erasure (also known as the right to be forgotten). In certain circumstances you have the right to request that personal information we hold about you is erased (such as where we no longer need your personal data for the purpose it was originally collected for). 
  • The right to restrict processing of your personal data. You may ask us to restrict the use of your personal data in certain circumstances (such as where you believe your personal data is incorrect and we need to verify the accuracy of the personal data we hold).
  • The right to object. You may object to our processing of your personal data in certain circumstances such as where we are processing your personal data on the basis of “legitimate interests”. Please note, you always have the right to object to processing of your personal data for direct marketing purposes.  
  • The right to data portability. This right allows you to request that we transfer your personal data to you or another third party in a commonly used, machine-readable format. Please note, this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you. 
  • The right to withdraw consent. Where we are relying on your consent to process your personal data you have the right to withdraw your consent at any time and may do so by contacting us at office@genesistrust.org.uk. If you decide to withdraw your consent that does not mean that our use of your personal data before you withdrew your consent is against the law.

Please note, some of your legal rights are subject to safeguards, limitations or exemptions.  

If you wish to exercise your rights, please contact us via office@genesistrust.org.uk and we will respond within the time limits set out in data protection law. 

Complaints  

If at any time you are not happy with how we are processing your personal information then you may raise the issue with the Operations Manager in the first instance. 

If you are not satisfied with the handling of your issue, you may raise a complaint with the Information Commissioner’s Office, which regulates and enforces data protection law in the UK.  

Details of how to do this can be found at https://ico.org.uk/make-a-complaint/ 

Changes to this Privacy Notice  

This Privacy Notice was published on 2nd February 2024. We will update and change this privacy notice from time to time to reflect changes to the way we handle your personal data or changing legal requirements. Whenever you visit our website or place an order with us, please check back so that you are aware of any changes. 

END.