Human Resources Privacy Notice

We collect and process personal information about you as far as necessary when you apply for an employment role at the organisation, and to manage the terms of your employment agreement and to comply with legal obligations to which we are subject. This includes: 

• the information that you provided to us during the recruitment process, including your CV, application form, disclosure form, work history, education, degrees, academic records, languages and qualifications, references and any professional licenses, memberships, or certifications. 
• your basic contact information, including your name, address, telephone numbers (home, mobile, work), email address, citizenship/nationality and date and of birth.
• your government issued identifiers subject to the conditions of applicable law, such as your national ID details, tax identification number, social security or national insurance number, passport number.
• your bank and financial details for salary/payroll purposes, such as your salary, other remuneration, your IBAN number or bank account number, bank name and details. 
• information about your job and position, including the employee identification number, job title and description, department and manager, reporting lines, work location, cost centre, business unit or group, work status such as full time or part time, working hours, probation period if applicable, and employment contract terms. 
• information for use of company network and devices if applicable, such as username, password, contact details, work telephone number and device data (computer, telephone, tablet ID number). 
• information about your working hours and leave entitlements, including attendance, holiday/vacation, leaves or absences, travel and mobility.
• economic and financial information for compensation and benefits, including your banking and account details for remuneration and compensation, information on raises and bonuses, your benefits package and information and details associated with pensions or insurance programs that may be offered as part of your employment.
• information related to your work evaluations and performance, including regular evaluation details, reviews and feedback, details about performance plans, and information associated with professional development such as training (both internal and external), courses, seminars and conferences, and succession planning information.
• information collected for travel and expense purposes, such as credit card, bank details (account number, IBAN, etc.), booking and itinerary details, passport information (number, expiration, issuing authority, etc.) and visa and immigration information, and travel preferences. 

We rely on contractual obligation to process your personal information as an employee, and legitimate interest to process any information relating to job applicants, trustees or volunteers.  

Throughout your employment or engagement, we also may be required to collect special category data to comply with our legal requirements in the field of employment.  

We will use your information relating to leaves of absence which may include sickness absence or family related leaves, to comply with employment and other laws. 

We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits. 

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.  In limited circumstances we may approach you for your written consent to allow us to process certain particularly special category data.  If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.  You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us. 

We may also collect special categories of information for equal opportunities monitoring. 

It is important that the personal information we hold about you is accurate and current. Please note that you are required to keep us informed if your personal information changes during your employment with us. Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.
• Request the transfer of your personal information to another party.

If you would like to exercise any of these rights, please contact Data Protection Officer in writing. 

Central YMCA relies on third-party service providers and vendors that provide products and services; your Personal Data will be disclosed to these third parties only where necessary for the purpose of achieving the objectives outlined in this privacy notice. These include accountants, law firms and legal service providers, tax or financial professionals, payroll and benefits providers, pension and insurance companies, human resources specialists, consultants, contractors, IT support and storage providers. 

Sometimes we may be required to share your personal information with third parties in order to meet our lawful obligations, for example, certain public authorities and law enforcement agencies. 

Our third-party service providers may have access to your personal information to perform certain functions or may host your personal information as part of a “cloud based” solution used by employees. Central YMCA uses third-party service providers that ensure sufficient guarantees for the protection of your Personal Data. All suppliers are to undergo a supplier risk assessment. Central YMCA requires third-party service providers by contract to implement appropriate data security and confidentiality obligations, in accordance with applicable law.  

Whilst we retain ultimate responsibility for the protection of your Personal Data, we have comprehensive data processing agreements in place with each of these third-party service providers imposing obligations to maintain the security of your data in line with legislative requirements. Where a processor fails to fulfil its data protection obligations, in most circumstances we remain responsible to you for the performance of those obligations. 

Our third-party providers may change over time, but we will notify you in the event of any change. If you would like further details, or to object to us sharing your data for these purposes, please notify us at data.protection@ymca.co.uk  and we will provide you with detailed information and respond to your request. 

We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions. 

Law enforcement 

Under certain circumstances, we may be required to disclose personal in response to valid requests by public authorities, including to meet national security or law enforcement requirements. 

Data Protection Laws prohibits the transfer of Personal Data belonging to UK and European Union (EU) residents outside of the UK/European Economic Area (EEA), unless there are appropriate safeguards in place to guarantee the security of that data. 

Where we use third-party service providers outside of the UK, EEA or Switzerland, we ensure that these organisations provide sufficient guarantees to implement appropriate technical and organisational measures for the protection of Personal Data. Where necessary, we require that any such third-party service providers execute the relevant Standard Contractual Clauses or adhere to any certification procedures issued by the Commissioner for transfer of personal data to a third country. Where a third-party service provider fails to fulfil its data protection obligations, in most circumstances we remain responsible to you for the performance of those obligations. 

If you require further information about these protective measures, you can request it from data.protection@ymca.co.uk  

We have put in place appropriate security measures to prevent your personal information from being accidently lost, used or accessed in an unauthorised way, altered or disclosed.  In addition, we limit access to your personal information to those employees, agents, contractors and other suppliers who have a business need to know.  They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. 

We have procedures to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

We also implement access controls to ensure that access to Personal Data is limited to Company Personnel who need to have access to perform their duties.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.   

Details of retention periods for different aspects of your personal information are available in our retention policy.   

To determine the appropriate retention period for Personal Data we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

This Employee Privacy Notice is reviewed annually, taking into account changes to legal, regulatory or contractual requirements, changes in working practice or structure to the business. 

Changes to the Privacy Notice may be as a direct result of inputs from audits, security incidents, risk assessments, improvement actions and new objectives that may have been set by Central YMCA management. 

Any suggestions on how to improve the Privacy Notice can be sent to Data Protection Officer on data.protection@ymca.co.uk