Diamond is committed to protecting the privacy and security of your personal data. This Notice describes how we collect and use your data during and after your employment with us. This may be supplemented by additional privacy notices in certain specific instances, which set out in further detail how and why we use your personal data.
This Notice applies to all Diamond employees (i.e. those employed on a Diamond contract of employment) including those on fixed-term contracts (“you”). It does not apply to agency workers, consultants or self-employed contractors.
This Notice is not contractual and does not form part of an employee’s terms and conditions of employment, and may be subject to change at the discretion of Diamond.
The content of this Notice is not exhaustive. Instances may occur that fall outside of the areas covered in this document. Diamond reserves the right, whilst acting fairly and reasonably, to take such measures as are necessary in each individual case.
Diamond is the data controller for the information that we hold about you as a result of your employment at Diamond. We decide how to use your data and we are responsible for managing your personal data.
Diamond’s Directors have overall responsibility for this Notice and have delegated the day to day responsibility for its operation to the Head of HR. Any queries or suggestions relating to this Notice should be addressed to the Head of HR and sent to firstname.lastname@example.org.
Personal data is any information relating to an identified or identifiable individual and from which that individual can be directly or indirectly identified. It does not include information where your identity has been removed (anonymised information).
Sensitive personal data is information relating to an identified or identifiable individual that falls within special categories, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, sex life or sexual orientation.
The personal data that we expect to collect, hold and use about you is likely to include the following. This list is not exhaustive but is intended to give you a clear idea of the personal data about you which we process:
The above may include ‘special categories’ of more sensitive information such as:
We will only process sensitive personal data where absolutely necessary, specifically including in order to defend legal claims. We will ensure that any sensitive personal data is kept securely and only seen by those who have to see it.
The provision of information for us to monitor diversity is voluntary and will be anonymised as far as possible. You have the right to tell us to edit/delete personal data that you have provided to us and that you no longer wish us to process for the purpose of monitoring diversity.
We do not need your consent if we use special categories of your personal data in accordance with our written policy to carry out our legal obligations or exercise specific rights in accordance with employment legislation. For example, to ensure we provide you with a safe place of work or to consider making reasonable adjustments. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive personal data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. It is not a condition of your contract with us that you agree to any request for consent from us.
We obtain the vast majority of information directly from you through the application and recruitment process. We may also obtain information from third parties, such as employment agencies, background check providers or referees.
We will collect additional information about you during your contract with us. This will usually be directly from you, but may be from third parties such as medical practitioners, pension administrators, insurance administrators, your trade union, other employees, consultants and other professionals we may engage to advise the business, CCTV and access control systems, communication systems, remote access systems, telephones, voicemails, mobile phone records, tools to monitor use of communication systems and data-loss prevention tools.
We will comply with data protection law by taking steps to ensure that the information that we hold about you is:
We will retain your personal data so long as it is necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal data in accordance with our Data Retention Policy.
We are clear on the purpose for which we collect your personal data and rely on a number of lawful reasons for processing your personal data arising out of your relationship with Diamond. Unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose, we will not change the original purpose for collecting your personal data. It is important to be aware that we may process your data without your knowledge or consent where this is required or permitted by law. Your personal data is collected for the purposes and reasons set out below. These reasons are not mutually exclusive, and may be used by Diamond under more than one heading for the same personal data:
A. It is necessary for the performance of your contract with us
We need to process your personal data in order to meet our obligations or exercise rights under your contract with Diamond. Information processed for this purpose includes, but is not limited to, personal data relating to: payroll; your pension; your bank account; your postal address, email address and telephone number; administering the contract we have entered into with you; emails sent or received by you or between other employees, which are stored by Diamond; any record of absence; sick pay; annual leave; family leave and pay; emergency contacts; training and development; conducting and managing performance reviews; making decisions about salary reviews and compensation; making decisions about your continued employment; making arrangements for the termination of our working relationship; reward and recognition; research and teaching; disciplinary matters; criminal convictions or barring decisions; health and safety; providing benefits to you and security. Your failure to provide us with this information may impair our ability to fulfil our obligations to you and/or our ability to comply with other legal obligations.
B. It is necessary for us to comply with our legal obligations
We need to process your data in order to meet legal obligations, such as those relating to immigration, health and safety, equal opportunities and employment legislation. Information processed for this purpose includes, but is not limited to, information relating to tax; national insurance; auto-enrolment for pension; statutory sick pay; statutory maternity, adoption, paternity and shared parental pay; family leave; work permits or immigration status; management of health and safety and equal opportunities monitoring. We are required to disclose much of this data to government departments or agencies.
C. It is necessary for our legitimate interests or the legitimate interests of a third party
“Legitimate Interests” means Diamond’s interests in conducting and managing our business, including the governance and operation of Diamond to ensure that we are able to manage our employees throughout the duration of their contract with us and beyond. It may, in limited circumstances, also include the legitimate interests of a third party. Examples of such processing include (but are not limited to) the following:
D. Where it is necessary for the performance of a task carried out in the public interest
We may need to process your data for purposes related to academic research and research related administration in order to ensure that the scientific information generated by Diamond is published in accordance with normal academic practice and to ensure that Diamond is able to facilitate the advancement of science for public benefit in accordance with Diamond’s objects. We may also need to process your personal data for the purposes of education and training in order to fulfil Diamond’s objective of promoting public awareness and understanding of the facility and for public benefit. Research and related teaching are tasks that we perform in the public interest in order to fulfil our responsibility to our stakeholders. Information processed for these purposes includes, but is not limited to: your personal details; records of research and/or activity; correspondence sent or received by you or between other employees; and funding applications or grants.
