Privacy Notice for Job Applicants, Current and Former Employees
Diamond is committed to protecting the privacy and security of your personal data. This Notice describes how we collect and use your data during and after your employment with us. This may be supplemented by additional privacy notices in certain specific instances, which set out in further detail how and why we use your personal data.
This Notice applies to all Diamond employees (i.e. those employed on a Diamond contract of employment) including those on fixed-term contracts (“you”). It does not apply to agency workers, consultants or self-employed contractors.
This Notice is not contractual and does not form part of an employee’s terms and conditions of employment, and may be subject to change at the discretion of Diamond.
The content of this Notice is not exhaustive. Instances may occur that fall outside of the areas covered in this document. Diamond reserves the right, whilst acting fairly and reasonably, to take such measures as are necessary in each individual case.
Diamond is the data controller for the information that we hold about you as a result of your employment at Diamond. We decide how to use your data and we are responsible for managing your personal data.
Diamond’s Directors have overall responsibility for this Notice and have delegated the day to day responsibility for its operation to the Head of HR. Any queries or suggestions relating to this Notice should be addressed to the Head of HR and sent to firstname.lastname@example.org.
Personal data is any information relating to an identified or identifiable individual and from which that individual can be directly or indirectly identified. It does not include information where your identity has been removed (anonymised information).
Sensitive personal data is information relating to an identified or identifiable individual that falls within special categories, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, sex life or sexual orientation.
The personal data that we expect to collect, hold and use about you is likely to include the following. This list is not exhaustive but is intended to give you a clear idea of the personal data about you which we process:
- Personal details such as name, title, addresses, telephone numbers, and personal email addresses, date of birth, gender, marital status and dependents, National Insurance number, copy of driving licence and/or other photographic ID such as a passport;
- Next of kin and emergency contact information;
- Bank account details, payroll records and tax status information;
- Salary, annual leave, pension and benefits information;
- Start date and termination date;
- Location of employment or workplace;
- Recruitment information (including copies of right to work documentation, references, interview notes and opinions taken during and following interviews and other information in a CV or cover letter as part of the application process including applications for alternative roles whilst employed) which may be electronic or physical copies;
- Employment records (including job titles, work history, working hours, training records, contracts and professional memberships, absence records including holiday records, self-certification forms and medical certificates);
- Details of your professional qualifications and education history;
- Compensation history;
- Performance information;
- Disciplinary, conduct and grievance information;
- CCTV footage and other information obtained through electronic means such as access card records;
- Information about your use of our information, communication and technology systems;
- Information relating to expense claims;
- Your vehicle registration number;
- Details of your working hours and attendance records;
- Any results of any test including psychometric, typing, or other skills tests included in the recruitment process;
- Information in applications you make for other positions within Diamond;
- Details of your use of business-related social media;
- Details in references about you that we provide to others;
- Communications with those responsible for managing you, others working with you and with HR in particular.
The above may include ‘special categories’ of more sensitive information such as:
- Information about your race, ethnicity, religious beliefs and sexual orientation. This personal data will only be processed where you have volunteered it and we need to process it in order to ensure meaningful equal opportunity monitoring and to meet our statutory obligations under the Equality Act 2010 and other relevant legislation;
- Trade union membership. This personal data will be used to pay trade union premiums, register the status of a protected employee and to comply with employment legislation;
- Information about your health, including any disability and/or medical condition, health and sickness records. This information will only be processed where it is necessary (for example to record absence from work due to sickness, to arrange to make appropriate payments for sick pay, to determine your fitness for work or to determine whether it is necessary to make reasonable adjustments for disability). Processing of this nature is necessary to carry out our obligations and/or exercise our rights as an employer, for the purposes of occupational health and for the assessment of the working capacity of employees. There may also be circumstances where we ask for your explicit consent to share data about your health;
- Biometric data. This information may be used as part of the recruitment process so as to comply with right to work checks and for the purpose of accessing electronic, communication and technology systems;
- Information about criminal convictions and offences, including proceedings or allegations. Data about spent criminal convictions or any barring decisions will only be collected for particular roles, where we are legally required to do so and where we have told you that we are collecting this information. If a post requires additional screening you will be advised before the screening takes place. We may also process data relating to criminal conduct for disciplinary reasons in order to exercise rights under our contract with you.
We will only process sensitive personal data where absolutely necessary, specifically including in order to defend legal claims. We will ensure that any sensitive personal data is kept securely and only seen by those who have to see it.
The provision of information for us to monitor diversity is voluntary and will be anonymised as far as possible. You have the right to tell us to edit/delete personal data that you have provided to us and that you no longer wish us to process for the purpose of monitoring diversity.
We do not need your consent if we use special categories of your personal data in accordance with our written policy to carry out our legal obligations or exercise specific rights in accordance with employment legislation. For example, to ensure we provide you with a safe place of work or to consider making reasonable adjustments. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive personal data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. It is not a condition of your contract with us that you agree to any request for consent from us.
We obtain the vast majority of information directly from you through the application and recruitment process. We may also obtain information from third parties, such as employment agencies, background check providers or referees.
