Privacy Policy
Privacy Notice – Staff and Potential Staff
Under Articles 13 and 14 of the General Data Protection Regulations organisations are required to provide people with information about the intended purposes for
processing personal data and the lawful basis, or bases, for the processing.
General:
Overview of the Group's data controlling and processing activities in relation to all data subjects.
Who are Data Controllers and Data processors?
To be able to protect your data we must have control systems in place to ensure this happens and we must register as a data controller with the independent governing
authority - The Information Commissioner’s Office.
The Data Controllers with ICO registration numbers are:
• Aspirations Care Ltd Z8717214
• Aspirations (Midlands) Ltd ZA791850
• New Start Supported Housing Ltd. ZA245627
The contact details are:
Controller’s representative,
Laura Davies, Director of Quality
Email: Laura.davies@aspirationscare.com
(Aspirations Care Ltd, Aspirations (Midlands) Ltd and New Start Supported Housing Ltd are not required to appoint a Data Protection Officer).
In most cases we would be considered the controller; however, data protection legislation also refers to data processors. In relation to personal data, this means
any person (other than an employee of the data controller) who processes the data on behalf of the data controller. “Processing”, in relation to information or data,
means obtaining, recording or holding the information or data.
There are three main processing areas whereby data would be processed by companies other than ourselves. This is because we outsource three main functions,
please see below:
• Our payroll is outsourced to Hazelwood’s Accountants (payroll services) and as such they process elements of employees’ data relating to pay, such as
bank details, N.I numbers, e-mail addresses.
• Our IT support function is external, through a partner called Wood ITC. They oversee the management of secure
servers and data back-up systems, e-mails, computer account controls, the provision of hardware and software systems. This would include processing
basic data in terms of names, work e-mails, set up and security of servers and remote IT support to resolve any individual technical issues. They also
securely destroy any hardware and electronic systems such as laptops, desktops and hard drives.
• Archiving and hard copy destruction is undertaken through Crown Records Management. Therefore, at any given time they may hold archived documents
for the following categories of people, for the length of our published retention schedules as set out within our GDPR compliant Confidentiality and Data
Protection policy. These archived records may relate to the following groups:
o Contractors/Suppliers
o Deputies / Attorneys / Appointees
o Employees
o Landlords
o Service user
o Successful candidates
o Unsuccessful candidates
o Past employees
Crown premises are secured CCTV controlled locations with strict ID, authorisation and sign in processes. Archived data is stored within logged barcoded boxes and
destroyed on site when retention limits have been reached and authorised by us. Destruction of day to day paper waste holding data is undertaken under licence at
office sites. It is done by a company called ‘Printwaste’. Locked data boxes, containing hardcopy print waste are emptied straight to a lorry where they are
shredded there and then and a certificate of destruction issued. These processing and support functions are undertaken under contract and Data
Processing Agreements, to ensure that any data shared for processing is done so securely, legally and protected.
General Data Protection Regulations (GDPR)
The General Data Protection Regulations came into force on the 25 May 2018. It is important to know that the GDPR is legislation created by the European Parliament;
however, it affects all member states of the EU. In the simplest terms it aims to create consistency within the EU in regards to how data is managed, controlled and
processed internally and across borders, by each member state’s existing Information Commissioning Authorities. In the UK it is the ICO - The Information
Commissioner’s Office. This is an independent authority that currently ensures organisations uphold the existing UK Data Protection Legislation.
How does the GDPR sit within UK law?
The GDPR doesn’t supersede the current UK Data Protection Acts; however, what it does require is that the member states’ legislation is also adapted to comply with the
GDPR. As a result the Data Protection Act 2018 added to the UK’s existing legislation in order to comply. Its main provisions commenced on 25 May 2018. The
new act aimed to modernise data protection laws to ensure they are effective in the years to come. Since the GDPR gives member states limited opportunities to make
provisions for how it applies in their country, it is therefore important that the
GDPR and the Act are read side by side and policies reflect this.
The Data Protection Act also contains a section dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies
GDPR standards but it has been amended to adjust those that would not work in the national context; but largely we cannot pick and choose the parts of the GDPR we
want.
The General Data Protection Regulations provide the following rights for individuals:
3.1.1 The right to be informed
Aspirations must provide “fair processing information” and be transparent over how we use your data.
