Good Law Project HR Privacy Notice Good Law Project (GLP) collects and processes personal data relating to its employees to manage the employment relationship, and is the Data Controller for such personal data. GLP is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. What information does GLP collect? GLP collects and processes a range of information about you. This includes: your name, address and contact details, including email address and telephone number, date of birth and gender; the terms and conditions of your employment; details of your qualifications, skills, experience and employment history, including start and end dates with previous employers and with GLP; information about your remuneration, including entitlement to benefits such as pensions or insurance cover; details of your bank account and national insurance number; information about your marital status, next of kin, dependants and emergency contacts; information about your nationality and entitlement to work in the UK; details of your working pattern and attendance at work; details of periods of leave taken by you, including holiday, sickness absence, and other leave, and the reasons for the leave; details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence; assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence; information about medical or health conditions, including whether or not you have a disability for which GLP needs to make reasonable adjustments; equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief. GLP collects this information in a variety of ways. For example, data is collected through CVs; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment such as new starter form or benefit nomination forms; from correspondence with you; or through interviews, meetings or other assessments. In some cases, GLP collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from credit reference agencies. Data is stored in a range of different places, including in your personnel file, in GLP's HR management systems and in other IT systems, including GLP's email system. Why does GLP process personal data? GLP needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefits, pension and insurance entitlements. In some cases, GLP needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. In other cases, GLP has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows GLP to: run recruitment and promotion processes; maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights; operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace; operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes; operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled; obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled; operate and keep a record of other types of leave, including maternity, paternity, adoption, parental and shared parental leave, to allow effective workforce management, to ensure that GLP complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled; ensure effective general HR and business administration; provide references on request for current or former employees; respond to and defend against legal claims; and maintain and promote equality in the workplace. Lawful basis We mainly use ‘contractual obligation’ as a lawful basis for processing your personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees and volunteers. We may also have legal obligation in order to process and share your data, for example we need to share salary information to HMRC or use some of your data to enrol a new employee on a pension scheme. We rely on ‘legitimate interest’ as a lawful basis for keeping supervision and appraisal records. When relying on legitimate interest, we may undertake a balancing test to ensure your rights are upheld. When it comes to processing activity involving special category data or using your image, bio and videos/pictures of the organisations’ events where you may appear on our website or marketing/fundraising materials to promote the charity, we rely on ‘explicit consent’ and/or ‘substantial public interest’ as conditions under GDPR Article 9 read with conditions from the schedules of the DPA 2018. When processing criminal records, for example in order to perform DBS check, the organisation relies on the lawful basis of legitimate interest and Condition 10 from Schedule 1, DPA 2018, ‘preventing or detecting unlawful acts’. Who has access to data? Your information will be shared internally, including with your line manager, the Chief Operating Officer, and the Executive Director and IT staff if access to the data is necessary for performance of their roles. GLP shares your data with third parties in order to obtain pre-employment references from other employers and obtain employment background checks from third-party providers. GLP may also share your data with third parties in the context of a sale or reorganisation of itself or of some or all of its business. This could include information such as job titles, job descriptions and salary information. In those circumstances, the data will be subject to a Data Sharing Agreement. Third parties GLP also shares your data with third parties that process data on its behalf in connection with payroll, the provision of benefits and the provision of occupational health services, insurances and other services. Your data may be transferred to countries outside the European Economic Area (EEA) for the operation, administration or security arrangements and legitimate interests of GLP and in order to fulfil GLP’s obligations to you. No personal data will be transferred outside of the UK, or any country deemed to be adequate by the UK or the EU without first ensuring that the destination country offers adequate levels of protection for personal data and the rights of data subjects. According to the new UK data transfer regime, we will undertake a Transfer Risk Assessment (TRA) and ensure that an appropriate UK safeguard is in place. This may include the use of the UK Addendum which converts existing EU standa rd contractual clauses (SCCs) into a valid UK safeguard or the International Data Transfer Agreement (IDTA). How does GLP protect data? GLP takes the security of your data seriously. GLP has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Where GLP engages third parties to process personal data on its behalf, they do so on the basis of binding contracts, are under duty of confidentiality and are obliged to implement appropriate technical measures to ensure the security of data. Wherever possible, GLP has Data Processor Agreements with such processors in place. For how long does GLP keep data? We only keep your data for as long as we need it for, which will be at least for the duration of your employment/engagement with us though in some cases we will keep your data for a period of 6 years after your employment/engagement has ended. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 6 months. Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch by contacting us here if you want to know more about retention periods. Data is destroyed or deleted in a secure manner as soon as the retention date has passed. Your rights As a data subject, you have a number of rights. You have the right to: be informed about how we are using your data; access and obtain a copy of your personal data on request; ask GLP to change your personal data if it is incorrect or incomplete; ask GLP to delete your data, for example in certain circumstances where the data is no longer necessary for the purposes of processing and there is no further basis for processing; ask GLP to restrict processing of data if that data is inaccurate or there is a dispute about whether or not your interests override GLP's legitimate grounds for processing that data. ask us to provide you, or a third party (if practically possible), with some of the personal data we hold about you in a structured, commonly used, electronic form, so that it can be easily transferred; object to the processing of your data. However, please note there are circumstances under which this right does not apply, for example where GLP processes your data because it is necessary to fulfil a contract; If you would like to exercise any of these rights, please contact us here. If you believe that GLP has not complied with your data protection rights, you can complain to the Chair of the Board and if not satisfied, the Information Commissioner. What if you do not provide personal data? You have some obligations under your employment contract to provide GLP with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide GLP with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights. Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable GLP to enter a contract of employment with you. If you do not provide other information, this will hinder GLP's ability to administer the rights and obligations arising as a result of the employment relationship efficiently. Automated decision-making Employment decisions are not based solely on automated decision-making. Change in personal details You should immediately notify the HR team in writing of any changes to your personal details. Such changes may include but are not limited to your name, address or telephone number; nationality or immigration status; personal details of your next of kin or a change in your next of kin; bank details; arrest, prosecution or conviction for a criminal offence; and any disciplinary action taken against you by a professional or regulatory body or if you become bankrupt, apply for or have made against you a receiving order, make any composition with your creditors or commit any act of bankruptcy.