PLEASE NOTE: This statement is also available to view online by clicking here.

Data Protection Policy

Purpose 
The purpose of the Data Protection Policy is to ensure the Siamo Group and its team members, contractors and any associated third-party providers are aware of the responsibilities associated with and, as such, can fully comply with The General Data Protection Regulations (GDPR), which came into force on 25th May 2018.  

Responsibility for Data Protection 
All team members, contractors and associated third-parties are responsible for Data Protection.   Siamo Group will ensure information on the responsibilities is freely available and full training is provided.  Siamo Group does not require a Data Protection Officer.  Should any team member have a concern in relation to Siamo Group’s compliance with the GDPR they should raise this with the HRBP, Head Office.   

Definitions 

Business Purpose 

The purpose for which personal data may be used by us: 

HR, training, administrative, financial, regulatory, payroll, recruitment services and business development purposes 

Business purposes can include the following: 

  • Compliance with our legal, regulatory and corporate governance obligations and good practice 
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests 
  • Ensuring business policies are adhered to (such as policies covering email and internet use) 
  • Investigating complaints 
  • Contacting individuals to establish availability for work, personal recommendations and referrals 
  • Checking references, ensuring safe working practices, monitoring and managing team access to systems and facilities and team absences, administration and assessments 
  • Monitoring team conduct, disciplinary and grievance matters 
  • Providing employment benefits, for example Siamo Benefits and pension scheme 

Personal data 

Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other team members, clients, suppliers and marketing / sales contacts. 

Personal data we gather may include: individual’s contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title and CV. 

Sensitive personal data 

GDPR defines sensitive personal data as genetic and biometric data as well as data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), health, sex life, sexual orientation and criminal offences or related proceedings. 

Sensitive personal data will be strictly controlled in accordance with this policy. In most cases the processing of such data will require explicit consent to do so unless exceptional circumstances apply or it is a legal requirement, for example, to comply with legal obligations to ensure health and safety at work. 

 

Scope and Monitoring 
This policy applies to all team members, contractors and third-party providers working with Siamo Group.  As an individual you must be familiar with this policy and comply with its terms.  Adherence to this policy will be regularly monitored to ensure compliance.      
This policy supplements our other policies relating to internet and email use as outlined in the Employee Handbook.  We may supplement or amend this policy by additional policies and guidelines from time to time.  Any new modified policy will be circulated to the team before being adopted. 


Data Protection Principles 
Siamo Group will adhere to the following principles in relation to Data Protection. All data will be: 

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals. 
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes. 
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. 
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and 
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.  


Processing Data 
Siamo Group will process data in accordance with the above principles at all times.  Certain departments / functions require the collation, analysis, storage and processing of data.  This can be for: 

  1. Compliance with a legal obligation (such as HMRC and HSE) 
  2. Performance of a contract 
  3. Purpose of the legitimate interests of the employer or a third party.  


Processing Sensitive Personal Data 
Siamo Group will ensure the processing of any sensitive personal data is restricted to what is required for one or more of the three reasons for processing data as outlined above.   Any queries on the correct processing of sensitive personal data should be addressed to HRBP, Head Office. 

 

Retention 

Area 

Detail 

Retention Period 

Security considerations 

Occupational Health 

  

  

  

Health surveillance reports 

40 years 

6 years 

6 years  

  

 

 6 years 

Stored separately and securely 

  

  

  

H&S training records 

Medical reports 

Occupational health records 

Employment applications (unsuccessful) 

Curriculum Vitae 

6 months 

Stored separately and securely 

Application forms
Interview notes 

HR records 

As per file format  

6 years 

Stored securely 

Criminal convictions 

Criminal conviction declaration 

In line with rehabilitation period 

Stored separately and securely 

Active recruitment candidates 

Curriculum Vitae 
Application forms 
Interview notes 

12 months 

Stored separately and securely 

Inactive recruitment candidates 

Curriculum Vitae 
Application forms 
Interview notes 

6 months 

Stored separately and securely 

HMRC income tax / NI 

  

Records 

6 years + 1 

  

Stored securely 

  

Correspondence with HMRC 

Accident Book 

  

3 years 

Stored securely 

Employee wage / salary 

  

6 years + 1 

Stored securely 

Pension  

  

Individual pension information 

12 years 

  

Stored securely 

  

Pension scheme  

Shareholder information 

  

Contact details 

Permanently 

  

Stored securely 

  

Share information 

Senior Management Team 

Officers of the company 

Permanently 

Stored securely 

Customer information 

Contact details 

Permanently 

Stored securely 

Data will be held securely and separately as appropriate in line with the above retention periods.  After which time it will be securely destroyed. 
 

Individual rights 
Under the General Data Protection Regulations (GDPR) individuals have the following rights: 

Sharing Data with a third party 
Siamo Group will never share information with third parties for their own purposes, unless this is explained at the time the data is collected, express permission is given, or Siamo Group is legally required to do so. For example, Siamo Group is legally required to provide data to HMRC in relation to earnings for tax and National Insurance purposes.    

