As your employer, Kitson & Trotman LLP (Kitson & Trotman) is aware of its obligations under the Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR), and takes your privacy very seriously. We are committed to collecting only the minimum information necessary and processing[1] it securely. We want you to know and be in control of how and why your personal information is used by us. If you have any queries or would like further information, just ask. Please note we are not responsible for any third parties with whom your data is shared e.g. HMRC, although you may receive a similar privacy notice from such third parties which will provide similar information.
This particular Privacy Notice tells you, in general terms, how and why we process your personal information as our employee. It also tells you your Data Protection Rights and how you can exercise them. This privacy notice deals with personal information held about current and former employees, workers and self-employed contractors and also about prospective employees etc. to the extent that the matters listed are relevant.
As well as collecting personal information from you, we may receive such information from another party, such as a reference from a former employer. Where it is lawful, appropriate, practicable, and proportionate to do so, we will make you aware that such information has been provided (unless you are already aware of this fact) and give you the relevant details, including the source. If you provide us with personal information about another person, in some cases, we may have to tell them we hold this information and provide them with a Privacy Notice too. Please let us know, at the time, if informing them in this way is likely to cause you any problems or difficulties.
In relation to your personal data as an employee, we will:
- Process it fairly, lawfully and in a clear, transparent way;
- Collect data only for legitimate reasons and use it in ways that have been explained to you or about which you ought reasonably to be aware e.g. income tax and National Insurance requirements;
- Only use it in ways compatible with our employer/employee relationship;
- Ensure it is correct and up to date (always providing you inform us of any changes);
- Keep your employee personal data, in a form which allows identification, only for as long as we need it;
- Process it securely.
If you want more specific information about how your personal data has been processed including with whom it has been shared, then please let us know using the contact details below. Our full privacy notice will be on our website which can be found at https://kitsonandtrotman.co.uk or https://ktlaw.co.uk.
[1] 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1. Our Contact Details for Data Protection Matters
Kitson & Trotman is the Controller, under data protection law, for all the personal information about you that it processes, unless otherwise stated. Data protection and privacy matters are handled by our Compliance Officer for Legal Practice (COLP) and for day to day matters by the Compliance Lead; both of whom can be contacted in the following ways:
- By post at our Beaminster office: The Champions Beaminster Dorset DT8 3AN
- By telephone on 01308 862313;
- By e-mail at email@example.com;
- Using the website form on https://kitsonandtrotman.co.uk/ or https://ktlaw.co.uk
2. Types of data we process:
We may hold many types of data about you, as one of our employees, including:
- Personal details including name, address, date of birth, email address, phone numbers;
- Marital status;
- Dependants, next of kin and their contact details;
- Medical or health information including whether or not an employee has a disability;
- Information used for equal opportunities monitoring about sexual orientation, religion or belief and ethnic origin;
- Information included on employee CVs/application documents including references, education history and employment history and qualifications;
- Documentation relating to rights to work in the UK;
- Driving licence;
- Bank details;
- Tax codes;
- National Insurance number;
- Current and previous job titles, job descriptions, pay grades and pension entitlement, hours of work and other terms and conditions relating to your employment with us;
- Letters of concern, formal warnings and other documentation with regard to any disciplinary proceedings or capability procedures;
- Internal performance information including appraisal forms, measurements against targets, formal warnings and related documentation with regard to capability procedures;
- Leave records including annual leave, family leave, sickness absence etc.;
- Details of employee criminal records;
- Training details including certificates/qualifications gained;
- CCTV footage
3. How we collect employee data:
We collect data about our employees in a variety of ways and this will start, usually, when we undertake a recruitment exercise where we would collect data from you as an applicant, directly. This information could include, for example, an application form or CV with perhaps a covering letter; or notes made by the interview panel during a recruitment interview.
Further information would be collected from you, directly, if appointed, at the start of your employment when you might be asked to complete ‘starter forms’, for example, giving bank details, referees and, perhaps, next of kin details. Other information may be collected directly from you in the form of official documentation such as driving licence, passport, or other right to work evidence.
In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.
Personal data is kept in personnel files or within the Firm’s HR and IT systems.
If you were unsuccessful, we might keep your information on file for a while in case another opportunity arose for which we thought you might be suitable, otherwise please see our retention section.
4. Why we process employee data:
The law on data protection allows us to process your data for certain reasons only:
- to perform the employment contract to which we are a party;
- to carry out legally required duties, particularly those under employment law;
- for our legitimate interests as a law firm (although we have to take your rights and interests into account when we do so);
- to protect your vital interests and
- if it is in the public interest.
Generally, we will rely on the first three reasons set out above to process your personal data as an employee (or prospective/former employee).