3.1.2 The right of access
Under GDPR individuals have the right to obtain:
confirmation that their data is being processed;
access to their personal data; and
other supplementary information (generally the information contained in a privacy notice).
3.1.3 The right to rectification
If personal data held is inaccurate or incomplete, individuals have the right to have it rectified. This must be done within one month; this can be extended to
two months if the request for rectification is complex. If inaccurate or incomplete data has been shared with third parties, Aspirations must contact
those third parties to inform them of the rectification; if requested, Aspirations must also tell the individual who they have shared inaccurate or incomplete
information with.
3.1.4 The right to erasure
This is also known as “the right to be forgotten”. An individual has the right to request that personal data is deleted or removed in specific circumstances.
Those circumstances might include:
where the personal data is no longer necessary in relation to the purpose for which it was originally collected / processed
when the individual withdraws consent
when the individual objects to the processing and there is no overriding legitimate interest for continuing with processing
the personal data was unlawfully processed and was in breach of GDPR
the personal data has to be erased in order to comply with a legal obligation
the personal data is processed in relation to the offer of information society services to a child.
Aspirations can refuse to comply with a request for erasure for the following reasons:
to exercise the right of freedom of expression and information
to comply with a legal obligation for the performance of a public interest task or exercise of official authority
for public health purposes in the public interest
archiving purposes in the public interest, scientific research, historical research or statistical purposes or
the exercise or defence of legal claims.
If data, which is later deleted, has been shared with third parties, Aspirations
must contact those third parties to inform them of the erasure; if requested,
Aspirations must also tell the individual who they have shared information with that it was later erased.
3.1.5 The right to restrict processing
Individuals have the right to “block” or suppress processing of personal data.
When processing is restricted, Aspirations can continue to store the personal data but not process it any further. Aspirations will retain just enough
information about the individual to ensure that the restriction is respected in future.
Aspirations will restrict the processing of personal data in the following circumstances:
where an individual has contested the accuracy of the personal data we will restrict processing until the accuracy has been verified
where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests)
and Aspirations are considering whether its legitimate grounds override those of the individual
where processing is unlawful and the individual opposes erasure and requests restriction instead
where Aspirations no longer needs the data but the individual requires the data to establish, exercise or defend a legal claim.
If data, which is later restricted, has been shared with third parties, Aspirations must contact those third parties to inform them of the restriction; if requested,
Aspirations must also tell the individual who they have shared information, that was later restricted, with.
3.1.6 The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. The right to
data portability only applies:
to personal data an individual has provided to a controller
where the processing is based on the individual’s consent or for the performance of a contract and
when processing is carried out by automated means.
3.1.7 The right to object
Individuals have the right to object on “grounds relating to his or her particular situation” to:
processing based on legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling)
direct marketing (including profiling) and
processing for purposes of scientific / historical research and statistics.
Aspirations will stop processing personal data unless:
we can demonstrate compelling legitimate grounds for the processing which overrides the interests, rights and freedoms of the individual or
the processing is for the establishment, exercise or defence of legal claims.
3.1.8 Rights in relation to automated decision-making and profiling
The GDPR has provisions on:
automated individual decision making (making a decision solely by automated means without any human involvement) and
profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making
process.
*Aspirations does not carry out either automated decision making or profiling.
However not all rights relate to all types of data
Data Protection principles
Under the General Data Protection Regulations, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that
personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals:
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes
for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the personal data will be processed purely for archiving purposes in the public interest, scientific or historical research or
statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and
freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Lawful basis for processing
Organisations must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is “better” or
more important than any other; the most appropriate basis will depend upon the purpose of the processing and Aspirations’ relationship with the individual.