Siamo Group also use suppliers known as 'data processors' to process data, for example, to manage the workplace pension scheme. When enlisting the services of such suppliers the company will ensure that they are under a contractual obligation to only use individual information in accordance with instructions and for no other purposes.  

Siamo Group, as a recruitment and training business, is required to share candidate and delegate details with clients and potential clients.  Where possible, such data will be anonymised and when shared it will be encrypted.  Where this is not possible, or the personal data is required, for example when confirming an interview, the Company will ensure it has obtained express consent from the candidate or delegate. 


Subject Access Requests 
Individuals have the right to request copies of personal information that is held by Siamo Group.  This is known as a Subject Access Request.  Siamo Group will ensure any Subject Access Request is forwarded to the HR Team and is responded to within one month.  Siamo Group may need to conduct proof of identity checks to ensure that the request can be complied with.  All Subject Access Requests will need to be submitted in writing via email or letter providing a postal address to which the information is to be sent.  Should the copies contain supplementary information not relevant to the individual who has submitted the Subject Access Request this information will be deleted / blacked out as appropriate.  If this is not possible, only data relevant to the individual will be released.   

Reporting a breach in data protection 
All team members, contractors and third-parties are responsible for data protection which includes a duty to report any potential breach.  Should any individual be concerned that there has been a breach they should report it to Management Accountant.  The report should include as much information as possible to enable a full investigation to take place.  It is the responsibility of HRBP, in conjunction with the Directors, to decide when the potential breach should be reported to the ICO.    

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals. 

When a personal data breach has occurred, HRBP will establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is decided there is no need to report the breach a full report will be created as record of the incident. 


Training 
All team members, contractors and third-parties will be required to undergo training on data protection obligations under GDPR.  Any individual who will be handling personal data and / or sensitive personal data will undergo an additional level of training to include detailed understanding of the internal processes in place to support compliance with GDPR.  Any individual may request a refresher of the training and should make this request to the HR Team. 


Privacy Notice 
Being transparent and providing accessible information to individuals about how we use their personal data is important.  Siamo Group has Privacy Notices on its website and on team noticeboards.  In addition, there is a Data Control Log [Appendix A] which is owned and updated by HRBP. 
The Data Control Log contains information on what data is held, where it is stored, how it is used, who is responsible and any retention timeframes that may be relevant.  This Data Control Log will be audited on a regular basis to manage and mitigate any risks associated with data protection. 


Consent 
Data that is collected is subject to active consent by the data subject.  This consent can be revoked at any time.  


Data portability 
Upon request, a data subject should have the right to receive a copy of their data in a structured format.  These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.  A data subject may request that their data is transferred directly to another system.  This will not incur an administration fee.     
 

Right to be forgotten 
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request.  An erasure request can only be refused if an exemption applies, for example the data must be held in order to comply with a legal obligation or in relation to the contract of employment. 


Privacy by design and default 
Privacy by design is an approach to projects that promote privacy and data protection compliance from the start.  HRBP will be responsible for conducting Privacy Impact Assessments and ensuring that all projects that involve personal / sensitive data commence with a privacy plan, for example, introducing a new customer relationship management system or a new payroll management system.  


International data transfers 
While it is not anticipated that Siamo Group will undertake an international data transfer, should the requirement arise, HRBP will be involved in any discussion where data is to be transferred to a country out of the EEA, for example, the provision of personal data to obtain a visa for international travel.  Prior to transfer, specific consent must be obtained from the data subject. 

For reference data is protected in the EU / EEA under GDPR and in the USA under The Privacy Shield.  Further information is available on www.ico.org.uk. for countries not listed above.   

Consequences of failing to comply with this policy
Siamo Group takes compliance with this policy very seriously.  Failure to comply puts individuals and Siamo Group at risk.  The importance of this policy means that failure to comply with any requirement may lead to disciplinary actions under our Disciplinary and Grievance Policy which may result in dismissal.   

Individual Consent
I hereby confirm that I have read and fully understand the terms of the 
Siamo Group Data Protection Policy.  I agree to comply with the policy at all times and confirm that I understand how to raise concerns about any potential breach of this policy.  I understand I have the right to receive regular training and updates on data protection. 

 

 

 

iintegra GDPR data management summary

PLEASE NOTE: This is a bullet point summary of our commitments and practices under the GDPR, the full statement can be found below.

Who are we and who sees your data

We are iintegra Ltd. We provide the software the recruiter uses to manage your application and are the primary "Data Processor" dealing with your application.

For direct recruiters, they are a "Data Controller", for agencies, depending on their recruitment practice, they may be a "Data Controller" (usually for temp role recruitment) or "Data Processor" (usually for permanent roles with an employer).

There may be other data processors involved in the process and you will be informed of their involvement. If we need to, we will ask you before providing these third parties with your data. Some third parties can be passed limited data about you without the need for consent.

