Employee Privacy Policy

Dated: 28 Apr 2022


TrueLayer Limited (“TrueLayer”, “we” or “us”) is committed to protecting the privacy and security of your personal data. References to your “personal data” will, as the context requires, include “special categories of personal data”, which involves more sensitive information about you.

This privacy notice describes how we are or will be processing personal data about you before, during and after your working relationship with us. “Processing” covers such actions as collecting, using, storing, disclosing, erasing or destroying your personal data.

This notice applies to all prospective employees, employees, workers and contractors. It does not form part of any contract of employment or other contract to provide services.

Identity and contact details of the data controller and the data protection officer

TrueLayer is a “data controller”. This means that we are responsible for deciding how we process personal data about you.

The contact details of TrueLayer are: www.truelayer.com, [email protected]

We have appointed a data protection officer (“DPO”) whose contact details are as follows: Tom Trundle-Martin, [email protected].

The DPO is responsible for overseeing compliance with this privacy notice and for handling any data protection queries or issues involving TrueLayer.

What type of personal data do we process about you?

We may process the following categories of personal data about you:
  • If you require a visa to work for TrueLayer, we or our appointed representatives may be legally required to obtain a great deal of information about you, about which you will be notified separately.
  • Copies of right to work verification details, including Passport details and work permits provided by you to us.
  • Other recruitment information (including third party references and other information held on CV or your cover sheet).
  • Previous employment history, including education background information.
  • Personal contact details such as name, title, address, telephone numbers, and personal email address.
  • Your date of birth, gender, marital status and details of dependants.
  • Next of kin and emergency contact information.
  • Your bank account details, payroll records, tax status information and your National Insurance number.
  • Salary, annual leave, pension and benefits information.
  • Copy of your driving licence.
  • Current employment records (including job titles, work history, working hours, place of work, start date, training records, qualifications and professional memberships and professional body membership numbers).
  • History of pay, bonus, LTIP information, student loan information, other benefits.
  • Details of performance and appraisals and where applicable, disciplinary and grievance information.
  • CCTV footage and other information obtained through electronic means such as swipecard records.
  • Information about your use of our information and communications systems.
  • Photographs and biographies.
  • Reason for leaving and confidential references provided by us, alongside information required in order to provide reference information.
  • Details of any payments made on termination.
We may also process the following “special categories” of more sensitive personal data:
  • Information about your race or ethnicity, religious beliefs and sexual orientation.
  • Information about your health, including any medical condition, health and sickness records.
  • Information about criminal convictions and offences including CRB Check information.
  • Information about political party membership or political affiliations.
  • Information about your trade union membership or that of a companion at a disciplinary/grievance meeting.

How do we collect your personal data?

We typically collect personal data about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency. We may sometimes collect additional information from third parties including former employers (in the form of references). There are a multitude of forms that you may, during the course of your employment, complete and on which you provide personal data, and these forms are collected and processed by the HR team.

We will collect additional personal data in the course of job-related activities throughout the period of your working for us. For instance, if you complete an Equality and Diversity Monitoring form, this will reveal certain information about your race or ethnicity, whether you consider yourself to be disabled, your sexual orientation, religion and belief and gender monitoring.

If you fail to provide personal data

If you fail to provide certain information when requested, and we are unable to obtain it from a third party or publicly available source, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers). Depending on the nature and importance of the information requested, we may either have to cease employing or engaging you or withdraw an offer of employment or engagement.

How we use special categories of personal data

"Special categories" of personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We may process special categories of personal data in the following circumstances:
  • In limited circumstances, with your explicit written consent.
  • Where we need to carry out our legal obligations and in line with our data protection policy and related policies (such as managing sickness absence, complying with health and safety obligations).
  • Where it is needed in the public interest, such as for equal opportunities monitoring (where such information is provided by you).
  • Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
We may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We will use your special categories of personal data in the following ways:
  • We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and the health and safety of others and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits. We may obtain information relating to your physical and mental health from medical and occupational health professionals we engage and from our insurance benefit administrators.
  • We will use information about your race or national or ethnic origin, religious or other beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so.

We may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

With whom might we share your personal data?

We may have to share your data with third parties, including third-party service providers and any sub-contractors of those service providers. See below for further details.

We require third parties to respect the security of your data and to treat it in accordance with the law. If they need to transfer your data outside the UK or EEA, we will ensure this is only upon our instruction and that it is protected in line with UK/EEA law.

If we need to transfer your personal data outside the EU we will ensure that a lawful basis is used for doing so.

Why might we share your personal data with third parties?

We may share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We have indicated above some situations in which disclosure will be appropriate or necessary.

Which third-party service providers process my personal data?

"Third parties" includes third-party service providers (including contractors and sub-contractors), including pension provider, benefits providers (life assurance, private medical insurance provider), online external HR case management systems, recruitment management systems, CRB and employee background check providers.

How secure is your information with third-party service providers?

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes unless they are data controllers in their own right in relation to your personal data. Where they operate as our “data processors” (i.e. they process your personal data on our behalf and acting only on our instructions), we only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about disclosure to other third parties?

We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of TrueLayer. We may also need to share your personal data with a regulator, to external legal or other professional advisers, or to otherwise comply with the law.

How long will we retain your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal data in accordance with our retention policy.

What are your rights and obligations as a data subject?

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.

Your rights in connection with personal data

Under certain circumstances, by law you have the right to:
  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data, but only where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party.
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact the DPO in writing.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive or should you need to request further copies of your data following a request. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

What are your rights to lodge a complaint about the way in which your personal data are being processed?

Firstly we would urge you to contact the DPO in writing. If you are not satisfied with the DPO’s response, you may contact the Information Commissioner’s Office (“ICO”) on 0303 113 1113.

You are free to contact the ICO at any time. However, the DPO may be able to answer your concerns or questions more quickly.

Personal data received from someone other than you

If we obtain personal data from someone other than you (such as a referee, or information from a regulator), we will provide you with information as to the source of such personal data and, if applicable, whether it came from publicly available sources.

What data security measures are in place to protect my personal data?

We have put in place measures to protect the security of your information. Details of these measures are available upon request. There are locked cupboards with employee/contractor/candidate personal data held securely within the HR department. Electronic data of this nature is held securely on our systems and any special category data is password protected. You are also referred to TrueLayer’s Security Incident Policy and Procedure which sets out the information security framework in operation at TrueLayer.

Third party data processors will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

If you have any questions about this privacy notice, please contact the DPO at [email protected]