Dated: March 2020
TrueLayer Limited (“TrueLayer”, “we” or “us”) is committed to protecting the privacy and security of your personal data. References to your “personal data” will, as the context requires, include “special categories of personal data”, which involves more sensitive information about you.
This privacy notice describes how we are or will be processing personal data about you during and after your working relationship with us. “Processing” covers such actions as collecting, using, storing, disclosing, erasing or destroying your personal data.
This notice applies to all employees, workers and contractors. It does not form part of any contract of employment or other contract to provide services.
Identity and contact details of the data controller and the data protection manager
TrueLayer is a “data controller”. This means that we are responsible for deciding how we process personal data about you.
We have appointed a data protection manager (“DPM”) whose contact details are as follows: Shefali Roy, firstname.lastname@example.org.
The DPM is responsible for overseeing compliance with this privacy notice and for handling any data protection queries or issues involving TrueLayer.
What type of personal data do we process about you?
We may process the following categories of personal data about you:
- If you require a visa to work for TrueLayer, we or our appointed representatives may be legally required to obtain a great deal of information about you, about which you will be notified separately.
- Copies of right to work verification details, including passport details and work permits provided by you to us.
- Other recruitment information (including third party references and other information held on your CV or cover sheet).
- Previous employment history, including education background information.
- Personal contact details such as name, title, address, telephone numbers, and personal email address.
- Your date of birth, gender, marital status and details of dependants.
- Next of kin and emergency contact information.
- Your bank account details, payroll records, tax status information and your National Insurance number.
- Salary, annual leave, pension and benefits information.
- Copy of your driving licence.
- Current employment records (including job titles, work history, working hours, place of work, start date, training records, qualifications and professional memberships and professional body membership numbers).
- History of pay, bonus, LTIP information, student loan information, other benefits.
- Details of performance and appraisals and where applicable, disciplinary and grievance information.
- CCTV footage and other information obtained through electronic means such as swipecard records.
- Information about your use of our information and communications systems.
- Photographs and biographies.
- Reason for leaving and confidential references provided by us, alongside information required in order to provide reference information.
- Details of any payments made on termination.
We may also process the following “special categories” of more sensitive personal data:
- Information about your race or ethnicity, religious beliefs and sexual orientation.
- Information about your health, including any medical condition, health and sickness records.
- Information about criminal convictions and offences including CRB Check information.
- Information about political party membership or political affiliations.
- Information about your trade union membership or that of a companion at a disciplinary/grievance meeting.
How do we collect your personal data?
We typically collect personal data about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency. We may sometimes collect additional information from third parties including former employers (in the form of references). There are a multitude of forms that you may, during the course of your employment, complete and on which you provide personal data, and these forms are collected and processed by the HR team.
We will collect additional personal data in the course of job-related activities throughout the period of your working for us. For instance, if you complete an Equality and Diversity Monitoring form, this will reveal certain information about your race or ethnicity, whether you consider yourself to be disabled, your sexual orientation, your religion and belief, and your gender.
What are the legal bases and the purposes for which we process your personal data?
We will only use your personal data as permitted by law. We will typically use your personal data in any of the following circumstances:
- Where we have your consent to do so.
- Where we need to perform our obligations under the employment contract we have entered into with you.
- Where we need to comply with a legal obligation.
- Where the processing is necessary to perform a task in the public interest.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. We are required to specify what the legitimate interests are (see below for further details).
The examples given below do not form an exhaustive list of purposes for which your personal data will be processed, and we reserve the right to add to them at any time.
Where we have your consent
The following purposes come under this category:
- Profile Photographs of you on internal facing and external facing systems (e.g. on the Company Website).
- Biographies of you on external facing systems (e.g. on the Company Website).
Use of your personal data in this way for these purposes is entirely voluntary and you can withdraw your consent at any time.
Necessary for the performance of a contract with you
The following purposes come under this category:
- Ensuring you are paid and that you have the correct tax and NICs and any other appropriate deductions (season ticket loans, student loans, etc.) deducted from any payments.
- Management and planning, including accounting and auditing.
- Administering your contract (e.g. by reviewing your working hours to check holiday and rest break entitlement, checking your start date for eligibility for age-related benefits).
- Making decisions about salary and other payment reviews.
- Assessing your suitability for the role, including decisions about promotions or other role changes.
- Where applicable, providing you with benefits including holiday, pension (including liaising with your pension provider/administrator), private medical insurance (for yourself and/or family members, as applicable), life assurance and season ticket loans, where such benefits form part of your contract.
- Ensuring (as far as possible) that your wishes are met regarding death in service payments and that your next of kin are contacted in the event of an emergency (hence the need for third party information, usually comprising details of partners and/or dependants).
- For enabling you to apply for flexible working or other family rights (such as maternity, paternity, parental leave) – this requires details of your partner/dependants.
Necessary to comply with a legal obligation
The following purposes come under this category:
- Checking that you are legally entitled to work in the UK – this requires your nationality and immigration status and information from related documents, such as your passport, other identification such as your driving licence, and immigration documentation.
- Handling any legal disputes involving you or third parties, including accidents at work.
- To prevent fraud.
Necessary to perform a public interest task
- The completion of equality and diversity monitoring forms in order to redress diversity imbalance in the workplace.
Necessary for our legitimate interests or those of a third party
Compensation and Benefits:
- Provision of benefits that may not be deemed to be contractual, such as LTIP awards.
- The legitimate interest is to ensure you receive and we administer benefits which are not necessary for the performance of your contract.