Organisations need to determine the lawful basis for processing in advance of processing and the basis needs to be documented; it is not possible to change to a
different lawful basis at a later date unless there is a good reason. It is possible that more than one basis applies to the processing and, where this is the case, it must be
clearly stated from the start. Aspirations’ Privacy Notice will include the lawful basis / bases for processing as well as the purposes of the processing.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is processed:
a) Consent: the individual has given clear consent for their personal data to be processed for a specific purpose
b) Contract: the processing is necessary for a contract Aspirations has with an individual or because the individual has asked Aspirations to take specific steps
before entering into a contract
c) Legal obligation: the processing is necessary to enable Aspirations to comply with the law (not including contractual obligations)
d) Vital interests: the processing is necessary to protect someone’s life
e) Public task: the processing is necessary to perform a task in the public interest or for official functions and the task or function has a clear basis in law
f) Legitimate interests: the processing is necessary for Aspirations’ legitimate interest or the legitimate interests of a third party unless there is a good reason to
In most cases, Aspirations will rely upon “Contract”, “Legal obligation”, “Vital Interest”, “Public Interest” and “Consent” as the lawful bases of processing. In a
limited number of cases Aspirations will rely upon “Legitimate Interest” as the basis of processing.
The purpose of processing is the employment of employees and in this case the
lawful bases of processing are Contract and Legal obligation. Personal data for these purposes may include:
o Name, contact details, date of birth, Next of kin details
o Medical information, bank details, NI number, Tax details, Attachment of Earnings
o Qualifications and training, salary details
o Sickness, Maternity, Paternity, Adoption and Annual Leave
o Supervisions, Appraisals and Disciplinary matters
o Accidents and Incidents
o Gender, marital or civil partner status, nationality, ethnic or national origin, disability
o Criminal offences and convictions
This list is indicative and not exhaustive
• Personal data may be shared between Group companies, our outsourced IT, payroll, archiving partners and law enforcement/government authorities
• Personal data is not transferred to third countries
• Personal data is not used or shared for marketing purposes; in the event that Aspirations wishes to feature a member of staff in marketing or publicity
material an explicit, specific consent form will be obtained
• Personal data will be retained for a minimum of 6 years following termination of the employer / employee relationship; retention schedules are available
on request
• If you are not appointed to the role for which you have applied personal data will be retained for a minimum of 6 months after you are advised of the outcome
Special category data is collected under Schedule 1, Part 1, 1 – Employment
If organisations process sensitive personal data, such as ethnicity or details of a disability – known as special category data – an additional basis for processing must
be identified under Article 9. These are:
a) explicit consent by the data subject
b) obligations of the controller under employment, social security or social protection law
c) to protect the vital interest of the data subject or another person where the data subject is unable to give consent
d) by foundations, associations or not for profit bodies where processing relates solely to members or former members and data is not disclosed outside that body
without the subject’s consent
e) where the data has been made public by the data subject
f) where processing is to establish, exercise or defend legal claims
g) where processing is necessary for reasons of public interest and has the basis in law of the EU or member state
h) for preventative or occupational medicine, provision of health or social care or treatment or the management of health or social care systems and has the basis in
law of the EU or member state
i) in the interest of public interest in public health, quality and safety of health care and medicinal products or devices and has the basis in law of the EU or member
state
j) for archiving purposes in the public interest, scientific research purpose, historical research purposes or statistical purposes and has the basis in law of the EU or
member state
In most cases, Aspirations will rely upon “obligations of the controller under employment, social security or social protection law” when processing this data
relating to both employees and prospective employees and “for preventative or occupational medicine, provision of health or social care or treatment or the
management of health or social care systems and has the basis in law of the EU or member state” when processing this data for Service Users.
Criminal Offences and Conviction data
If organisations process criminal conviction data or data about offences, it is necessary to identify both a lawful basis for general processing and an additional
condition for this processing under Schedule 1, Part 3 of the Data Protection Bill.
1. Processing with the consent of the data subject.
2. Protecting individual’s vital interests
3. Processing by not-for-profit bodies
4. Personal data in the public domain
5. Legal claims
6. Judicial acts
7. Administration of accounts used in commission of indecency offences involving children
8. Extension of certain conditions under Schedule 1, Part 2
9. Extension of insurance conditions
• In most cases, Aspirations will rely upon “Protecting individual’s vital interests” when processing this data relating to employees, prospective employees and
Service Users.
• You have the right to lodge a complaint with The Information Commissioner’s Office. Their contact details are:
Address: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Fax: 01625 524 510
website: www.ico.org.uk
• Your personal data originates from yourself, as the employee, internal sources, related to your employment, and government authorities. Data is not
obtained from publicly available sources
• Provision of your personal data is a contractual requirement and is mandatory. Failure to provide the personal data would mean your employment could not commence or continue
Changes to personal data advised by government authorities will be advised to you