For example, we need to collect your personal data to ensure you are paid; that the correct amount of tax and National Insurance is deducted and that the correct pension contributions are made; we need your personal data to carry out legal checks in relation to your rights to work; to make reasonable adjustments to enhance your ability to work effectively if you have a disability; to be able to take action to support you if you are struggling to meet the required standard, and to keep records of such meetings etc.
We also collect data so that we can carry out activities which are in the legitimate interests of the firm. We have set these out below but the list is not exhaustive:
- Making decisions about whom to appoint, and subsequent internal appointments, promotions etc.;
- Making decisions about salary and other benefits;
- Providing contractual benefits to you as one of our employees;
- Maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence and appropriate contact points in the event of an emergency;
- Effective monitoring of your conduct and performance and undertaking procedures with regard to both of these matters if the need arises;
- Offering a method of recourse for you against decisions made about you;
- Assessing your training needs and meeting such needs;
- Implementing an effective sickness absence management system including monitoring the amount of sick leave and any subsequent actions taken in response including the making of reasonable adjustments;
- Gaining expert medical opinion when making decisions about your fitness for work;
- Managing statutory leave and pay systems including gender specific ones such as maternity leave and pay;
- Facilitating business planning and restructuring exercises where necessary;
- Dealing with legal claims made against us;
- Preventing fraud and malpractice;
- Ensuring our administrative and IT systems are secure and robust against unauthorised access and that we have systems in place to protect the personal data we process
5. Special categories of data
These types of data need special care. Special categories of data are data relating to an employee’s:
- Sex life
- Sexual orientation
- Ethnic origin
- Political opinion
- Trade union membership
- Genetic and biometric data.
Where we process such data, we must process it in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:
- An employee has given explicit consent to the processing
- We must process the data in order to carry out our legal obligations as an employer
- We must process data for reasons of substantial public interest
- An employee has already made the data public
We will use special category data also:
- For the purposes of equal opportunities monitoring and to carry out any actions flowing from such results and our Equality and Diversity or Social Responsibility Policy
- In our sickness absence management procedures
- To determine reasonable adjustments e.g. in the case of disabilities
We do not need your consent if we use your special category personal data to carry out our legal obligations or exercise specific rights under employment law. We may ask for your consent, however, to allow us to process certain particularly sensitive data, particularly if there is no other legal basis which would allow us to do so. If we do need your consent, we will make you aware, fully, of the reasons for the requested processing and why it is so necessary so you can make an informed decision.
As with all cases of seeking consent, you will have full control over your decision to give or withhold consent. Consent, once given, may be withdrawn at any time by letting us know. There will be no consequences where consent is withdrawn; however, actions taken before the consent was withdrawn will stand, but we will take reasonable steps to minimise the impact once we have been made aware of your decision. For example, if a disabled employee had agreed to their picture being used on leaflets to show that we employ people with disabilities but then withdrew their consent, we would not have to gather back all the leaflets despatched but would not order any more to be printed.
6. Criminal conviction data:
We will only process criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage; however, it may also be collected during employment.
7. If you do not provide your data to us:
We will tell you if providing some personal data is optional including if we need your consent to use it. Where the legal basis for processing your personal information is, solely, your consent then, as explained above, you may withdraw that consent at any time by letting us know. Where providing personal information is a statutory or contractual requirement, or essential to progress the matter in hand, then, we will explain the consequence of failing to provide the information requested, so you can make an informed decision. Please note that any actions we may have taken before your consent was withdrawn will remain valid.
One of the reasons for processing data is to allow us to carry out our duties in line with our contract of employment with you. If you do not provide us with the data needed to do this, we will be unable to perform those duties e.g. ensuring you are paid correctly.
We may also be prevented from confirming, or continuing with, your employment with us, if you do not give us the personal information we are required to collect by law, e.g. to confirm your rights to work in the UK or, where appropriate, to confirm your legal status for carrying out a particular role via a criminal records check or a check with the relevant professional body etc.
8. Sharing your personal data
Your information may be shared, internally, with colleagues within the firm where it is necessary for them to undertake their duties. This sharing includes, for example, with your supervisor so they can manage your employment.
We share data with third parties in order to obtain references as part of the recruitment process, process payroll, receive specific HR advice and support, process pensions and gather medical information as part of a medical referral. Third parties who process data on our behalf include The People’s Pension who administer the pension scheme, external HR consultants to provide HR advice and support and any occupational health provider to provide medical information required for a referral case.
We may also share data with third parties as part of a company sale or restructure, or for other reasons to comply with a legal obligation upon us.
Where we use another service provider to provide services to us, e.g. IT or internet providers and that involves the processing of your personal data, we take reasonable steps to ensure that such data is processed in line with the relevant law; and, where necessary, is subject to a legal agreement containing suitable security measures.
