Data controller: Verve Personnel Limited
Verve Personnel Limited is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.
Verve Personnel Limited (“the Company”) collects, stores and processes personal data relating to its workers and employees in order to manage the employment relationship. This Privacy Notice sets out how the Company collects and uses personal information about you during and after your working relationship with us.
This Privacy Notice applies to current and former employees, workers and contractors. This notice does not form part of a contract of employment or any contract to provide services and may be updated at any time.
The Company is committed to protecting the privacy and security of your personal information. The Company is committed to being clear and transparent about how it collects and uses that data and to meeting its data protection obligations.
Data protection principles
The Company will comply with data protection law. This means that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with these purposes
- Relevant to the purposes we have told you about and limited to those purposes only
- Accurate and kept up to date
- Kept only for such time as is necessary for the purposes we have told you about
- Kept securely
Information we may hold and process
The Company collects and processes a range of personal information (personal data) about you. Personal data means any information about an individual from which the person can be identified. This includes:
- personal contact details, such as your name, title, address and contact details, including email address and telephone number
- date of birth
- the terms and conditions of your employment
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the Company
- information about your remuneration, including entitlement to benefits such as pensions;
- details of your bank account, tax status and national insurance number
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK
- copy of driving licence
- details of periods of leave taken by you, including holiday, sickness absence, family leave, and the reasons for the leave
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- assessments of your performance, including appraisals, training you have participated in, performance improvement plans and related correspondence
- CCTV footage and other information obtained through electronic means e.g. swipe card records
We may also collect, store and use the following special categories of more sensitive personal information:
- information about medical or health conditions, including whether or not you have a disability for which the Company needs to make reasonable adjustments
- details of trade union membership
- information about your criminal record
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
- biometric data such as fingerprint or finger vein scans
The Company collects this information in a variety of ways. For example, data is collected through the application and recruitment process and during work-related activities throughout the period of working for us.
In some cases, the Company collects personal data about you from third parties, such as references supplied by former employers and information from employment background checks.
Data is stored in a range of different places, including in your personnel file, in the Company’s HR systems and in other IT systems (including the Company’s email system).
Why the Company processes personal data
The Company needs to process data to meet its obligations under your terms and conditions of engagement.
In addition, the Company needs to process data to ensure that we are complying with our legal obligations, for example, we are required to check an employee’s entitlement to work in the UK.
In other cases, the Company has a legitimate interest in processing personal data before, during and after the end of the employment relationship.
Situations in which we will use your personal information
Situations in which we will process your personal information are listed below:
- making decisions about recruitment and promotion processes
- maintaining accurate and up-to-date employment records and contact details (including details of whom to contact in the event of an emergency), and records of contractual and statutory rights
- checking you are legally entitled to work in the UK
- gathering evidence for, and keeping a record of, disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- paying you and, in the case of employees, making deductions for tax and National Insurance
- making decisions about salary reviews and compensation
- operating and keeping a record of employee performance and related processes
- keeping records of training and development requirements
- operating and keeping a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
- ascertaining your fitness to work
- operating and keeping a record of other types of leave (such as maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- ensuring effective general HR and business administration
- providing references on request for current or former employees
- dealing with legal disputes involving you or other employees, workers and contractors
- facilitating equal opportunities monitoring in the workplace
If you fail to provide personal information
If you do not provide certain information when requested, the Company may not be able to perform the contract we have entered into with you, such as paying you or providing a benefit. You may also have to provide the Company with data in order to exercise statutory rights, for example in relation to statutory leave entitlements.
Change of purpose
The Company will only use your personal information for the purpose for which it was collected unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will advise you of this and explain the legal basis which allows us to do so.
You should be aware that we may process your personal information without your knowledge or consent where this is required or permitted by law.
How sensitive personal information is used
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (for example, in relation to employees and workers with disabilities and for health and safety purposes).
The Company, in conjunction with clients and service providers, uses fingerprint or vein scanning at certain client sites for the sole purpose of clocking in and out in order to record working time and to ensure that entitlement to holiday pay is properly calculated. This is only used at the sites of clients who operate fingerprint or vein scanning clocking in systems and is collected and used with the express consent of the employees or workers. You are entirely free to decide whether or not to provide such data and there are no adverse consequences of failing to do so. Further information about the use of biometric data is included in the Company’s Biometric Time and Attendance Data Policy, which is at Appendix 1 of this policy.
