Employee Privacy Notice

As your employer, Kitson & Trotman LLP (Kitson & Trotman) is aware of its obligations under the Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR), and takes your privacy very seriously. We are committed to collecting only the minimum information necessary and processing1 it securely. We want you to know and be in control of how and why your personal information is used by us. If you have any queries or would like further information, just ask. Please note we are not responsible for any third parties with whom your data is shared e.g. HMRC, although you may receive a similar privacy notice from such third parties which will provide similar information.

This particular Privacy Notice tells you, in general terms, how and why we process your personal information as our employee. It also tells you your Data Protection Rights and how you can exercise them. This privacy notice deals with personal information held about current and former employees, workers and self-employed contractors and also to prospective employees etc. to the extent that the matters listed are relevant.

As well as collecting personal information from you, we may receive such information from another party, such as a reference from a former employer. Where it is lawful, appropriate, practicable, and proportionate to do so, we will make you aware that such information has been provided (unless you are already aware of this fact) and give you the relevant details, including the source. If you provide us with personal information about another person, in some cases, we may have to tell them we hold this information and provide them with a Privacy Notice too. Please let us know, at the time, if informing them in this way is likely to cause you any problems or difficulties.

In relation to your personal data as an employee, we will:

If you want more specific information about how your personal data has been processed including with whom it has been shared, then please let us know using the contact details below. Our full privacy notice will be on our website which can be found at https://kitsonandtrotman.co.uk or https://ktlaw.co.uk.

1: 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

1. Our Contact Details for Data Protection Matters

Kitson & Trotman is the Controller, under data protection law, for all the personal information about you that it processes, unless otherwise stated. Data protection and privacy matters are handled by our Compliance Officer for Legal Practice (COLP) and for day to day matters by the Compliance Lead; both of whom can be contacted in the following ways:

2. Types of data we process:

We may hold many types of data about you, as one of our employees, including:

3. How we collect employee data:

We collect data about our employees in a variety of ways and this will start, usually, when we undertake a recruitment exercise where we would collect data from you as an applicant, directly. This information could include, for example, an application form or CV with perhaps a covering letter; or notes made by the interview panel during a recruitment interview.

Further information would be collected from you, directly, if appointed, at the start of your employment when you might be asked to complete ‘starter forms’, for example, giving bank details, referees and, perhaps, next of kin details. Other information may be collected directly from you in the form of official documentation such as driving licence, passport, or other right to work evidence.

In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.

Personal data is kept in personnel files or within the Firm’s HR and IT systems.

If you were unsuccessful, we might keep your information on file for a while in case another opportunity arose for which we thought you might be suitable, otherwise please see our retention section.

4. Why we process employee data:

The law on data protection allows us to process your data for certain reasons only:

Generally, we will rely on the first three reasons set out above to process your personal data as an employee (or prospective/former employee).

For example, we need to collect your personal data to ensure you are paid; that the correct amount of tax and National insurance is deducted and that the correct pension contributions are made; we need your personal data to carry out legal checks in relation to your rights to work hinder; to make reasonable adjustments to enhance your ability to work effectively if you have a disability; to be able to take action to support you if you are struggling to meet the required standard, and to keep records of such meetings etc.

We also collect data so that we can carry out activities which are in the legitimate interests of the firm. We have set these out below but the list is not exhaustive:

5. Special categories of data

These types of data need special care. Special categories of data are data relating to an employee’s:

Where we process such data, we must process it in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:

We will use special category data also:

We do not need your consent if we use your special category personal data to carry out our legal obligations or exercise specific rights under employment law. We may ask for your consent, however, to allow us to process certain particularly sensitive data, particularly if there is no other legal basis which would allow us to do so. If we do need your consent, we will make you aware, fully, of the reasons for the requested processing and why it is so necessary so you can make an informed decision.

As with all cases of seeking consent, you will have full control over your decision to give or withhold consent. Consent, once given, may be withdrawn at any time by letting us know There will be no consequences where consent is withdrawn however actions taken before the consent was withdrawn will stand but we will take reasonable steps to minimise the impact once we have been made aware of your decision e.g. if a disabled employee had agreed to their picture being used on leaflets to show that we employ people with disabilities but then withdrew their consent, we would not have to gather back all the leaflets despatched but would not order any more to be printed.

6. Criminal conviction data:

We will only process criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however may also be collected during employment too.

7. If you do not provide your data to us:

We will tell you if providing some personal data is optional including if we need your consent to use it. Where the legal basis for processing your personal information is, solely, your consent then, as explained above, you may withdraw that consent at any time by letting us know. Where providing personal information is a statutory or contractual requirement, or essential to progress the matter in hand, then, we will explain the consequence of failing to provide the information requested, so you can make an informed decision. Please note that any actions we may have taken before your consent was withdrawn will remain valid.

One of the reasons for processing data is to allow us to carry out our duties in line with our contract of employment with you. If you do not provide us with the data needed to do this, we will be unable to perform those duties e.g. ensuring you are paid correctly.

We may also be prevented from confirming, or continuing with, your employment with us, if you do not give us the personal information we are required to collect by law, e.g.to confirm your rights to work in the UK or, where appropriate, to confirm your legal status for carrying out a particular role via a criminal records check or a check with the relevant professional body etc.

8. Sharing your personal data

Your information may be shared, internally, with colleagues within the firm where it is necessary for them to undertake their duties. This sharing includes, for example, with your supervisor so they can manage your employment.