We may also share personal data about you with inspectors, assessors, auditors, accountants etc. who need to view files and documents (usually on a random basis) as part of the quality and regulatory checks necessary to ensure good governance and for the firm to gain or retain quality or other assurance certification e.g. Lexcel (the Law Society’s quality assurance scheme). These processes help ensure we provide a quality service from the firm and that any anomalies, deficiencies or errors are picked up and resolved.
9. Protecting data:
We use reasonable and proportionate measures to safeguard your personal information such as raising staff awareness to the risks of holding data/information and encryption of the information where appropriate. You should be aware, however, that the use of the Internet e.g. via email or a website, is not secure and, for this reason, although we take reasonable steps to protect the information we send you, we cannot guarantee its security.
In line with good practice, we back up the data that we hold electronically, to prevent its inadvertent loss e.g. through a power outage during thunderstorms. The store is ‘in the cloud’; however, the ‘cloud’ is based in the European Economic Area (EEA) and conforms to the required security standards or otherwise meets EU adequacy requirements.
In addition, we have implemented processes to guard against data breaches, including:
- Secure passwords for accessing IT systems;
- Securing documentation in a lockable cabinet;
- Ensuring IT equipment has anti-virus software;
- Any personal information is shredded by a professional company;
- Obtaining cyber security certification for our IT systems;
- Training for all staff on data protection issues;
- Prompt and effective reporting and action to mitigate any breaches that do occur.
Where we share data with third parties, we provide written instructions to them to ensure that data is held securely and in line with data protection requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of data too.
We do not market to staff unless you are or become our client too, in which case, please see the privacy notice, relating to the type of matter in which you are or have instructed us for details of our marketing approach.
If we did decide to start any marketing programme which included staff, we would ask you to ‘opt into’ such a programme before sending you any of the details and would then send any such material to your work email, rather than your home one, unless you asked us to do otherwise. You would be free to ask us to stop at any time.
11. Overseas Transfers
In the normal course of business, we do not transfer your personal data overseas unless it is at your request; it is necessary to carry out a legitimate business requirement; if we need to use experts or lawyers in other countries; where the internet or other IT service provider e.g. Microsoft is based or stores information overseas, and is reasonable in the circumstances. We take reasonable care to ensure that such transfers are secure. Where we become aware that any information has been or is to be transferred overseas, other than as is set out above, we will inform you and give you more details of the security measures in place to protect it, provided it is lawful and proportionate to do so.
12. Retention of your Personal Data
In line with data protection principles, we only keep data for as long as we need it, which will be at least for the duration of employment with us and up to 6 years after you leave our employment, depending upon the likelihood of issues arising which justify a longer retention period.
Personal data relating to prospective but unsuccessful candidates will be kept for 2 years unless they ask us to destroy it sooner and always assuming we do not need to retain it for some other legitimate reason such as their request in case another opportunity might arise.
13. Your Data Protection Rights
Your rights in law are listed below. Please let us know - see section 1 above - if you want more information or if you wish to exercise any of your rights. Please note that not all the rights apply in all circumstances.
- The right to be informed about how we process your personal data. This right means that we must tell you how we use your data and this is the purpose of this privacy notice;
- The right to have your personal data corrected if it is inaccurate or completed if it is incomplete;
- The right to request access to your personal data and information about how we process it. You have the right to access the data that we hold about you. To do so, you should make a subject access request;
- The right to object to our processing of your data;
- The right to restrict how we process your personal data;
- The right to have your personal data erased (the “right to be forgotten”);
- The right to move, copy or transfer your personal information (“data portability”);
- Rights in relation to automated decision-making including profiling. N.B. We do not use automated decision-making nor do we profile our staff so this right will not be applicable;
- The right to lodge a complaint with the Information Commissioner who can investigate and deal with failures to follow the law’s requirements.
Where you have provided consent to us using your personal data, you have the unrestricted right to withdraw that consent at any time too (see above for more details of how to do so and its limits).
14. Complaints about how we handle your information
We do hope you are happy in your employment with us but if you are unhappy, about any aspect of your employment, please let us know, first, so we have a chance to investigate and put things right. Richard King is the partner who handles HR matters but you may contact any of the partners if you prefer.
If you believe that we have breached your privacy rights, please tell us by contacting Jason Hodnett or the Compliance Lead as soon as possible, with the details, so we can take steps to investigate and deal with the matter.
The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you are not happy with our response, you can contact the ICO to complain and their details can be found at www.ico.org.uk or ask us.
15. Changes to this privacy notice
We will amend this privacy notice from time to time to make sure it is up to date and accurately reflects how and why we use your personal information. Please let us know if you have any queries or spot any mistakes.