Learning and Development:
- Personal data provided by you on training forms, book request forms, graduate forms, conference application forms, high performance forms, various study and exam booking forms, supplier forms – the legitimate interest is to ensure your continuing learning and development needs are addressed and documented.
- Personal data provided by you on new starter forms or temporary new starter forms, specifically your gender, mobile phone number and next of kin details – the legitimate interests are identity verification and reporting, and emergency contact/disaster recovery.
- Personal data provided by you on your CV and cover sheet – the legitimate interest is to ascertain your suitability for employment/engagement.
- Personal data obtained through our external background screening providers (which may include address history, employment history, education background, criminal records information (see below for more details) and credit history) – the legitimate interests are to verify the information provided by you on your CV, to verify the relevant qualifications/requirements for the role, to verify your employee declaration as necessary for compliance and as required by regulatory bodies, and to ensure that there are no issues with your credit history that could place unnecessary risks on TrueLayer or third parties.
- Personal data obtained in relation to grievance and disciplinary issues – the legitimate interest is to address issues and concerns from either side in the employment relationship.
- Personal data obtained in relation to performance and appraisal processes – the legitimate interest is to ensure your performance is assessed so that if there are improvements required they can be addressed and all levels of performance can be identified and, if appropriate, rewarded.
- Personal data obtained in relation to the monitoring of our IT systems – the legitimate interest is to ensure compliance with our IT policies and to ensure the integrity of our IT systems, to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
- Personal data obtained through CCTV – the legitimate interest is the protection of health and safety (including the identification of individuals on premises in the event of a fire or other serious incident) and the prevention and detection of criminal acts.
- Personal data obtained through swipecard technology – the legitimate interest is to ensure only authorised members of staff or authorised visitors are on site, thereby safeguarding systems and property from unauthorised access, destruction or theft. This information may also be used to provide evidence in relation to any issues regarding timekeeping and attendance.
- Reference information – it is our normal policy to provide only basic factual information about ex-employees (or departing employees) to prospective new employers. However, where we have legitimate concerns which, if not disclosed to a prospective new employer, could place TrueLayer in breach of its duty of care to that prospective new employer, such information as TrueLayer reasonably considers necessary will be disclosed in order to satisfy that duty.
If you fail to provide personal data
If you fail to provide certain information when requested, and we are unable to obtain it from a third party or publicly available source, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers). Depending on the nature and importance of the information requested, we may either have to cease employing or engaging you or withdraw an offer of employment or engagement.
How we use special categories of personal data
“Special categories” of personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We may process special categories of personal data in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations and in line with our data protection policy and related policies (such as managing sickness absence, complying with health and safety obligations).
- Where it is needed in the public interest, such as for equal opportunities monitoring (where such information is provided by you).
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
We may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We will use your special categories of personal data in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and the health and safety of others and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits. We may obtain information relating to your physical and mental health from medical and occupational health professionals we engage and from our insurance benefit administrators.
- We will use information about your race or national or ethnic origin, religious or other beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Information about criminal convictions
We may only use information relating to criminal convictions where the law allows us to do so.
We may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
With whom might we share your personal data?
We may have to share your data with third parties, including third-party service providers and any sub-contractors of those service providers. See below for further details.
We require third parties to respect the security of your data and to treat it in accordance with the law.
If we need to transfer your personal data outside the EU we will ensure that a lawful basis is used for doing so.
Why might we share your personal data with third parties?
We may share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We have indicated above some situations in which disclosure will be appropriate or necessary.
Which third-party service providers process my personal data?
“Third parties” includes third-party service providers (including contractors and sub-contractors), such as our pension provider, benefits providers (life assurance and private medical insurance providers), online external HR case management systems, and CRB and employee background check providers.
How secure is your information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes unless they are data controllers in their own right in relation to your personal data. Where they operate as our “data processors” (i.e. they process your personal data on our behalf, acting only on our instructions), we only permit them to process your personal data for specified purposes and in accordance with our instructions.
What about disclosure to other third parties?
We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of TrueLayer. We may also need to share your personal data with a regulator, to external legal or other professional advisers, or to otherwise comply with the law.
How long will we retain your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company, we will retain and then securely destroy your personal data in accordance with our retention policy.
What are your rights and obligations as a data subject?
Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.
Your rights in connection with personal data
Under certain circumstances, by law you have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data, but only where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact the DPM in writing.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive or should you need to request further copies of your data following a request. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
What are your rights to withdraw consent to processing?
You may withdraw your consent to allow us to continue processing your personal data, but only where consent was sought as a lawful means of processing your personal data.
In the limited circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the DPM. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
What are your rights to lodge a complaint about the way in which your personal data are being processed?
Firstly, we would urge you to contact the DPM in writing. If you are not satisfied with the DPM’s response, you may contact the Information Commissioner’s Office (“ICO”) on 0303 113 1113.
You are free to contact the ICO at any time. However, the DPM may be able to answer your concerns or questions more quickly.
Personal data received from someone other than you
If we obtain personal data from someone other than you (such as a referee, or information from a regulator), we will provide you with information as to the source of such personal data and, if applicable, whether it came from publicly available sources.
What data security measures are in place to protect my personal data?
We have put in place measures to protect the security of your information. Details of these measures are available upon request. Hard-copy employee, contractor and candidate personal data is held securely in locked cupboards within the HR department. Electronic data of this nature is held securely on our systems, and any special category data is password protected. You are also referred to TrueLayer’s Security Incident Policy and Procedure, which sets out the information security framework in operation at TrueLayer.
Third party data processors will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
If you have any questions about this privacy notice, please contact the DPM at email@example.com.