E. Where none of the other lawful reasons apply, but it is necessary to protect your life or the life of someone else
While these situations are likely to be rare, if for example you were to become seriously unwell or have an accident during recruitment or employment, we may need to provide medical practitioners with personal data about you.
In certain limited circumstances we may rely on your consent to process your personal data. Where we rely on your consent, we will make this expressly clear and we will ask you to volunteer the information. We would typically rely on your consent when asking you to participate in surveys or where we ask you to share sensitive personal data with us.
We may share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
The following activities are carried out by third-party service providers:
Science and Technology Facilities Council / UK Research and Innovation: Provision of IT and RAL site services and vehicle insurance services.
Electronic Recruitment (Hireserve): If you use our online application system, you will provide the requested information to Hireserve who provide this online service for us. Once you click ‘apply now’ you will be taken to Hireserve’s website and they will hold the information you submit but Diamond will have access to it. We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, and for answers to questions relevant to the role you have applied for. HR will have access to all of this information. You will also be asked to provide diversity information. This is not mandatory information – if you do not provide it, it will not affect your application. This information will not be made available to any employees outside of HR in a way which can identify you. Any information you do provide will be used only to produce and monitor equality, diversity and inclusion statistics. Our hiring managers will receive a shortlist of applications for interview and they will not be provided with your name or contact details or with your diversity information if you have provided it. Hireserve will provide us with management information about our recruitment activity. This is anonymised information which tells us the effectiveness of campaigns, for example, from which source we received the most candidates.
HR Management System (Civica): If you accept a final offer from us, some of your personnel records will be held on a Civica HR & Payroll database, which is an internally used HR records system.
Pension Scheme (Research Council Pension Scheme): Details will be provided to the Joint Superannuation Services (JSS) who are the administrators of the Research Council Pension Scheme, of which Diamond is a member organisation. You will be auto-enrolled into the pension scheme and the details provided to JSS will be your name, date of birth, National Insurance number and salary.
Occupational Health (Cordell Health): Cordell Health provide our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to your working environment or systems so that you may work effectively. Cordell Health will send you a link to the questionnaire, which will take you to Cordell Health’s website. The information you provide will be held by Cordell Health who will provide us with a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you choose not to allow us to see the report, then this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Cordell Health.
KornFerry: We use Kornferry to administer our Employee Opinion Surveys. They are provided with employee names, email addresses, division, sex, grade, age (in 10 year brackets), full-time/part-time, tenure (in brackets), people manager (yes/no), employment status (fixed term / permanent).
Prospect: Prospect is our recognised union at Diamond. We provide a list of employee names to Prospect when you join Diamond in order for them to make contact with new starters.
Redrock: We provide Redrock with documents for bulk scanning which may contain sensitive personal data such as name, National Insurance number and pay details. Redrock sites are fully secured with access control and designated secure areas. Transportation from Diamond to Redrock is also via secure courier.
We may also share your personal details with third parties:
We are taking steps to ensure that all third-party service providers are required to take appropriate security measures to protect your information in line with our policies. We will limit third-party service providers' use of your personal data for their own purposes and will be clear with them as to the specified purposes for which they are authorised to process your personal data.
Where information is shared with third parties, we will seek to share the minimum amount necessary. For example, we may share only your employee number and not your name (pseudonymisation) or we will anonymise it where practical.
There may be occasions when we transfer your personal data outside the EEA, for example, if we communicate with you using a cloud based service provider that operates outside the EEA, or if we seek a reference from a person outside the EEA. Such transfers will only take place if one of the following applies:
It is important to note that we may display your name and/or email address, telephone number and limited employment history information on our website, which may be accessible to internet users, including those in countries outside the EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We are putting in place procedures that deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
It is important that the personal data we hold about you is accurate and current.
Under certain circumstances, by law you have the right to:
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact HR in writing.
If you would like a copy of the personal data that Diamond holds about you or if you are a Diamond employee and you receive such a request from an individual, please send the request to email@example.com with the words "Subject Access Request" in the subject line and include specific details of the data requested. Please keep in mind that Diamond has a maximum of 30 days to respond.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact HR. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
This notice should be read in conjunction with any related privacy notices that Diamond may bring to your attention.
At Diamond we understand that there are differences amongst our employees in terms of the protected characteristics contained within the Equality Act 2010 (i.e. age, disability, gender reassignment, marriage & civil partnerships, pregnancy & maternity, race, religion or belief, sex (gender) and/or sexual orientation). We therefore aim to deliver policies, documents and services which are efficient and effective, accessible to all, and which meet our employees’ different needs. If you need any help to understand this document or require any appropriate support please contact HR.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
Date last revised: 25 May 2018
Diamond Light Source is the UK's national synchrotron science facility, located at the Harwell Science and Innovation Campus in Oxfordshire.
Copyright © 2020 Diamond Light Source