We share data with third parties in order to obtain references as part of the recruitment process, process payroll, receive specific HR advice and support, process pensions and gather medical information as part of a medical referral. Third parties who process data on our behalf include The People’s Pension who administer the pension scheme, external HR consultants to provide HR advice and support and any occupational health provider to provide medical information required for a referral case.

We may also share data with third parties as part of a company sale or restructure, or for other reasons to comply with a legal obligation upon us.

Where we use another service provider to provide services to us, e.g. IT or internet providers and that involves the processing of your personal data, we take reasonable steps to ensure that such data is processed in line with the relevant law; and, where necessary, is subject to a legal agreement containing suitable security measures.

We may also share personal data about you with inspectors, assessors, auditors, accountants etc. who need to view files and documents (usually on a random basis) as part of the quality and regulatory checks necessary to ensure good governance and for the firm to gain or retain quality or other assurance certification e.g. Lexcel (the Law Society’s quality assurance scheme). These processes help ensure we provide a quality service from the firm and that any anomalies, deficiencies or errors are picked up and resolved.

9. Protecting data:

We use reasonable and proportionate measures to safeguard your personal information such as raising staff awareness to the risks of holding data/information and encryption of the information where appropriate. You should be aware, however, that the use of the Internet e.g. via email or a website, is not secure and, for this reason, although we take reasonable steps to protect the information we send you, we cannot guarantee its security.

In line with good practice, we back up the data that we hold electronically, to prevent its inadvertent loss e.g. through a power outage during thunder storms. The store is ‘in the cloud’ however the ‘cloud’ is based in the European Economic Area (EEA) and conforms to the required security standards or otherwise meets EU adequacy requirements.

In addition, we have implemented processes to guard against data breaches, including:

Where we share data with third parties, we provide written instructions to them to ensure that data is held securely and in line with data protection requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of data too.

10. Marketing

We do not market to staff unless you are or become our client too, in which case, please see the privacy notice, relating to the type of matter in which you are or have instructed us for details of our marketing approach.

If we did decide to start any marketing programme which included staff, we would ask you to ‘opt into’ such a programme before sending you any of the details and would then send any such material to your work email, rather than your home one, unless you asked us to do otherwise. You would be free to ask us to stop at any time.

11. Overseas Transfers

In the normal course of business, we do not transfer your personal data overseas unless it is at your request; it is necessary to carry out a legitimate business requirement; if we need to use experts or lawyers in other countries; where the internet or other IT service provider e.g. Microsoft is based or stores information overseas, and is reasonable in the circumstances. We take reasonable care to ensure that such transfers are secure. Where we become aware that any information has been or is to be transferred overseas, other than as is set out above, we will inform you and give you more details of the security measures in place to protect it, provided it is lawful and proportionate to do so.

12. Retention of your Personal Data

In line with data protection principles, we only keep data for as long as we need it, which will be at least for the duration of employment with us and up to 6 years afterwards you leave our employment, depending upon the likelihood of issues arising which justify a longer retention period.

Personal data relating to prospective but unsuccessful candidates will be kept for 2 years unless they ask us to destroy it sooner and always assuming we do not need to retain it for some other legitimate reason such as their request in case another opportunity might arise.

13. Your Data Protection Rights

Your rights in law are listed below. Please let us know - see section 1 above - if you want more information or if you wish to exercise any of your rights. Please note that not all the rights apply in all circumstances.

Where you have provided consent to us using your personal data, you have the unrestricted right to withdraw that consent at any time too (see above for more details of how to do so and its limits).

14. Complaints about how we handle your information

We do hope you are happy in your employment with us but if you are unhappy, about any aspect of your employment, please let us know, first, so we have a chance to investigate and put things right. Richard King is the partner who handles HR matters but you may contact any of the partners if you prefer.

If you believe that we have breached your privacy rights, please tell us by contacting Jason Hodnett or the Compliance Lead as soon as possible, with the details, so we can take steps to investigate and deal with the matter.

The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you are not happy with our response, you can contact the ICO to complain and their details can be found at www.ico.org.uk or ask us.

15. Changes to this privacy notice

We will amend this privacy notice from time to time to make sure it is up to date and accurately reflects how and why we use your personal information. Please let us know if you have any queries or spot any mistakes.

The Champions
Beaminster, Dorset DT8 3AN
Mon-Thurs 9am - 5:30pm / Fri 9am - 5pm
t: 01308 862313
f: 01308 862033
e: beaminster@ktlaw.co.uk
9 Chancery Lane
Bridport, Dorset DT6 3PX
Mon-Thurs 9am - 5:30pm / Fri 9am - 5pm
t: 01308 427436
f: 01308 420335
e: bridport@ktlaw.co.uk
57/58 Broad Street
Lyme Regis, Dorset DT7 3QF
Mon-Thurs 9am - 5:30pm / Fri 9am - 5pm
t: 01297 442580
f: 01297 444810
e: lymeregis@ktlaw.co.uk
5 St Albans Chambers
St Alban Street, Weymouth, Dorset DT4 8PY
Mon-Thurs 9am - 5:30pm / Fri 9am - 5pm
t: 01305 341400
f: 01305 767644
e: s.jones@ktlaw.co.uk / jjudkins@ktlaw.co.uk

Authorised and regulated by the Solicitors Regulation Authority (SRA number 634822)
Kitson & Trotman Est. 1756