Information Gathered

When processing an application, we gather the following information as a minimum:

This data is used to enable a recruiter to contact you about the vacancy you've applied to.

When you apply via a job board, sometimes, they send more information than we require. We store this extra information for auditing purposes only. This data may include prior work experience and other employment information you have provided to them in the past.

The Data Controller can ask for further information when processing your application using custom forms defined by them. Custom form data is only ever processed in relation to your application.

Consent and you

Storing and protecting your data

Complaints and requests for information

For more details on any of these points, please refer to our full GDPR data management statement.

About your application process

There may be several stages of your application that allow us to process your data in an automated, semi-automated or manual way, each of which is described below.

Telephone Interview

During your application, we will want to speak to you on the phone.

You may be contacted by one of our recruiters or a third party agent acting on our behalf who will want to discuss the role with you and your reasons for applying. You may also be asked some specific questions that the employer has set out for the application process.

Talent Network Consent Request

As part of your application, if you have not provided explicit consent, we may need to ask you for consent later in the process to do something specific to your application.

If we require consent to perform a specific action, we will automatically e-mail you and ask that you provide consent. If you decline or do not provide consent within a pre-defined response time, we will assume that you do not consent and will proceed with your application in a way that is permitted under legitimate interest.

iintegra GDPR data management statement

Introduction

iintegra Ltd ("iintegra") takes the privacy and security of your information very seriously. This policy explains how and for what purposes we use the information collected about you via the iintegra Talent Acquisition Platform (referred to below as the “TAP”). Please read this data management policy carefully.

For the purposes of the GDPR, iintegra is classed as a Data Processor and processes your information on behalf of the Data Controller.

If you have any queries about the policy, please get in touch with us using the contact details set out here and we will do our best to answer your questions.

Service Providers

iintegra uses the Azure platform from Microsoft to deploy its servers. All of the servers used by the iintegra platform are restricted to physical locations based in the European Union.

Microsoft and its employees do not have access to any data stored on the iintegra platform. However, restricted access may be required occasionally to assist with technical issues as they arise.

Personal information collected

The TAP is configurable on a client by client basis to collect any data they deem reasonable for the purposes of recruiting individuals to open positions that they have.

The TAP requires a minimum of information to start an application which is set out below:

The TAP may be configured by the client to request additional information from you in furtherance of your application.

Use of this information

The TAP uses the information you provide to assist our client in the management of the application.

Sharing this information

Where our client requires a third party to process your data, we will make the minimal amount of information available for the process to work. Your data may be shared with a third party as part of your application process for the purposes of telephone interview, assessment or background checks.

Security

We have implemented technology and policies to safeguard your privacy from unauthorized access and improper use. We use secure sockets, currently implementing the TLS v1.2 standard to encrypt any personal information you need to input before it is sent to us. Your password is stored as a one-way hash (a special string of characters mathematically generated using your password as a starting point) using the SHA-512 hashing algorithm which does not contain any trace of your original password. When you login, we re-calculate the hash based on the password you provide and compare it with the hash we store.

All of your data is stored within encrypted databases and on storage mediums with encryption enabled. This is typically referred to as encryption at rest.

Control over your information

As the data processor, we provide services and facilities that help you to manage your data and exercise your rights according to the GDPR. These facilities are outlined below:

Your right to withdraw consent

At any time, you can access your application management portal and withdraw your consent for each application individually. When you withdraw consent, your application will still be processed but under the stricter "Legitimate Interest" clauses of the GDPR.

Your right to be forgotten

In addition to the ability to withdraw your consent for individual applications, you can at any time remove either individual applications or all of your data from iintegra in your account. When you do this, anonymised copies of your applications are retained for reporting purposes.

Your right to complain

If you are unhappy with the way your data has been handled, you have the right to complain at any time. If you wish to make a complaint, please contact our Data Protection Officer via our Support portal by emailing help@iintegra.com. You also have the right to lodge complaints with the Information Commissioners Office. Please visit https://ico.org.uk/concerns/ for further information or to start a live chat. Alternatively, you may call the ICO on 0303 123 1113.

How we prevent duplicate applications

When you make your application, we store a one-way hash of your e-mail address against the vacancy to which you apply in order to detect and prevent duplicate applications. This hash is not connected to your personal data and will be retained if you remove an application or your entire account.

When you apply to a vacancy, we calculate a one-way hash of the e-mail address you provide and compare the hash against any previous hashes we have stored for that vacancy. If we find a match using this technique, we prevent the application from being made.

Updates to this Notice

We review the ways we manage your information in accordance with the guidelines and legal requirements set out by the GDPR and other relevant Data Protection acts. As a result of these reviews we may change how we manage and store the information collected and who we share it with. Consequently, this privacy notice may be updated from time to time.

Contact

Contact us with your views about our privacy practices, or with any enquiry relating to your personal information. You can do so by sending an e-mail to the data officer or write to us at Unit 42 The Quarters, New Street, Hinckley, LE10 1QY.

Date : 30/Apr/2018