Where the Company uses other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or philosophical belief, this is done for the purposes of meaningful equal opportunities monitoring or reporting.
Data used by the Company for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. You are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
Information about criminal convictions
We envisage that we will hold information about criminal convictions. We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
Our employment decisions are not based solely on automated decision-making.
The Company will only hold your personal data for as long as is necessary to fulfil the purposes we collected it for, including any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Who has access to data?
Your information will be shared internally, including the finance department, human resources and managers.
The Company shares your data with third parties where required by law, where it is necessary in order to administer the working relationship with you or where we have another legitimate interest in doing so.
The Company may also share your data with other third parties, for example, in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
The Company will not transfer your data to countries outside the European Economic Area.
The Company takes the security of your data seriously. The Company has internal policies and controls in place to prevent your data being lost, accidentally destroyed, misused or disclosed, and to ensure that it is not accessed except by its employees in the performance of their duties. Details of these measures are available on request.
When the Company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please be sure to keep us informed if your personal information changes during your time working with us.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request (known as a “data subject access request”);
- require the Company to change incorrect or incomplete data;
- request erasure of your personal information. This enables you to ask the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing; and
- ask the Company to suspend the processing of your personal data for a period of time if data is inaccurate or there is a dispute about its accuracy or the reason for processing it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
If you would like to exercise any of these rights, or you have any questions about the Privacy Notice, please contact the Data Protection Officer.
If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office.
Changes to this Privacy Notice
We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
Appendix 1 – Biometric Time & Attendance Data Policy
Certain clients to whom the Company provides agency workers use fingerprint or vein scanning for the purpose of monitoring working time and attendance.
The Company engages TimeTarget to operate the fingerprint or vein scanning time recording system at the client. This policy explains how the data is collected and processed and how it is used.
How Does TimeTarget Technology Work?
TimeTarget hosts its clients on Amazon Web Services (AWS) which has a number of data security features, including:
- All data is hosted in the client’s regional AWS Availability Zone;
- Two-factor authentication for our internal super users to access the AWS environment;
- AWS Identity and Access Management for all internal super users;
- Instance security and networking including VPC, firewalls and private & dedicated endpoint management;
- Active monitoring and logging.
More information on AWS is located at: https://aws.amazon.com/compliance/gdpr-center/
As standard, all data is encrypted in transit (for example when communicated from a kiosk or mobile device to the main database) and key personal data is encrypted in the database at rest. Full database encryption at rest is available for an additional fee.
The vein scan template recorded by the system (if used) is stored as a 1142 character binary string which cannot be reverse engineered into an image or used with any other biometric system.
TimeTarget engages external experts to conduct penetration testing on an annual basis to ensure its product remains secure.
Data from different clients is logically separated on AWS servers and protected by MS SQL permissions, MS Access Level Security and GPO.
All TimeTarget laptops and USB are encrypted with BitLocker. TimeTarget’s internal network is protected by industry standard anti-virus and firewall products with strong password requirements for its staff.
TimeTarget’s software uses individually configurable access levels to restrict (or allow) access to users across hundreds of combinations to ensure that the staff of its clients only have access to the data they need to access. All data activities are managed and logged using a centralised Endpoint Manager.
The Company is committed to seeking explicit consent from each and every new worker or employee before any data is collected. The Company will also seek to renew consent via a declaration from each of the existing workers and employees. Consent is not a condition of being assigned work. Consent can be withdrawn at any time by notifying the nominated Data Protection Officer of the intention to withdraw consent either in person, via telephone, e-mail or in writing. Where consent is not given, or is withdrawn, an alternative method of time and attendance recording will be provided. Withdrawal or refusal of consent will not be penalised in any way.
Collection and use of Biometric data
The Company is committed to fair use of any biometric data belonging to any and all employees and workers. Any use of such data will be limited to a specific purpose – to enable the Company to accurately record and monitor time and attendance when workers or employees come in and leave work and to assist in calculating Holiday entitlement. This data will not be used for any other purpose.
The Company strongly believes the biometric time and attendance system works for the benefit of the workers and employees and in their interest.
Benefits of Biometric Time and Attendance System
- Security and Safety – in case of emergency the system produces a Fire Report, so that the Company or the Hirer, as the case may be, will know exactly which staff are present on the premises and everyone is accounted for in case of emergency or evacuation.
