We intend to comply with all our legal obligations under the Data Protection Act 2018 and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security.
The principles of GDPR are that data must:
- be collected and processed only for specified, explicit and legitimate purposes;
- be adequate, relevant and limited to what is necessary;
- be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
- not be kept for longer than is necessary for the purposes for which it is processed;
- be processed securely and confidentially, protecting against unauthorised / unlawful processing, accidental loss, destruction or damage; and
- be processed lawfully, fairly and transparently.
- We will only ask you what we really need to know
- We will collect and use the personal data that you share with us transparently, honestly and fairly
- We will always respect your choices around the data that you share with us and the communication channels that you ask us to use
- We will put appropriate security measures in place to protect your personal data
- We will never sell your data
What is personal data?
Personal data relates to information about a living person (a ‘data subject’) who can be identified from that data on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person.
This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
What information we have?
This personal data will be provided to us by you when using Action Deafness Services. Whether you book an interpreter, use our Personal Assistant Community services, make a website purchase or use our training services we will require information to effectively provide our service. It could also be provided or created during the recruitment process or during the course of the contract of employment or provision of services or after its termination.
Data gathered may include name, address, contact details, dates of birth, gender, marital status and family details, information detailed on a CV including educational history, employment history, financial details such as pay and bank details, tax details such as NI number, references, identification documents such as driving licence. The level of information will vary depending on the service that we provide and whether you are employed with us or not.
Additional information for employees and applicants:
Applicant data is held and stored within the EasyWeb ATS (Applicant Tracking System). Applicant data will be kept up to and including 365 days of inactivity, after which point the data will be cleansed. EasyWeb ATS operating under
The sort of personal data we hold about you usually includes: your application form and references; your contract of employment and any amendments to it; correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; information needed for equal opportunities monitoring; and records relating to your career history, such as training records, appraisals, other performance measures, attendance and, where appropriate, disciplinary and grievance records.
We use your personal data to administer payroll, pensions, training and appraisal, monitor equal opportunities, employ you and manage your access to various services such as IT facilities and buildings, in order to fulfil the contract between you and us. In addition, we are legally obliged to collect, retain and disclose certain information about you, for example to ensure you pay the correct rate of taxation, to fulfil our statutory reporting duties and comply with other obligations. As part of this, relevant and necessary data may be shared with the following operations partners:
- Peepul Centre (Leicester Managed Office)
- Loughborough University (Loughborough Managed Office)
- Disability Direct (Derby Managed Office)
- Air IT (Managed IT Supplier)
- Pay Academy (Payroll Service Provider)
We may also use special category personal data, such as ethnicity, disability and sexual orientation data to monitor and promote equality and diversity, should you choose to disclose this information. The legal basis for this is your explicit consent, which you are free to withdraw at any time.
Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage any sick pay.
If you are referred to OH, or refer yourself, you will be directed to or given information about how that department will use and share the personal data it collects from you.
Sometimes we will pass information about you to third parties, where the law allows it. For example, we would confirm the dates and nature of your employment here to a prospective employer. We provide information to your provider if you join a pension scheme. We will share information with other parties who may be responsible for part or all of your employment. You should refer to the privacy notices of these other organisations where applicable. We will share information with HMRC for U.K. taxation purposes. We do not give or sell your information to other organisations.
How we use your personal information?
Action Deafness will only use your information to process the service that you have requested. In order to carry out our obligations under contract, we must process the information you give us.
We will use your personal data for:
- performing the contract of employment or provision of services between us;
- complying with any legal obligation; or
- if it is necessary for our legitimate interests (or for the legitimate interests of someone else).
If you choose not to provide us with certain personal data you should be aware that we may not be able to carry out certain parts of the contract between us.
We will never sell your information to another party, nor will it be used for any other purpose than the one we have agreed.
How long we keep your data?
We will only retain your personal data for as long as:
- it is needed for the purposes set out in this document
- the law requires us to
In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.
Information we process because we have a legitimate reason
Wherever possible, we aim to obtain your explicit consent to process this information.
Sometimes we might share your personal data with contractors, agents and third parties to carry out our obligations under our contract with you. We require those companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. We are only permitted to process your data for the purpose for which it has been shared and in accordance with our instructions.
We will disclose your personal information where required to do so by law or in accordance with any safeguarding concerns.
When we receive a complaint, we record all the information you have given to us. We use that information to resolve your complaint. If your complaint reasonably requires us to contact some other person, we may decide to give to that other person some of the information contained in your complaint.
We may also compile statistics showing information obtained from this source to assess the level of service we provide, but not in a way that could identify anyone.
Retention and Review or update or remove personally identifiable information
We will only keep personal data for as long as necessary for the purposes required by us to provide the services you have requested, in accordance with any retention period prescribed by law.
- You have the right to information about what personal data we process, how and on what basis.
- You have the right to access your own personal data. There is no fee for this.
- You have the right to rectification of any inaccuracies in your personal data.
- You have the right to be forgotten and request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected.
- You have the right to restrict the processing of personal data whilst it is being corrected or erased, or whilst you are contesting the lawfulness of our processing.
- You have the right to request portability of data. We will aim to do this within one month.
- You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.
- You have the right to object if we process your personal data for the purposes of direct marketing.
- With some exceptions, you have the right not to be subjected to automated decision-making.
- You have the right to be notified of a data security breach concerning your personal data.
Security and access of your personal data
We endeavour to ensure that there are appropriate and proportionate technical and organisational measures to prevent the loss, destruction, misuse, alteration, unauthorised disclosure of or access to your personal information.
We have very secure processes and firewalls in place to ensure your data is completely safe and protected. All computers and laptops have firewalls installed and are password protected to prevent any dangerous malware issues.
Action Deafness are accredited with ISO 27001:2013 Information Security Management System and we are audited on an annual basis to check our compliance.
Your information is only accessible by the appropriate members of staff within Action Deafness and all our staff have received Data Protection Training and receive ongoing training.
How to deal with data breaches
We have many procedures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of you or someone else) then we would take detailed notes and keep evidence of that breach and notify all parties concerned. If the breach is likely to result in a risk to the rights and freedoms of individuals, then we must also notify the Information Commissioner's Office within 72 hours.
All staff receive training on the policy, new staff as part of an induction process.
We are not required by law to have a Data Protection Officer. If you have any queries, concerns or requests you may contact us at:
Advanced Technology Innovation Centre
5 Oakwood Drive
Loughborough. LE11 3QF
Tel : 0844 593 8440
Email : [email protected]