We will collect additional information about you during your contract with us. This will usually be directly from you, but may be from third parties such as medical practitioners, pension administrators, insurance administrators, your trade union, other employees, consultants and other professionals we may engage to advise the business, CCTV and access control systems, communication systems, remote access systems, telephones, voicemails, mobile phone records, tools to monitor use of communication systems and data-loss prevention tools.
We will comply with data protection law by taking steps to ensure that the information that we hold about you is:
- Used lawfully, fairly and in a transparent way;
- Only collected for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes we have explained to you and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purpose we have explained to you; and
- Kept securely.
We will retain your personal data so long as it is necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal data in accordance with our Data Retention Policy.
We are clear on the purpose for which we collect your personal data and rely on a number of lawful reasons for processing your personal data arising out of your relationship with Diamond. Unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose, we will not change the original purpose for collecting your personal data. It is important to be aware that we may process your data without your knowledge or consent where this is required or permitted by law. Your personal data is collected for the purposes and reasons set out below. These reasons are not mutually exclusive, and may be used by Diamond under more than one heading for the same personal data:
A. It is necessary for the performance of your contract with us
We need to process your personal data in order to meet our obligations or exercise rights under your contract with Diamond. Information processed for this purpose includes, but is not limited to, personal data relating to: payroll; your pension; your bank account; your postal address, email address and telephone number; administering the contract we have entered into with you; emails sent or received by you or between other employees, which are stored by Diamond; any record of absence; sick pay; annual leave; family leave and pay; emergency contacts; training and development; conducting and managing performance reviews; making decisions about salary reviews and compensation; making decisions about your continued employment; making arrangements for the termination of our working relationship; reward and recognition; research and teaching; disciplinary matters; criminal convictions or barring decisions; health and safety; providing benefits to you and security. Your failure to provide us with this information may impair our ability to fulfil our obligations to you and/or our ability to comply with other legal obligations.
B. It is necessary for us to comply with our legal obligations
We need to process your data in order to meet legal obligations, such as those relating to immigration, health and safety, equal opportunities and employment legislation. Information processed for this purpose includes, but is not limited to, information relating to tax; national insurance; auto-enrolment for pension; statutory sick pay; statutory maternity, adoption, paternity and shared parental pay; family leave; work permits or immigration status; management of health and safety and equal opportunities monitoring. We are required to disclose much of this data to government departments or agencies.
C. It is necessary for our legitimate interests or the legitimate interests of a third party
“Legitimate Interests” means Diamond’s interests in conducting and managing our business, including the governance and operation of Diamond to ensure that we are able to manage our employees throughout the duration of their contract with us and beyond. It may, in limited circumstances, also include the legitimate interests of a third party. Examples of such processing include (but are not limited to) the following:
- Internal reporting;
- Policy development;
- Business management and planning;
- Accounting and audits;
- Administration of health and safety;
- Administration of grants;
- Administration of loans and/or benefits;
- Activities arising from your membership of Diamond committees or similar bodies;
- Your participation in events and other activities organised in support of Diamond's objectives;
- To enable us to deal with and/or defend any dispute or legal proceedings including accidents at work;
- To gather evidence for possible grievance or disciplinary hearings;
- To establish whether you are suitable for the role that you have applied for;
- To enable us to monitor your business performance and protect our business interests;
- To monitor your use of our information, communication and technology systems to ensure compliance with our IT policies;
- Security, including CCTV;
- Maintenance of IT systems, including information security; and
- Potential conflicts of interest.
D. Where it is necessary for the performance of a task carried out in the public interest
We may need to process your data for purposes related to academic research and research related administration in order to ensure that the scientific information generated by Diamond is published in accordance with normal academic practice and to ensure that Diamond is able to facilitate the advancement of science for public benefit in accordance with Diamond’s objects. We may also need to process your personal data for the purposes of education and training in order to fulfil Diamond’s objective of promoting public awareness and understanding of the facility and for public benefit. Research and related teaching are tasks that we perform in the public interest in order to fulfil our responsibility to our stakeholders. Information processed for these purposes includes, but is not limited to: your personal details; records of research and/or activity; correspondence sent or received by you or between other employees; and funding applications or grants.
E. Where none of the other lawful reasons apply, but it is necessary to protect your life or the life of someone else
While these situations are likely to be rare, if for example you were to become seriously unwell or have an accident during recruitment or employment, we may need to provide medical practitioners with personal data about you.
In certain limited circumstances we may rely on your consent to process your personal data. Where we rely on your consent, we will make this expressly clear and we will ask you to volunteer the information. We would typically rely on your consent when asking you to participate in surveys or where we ask you to share sensitive personal data with us.
We may share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
The following activities are carried out by third-party service providers:
Science and Technology Facilities Council / UK Research and Innovation: Provision of IT and RAL site services and vehicle insurance services.