- Accuracy and Fairness – on the basis of available Time and Attendance data the system automatically calculates how much holiday the worker or employee accrues through working, and is able to calculate to the minute the time worked and how much the worker or employee is due to be paid for said time.
- Accessibility and Ease of Use – There is no PIN to remember and no key to carry around that can be lost or stolen. Clocking in and out is swift, straightforward and simple.
Storage of Biometric Data
The Company is committed to the secure storage of all workers’ and employees’ personal data, including biometric data. All such data is protected by technical security measures, such as encryption, authentication, firewalling and password restricted access required to view any of the time and attendance records.
Please note that in terms of biometric data the access to that data is only granted as outlined above to the time and attendance record which has already undergone encryption, not the biometric data itself (shift start and finish time, not the image of a scanned fingerprint).
Transfer and Disclosure of Biometric Data
No biometric data will ever be transferred, disclosed, shared or used for commercial or any other purpose. No biometric data will ever be transferred to, or allowed access by any other third party.
Destruction of Biometric Data
All biometric data will be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
All inquiries about this policy, including requests for exceptions or changes should be directed to the HR department or the Data Protection Officer via e-mail.
This policy shall be available to all employees and workers of the Company as well as all new workers and employees via the Company website and will be appended to the Privacy Notice within the Staff Handbook or via alternative means as deemed appropriate by the Data Protection Officer.
This policy is effective as of 14 February 2019.
The Data Protection Officer is responsible for the maintenance and accuracy of this policy. Notice of significant revisions shall be provided by the Company.
Data Protection Policy
The General Data Protection Regulation (GDPR) defines personal data as any information relating to an identified or identifiable natural person (a data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The Company holds personal data that is directly relevant to its employees. That personal data shall be collected, held, and processed in accordance with employee data subjects’ rights and the Company’s obligations under the GDPR and with this policy. The Company may collect, hold, and process personal data such as that detailed below:
- Identification information relating to employees such as names and contact details
- Equal opportunities monitoring information (such information shall be anonymised where possible) such as age, gender, ethnicity, religion etc.
- Health / medical records such as absence details, medical conditions, disabilities, medication and allergies.
- Employment information, such as interview notes, CVs, performance reviews, disciplinary records, salary information and grievance information
Please note, this list is not exhaustive.
The Company will only collect and process personal data for, and to the extent necessary for, the specific purpose or purposes of which employee data subjects have been informed (or will be informed).
Special Category Data
If the personal data in question is special category data (also known as sensitive personal data), e.g. data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation, at least one of the following conditions must be met:
- The data subject has given their explicit consent to the processing of such data for one or more specified purposes
- The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law
- The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
The Processing of Personal Data
The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:
- The data subject has given consent to the processing of their personal data for one or more specific purposes
- The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them
- The processing is necessary for compliance with a legal obligation to which the data controller is subject
- The processing is necessary to protect the vital interests of the data subject or of another natural person
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data.
Accuracy of Data
The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of an employee data subject.
The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Data Protection Impact Assessments
The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of employee data subjects under the GDPR.
Rectification of Personal Data
Employee data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.
The Company shall rectify the personal data in question, and inform the employee data subject of that rectification, within one month of the employee data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the employee data subject shall be informed.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
Erasure of Personal Data
Employee data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
- It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
- The employee data subject wishes to withdraw their consent to the Company holding and processing their personal data;
- The employee data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so);
- The personal data has been processed unlawfully;
- The personal data needs to be erased in order for the Company to comply with a particular legal obligation.
Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the employee data subject informed of the erasure, within one month of receipt of the employee data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the employee data subject shall be informed.
In the event that any personal data that is to be erased in response to an employee data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
Restrictions and Objections to Personal Data Processing
Employee data subjects may request that the Company ceases processing the personal data it holds about them. If an employee data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
Where an employee data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the employee data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
Subject Access Request Procedure
Data subjects may make a subject access request (SAR) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.
Data subjects wishing to make a SAR may do so in writing, using the Company’s SAR form. Responses will be provided within a month of receiving the SAR. If the SAR is complex or numerous requests are made, this time may be extended, in which case the individual will be notified.
No fee will be charged for a SAR; however, charges may be made for additional copies of information provided or if requests are deemed to be excessive.
The Company is able to decline a SAR if it is unreasonable, excessive or unfounded.