Electronic Recruitment (Hireserve): If you use our online application system, you will provide the requested information to Hireserve who provide this online service for us. Once you click ‘apply now’ you will be taken to Hireserve’s website and they will hold the information you submit but Diamond will have access to it. We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, and for answers to questions relevant to the role you have applied for. HR will have access to all of this information. You will also be asked to provide diversity information. This is not mandatory information – if you do not provide it, it will not affect your application. This information will not be made available to any employees outside of HR in a way which can identify you. Any information you do provide will be used only to produce and monitor equality, diversity and inclusion statistics. Our hiring managers will receive a shortlist of applications for interview and they will not be provided with your name or contact details or with your diversity information if you have provided it. Hireserve will provide us with management information about our recruitment activity. This is anonymised information which tells us the effectiveness of campaigns, for example, from which source we received the most candidates.
HR Management System (Civica): If you accept a final offer from us, some of your personnel records will be held on a Civica HR & Payroll database, which is an internally used HR records system.
Pension Scheme (Research Council Pension Scheme): Details will be provided to the Joint Superannuation Services (JSS) who are the administrators of the Research Council Pension Scheme, of which Diamond is a member organisation. You will be auto-enrolled into the pension scheme and the details provided to JSS will be your name, date of birth, National Insurance number and salary.
Occupational Health (Cordell Health): Cordell Health provide our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to your working environment or systems so that you may work effectively. Cordell Health will send you a link to the questionnaire, which will take you to Cordell Health’s website. The information you provide will be held by Cordell Health who will provide us with a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you choose not to allow us to see the report, then this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Cordell Health.
KornFerry: We use Kornferry to administer our Employee Opinion Surveys. They are provided with employee names, email addresses, division, sex, grade, age (in 10 year brackets), full-time/part-time, tenure (in brackets), people manager (yes/no), employment status (fixed term / permanent).
Prospect: Prospect is our recognised union at Diamond. We provide a list of employee names to Prospect when you join Diamond in order for them to make contact with new starters.
Redrock: We provide Redrock with documents for bulk scanning which may contain sensitive personal data such as name, National Insurance number and pay details. Redrock sites are fully secured with access control and designated secure areas. Transportation from Diamond to Redrock is also via secure courier.
We may also share your personal details with the following third parties:
- Recruitment agencies which are from time to time involved in finding potential candidates. We share some personal data with them including feedback on candidates and information regarding the terms of any job offer;
- Insurance brokers may from time to time be involved in finding and liaising with third party benefit providers;
- Organisations that offer benefits to employees, such as travel schemes, nursery providers and employee assistance programmes;
- Relevant governmental departments or agencies, including those responsible for tax and immigration;
- Organisations with which you have a relationship, such as collaborators;
- Mortgage/Rental which is provided with the employee's consent at the time of the request. The information provided is the name, salary, date of commencement and whether employed in a fixed term role;
- Head Hunters/Agencies;
- Our internal and external auditors;
- External advisors (such as solicitors);
- Dosimetry service providers;
- Travel and accommodation providers;
- Mobile phone providers;
- Cloud based services such as Formsite.
We are taking steps to ensure that all third-party service providers are required to take appropriate security measures to protect your information in line with our policies. We will limit third-party service providers' use of your personal data for their own purposes and will be clear with them as to the specified purposes for which they are authorised to process your personal data.
Where information is shared with third parties, we will seek to share the minimum amount necessary. For example, we may share only your employee number and not your name (pseudonymisation) or we will anonymise it where practical.
There may be occasions when we transfer your personal data outside the EEA, for example, if we communicate with you using a cloud based service provider that operates outside the EEA, or if we seek a reference from a person outside the EEA. Such transfers will only take place if one of the following applies:
- The country receiving the data is considered by the EU to provide an adequate level of data protection;
- The organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection (for example transfers to companies that are certified under the EU-US Privacy Shield);
- The transfer is governed by approved contractual clauses;
- The transfer has your consent;
- The transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract;
- The transfer is necessary for the performance of a contract with another person, which is in your interests;
- The transfer is necessary in order to protect your vital interests or those of other persons, where you or other persons are incapable of giving consent;
- The transfer is necessary for the exercise of legal claims; or
- The transfer is necessary for important reasons of public interest.
It is important to note that we may display your name and/or email address, telephone number and limited employment history information on our website, which may be accessible to internet users, including those in countries outside the EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We are putting in place procedures that deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
It is important that the personal data we hold about you is accurate and current.
Under certain circumstances, by law you have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact HR in writing.
If you would like a copy of the personal data that Diamond holds about you or if you are a Diamond employee and you receive such a request from an individual, please send the request to email@example.com with the words "Subject Access Request" in the subject line and include specific details of the data requested. Please keep in mind that Diamond has a maximum of 30 days to respond.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact HR. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
This notice should be read in conjunction with any related privacy notices that Diamond may bring to your attention.
At Diamond we understand that there are differences amongst our employees in terms of the protected characteristics contained within the Equality Act 2010 (i.e. age, disability, gender reassignment, marriage & civil partnerships, pregnancy & maternity, race, religion or belief, sex (gender) and/or sexual orientation). We therefore aim to deliver policies, documents and services which are efficient and effective, accessible to all, and which meet our employees’ different needs. If you need any help to understand this document or require any appropriate support please contact HR.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
Date last revised: 25 May 2018