Colleague Privacy Statement

BMS Section 2 : Colleague Employment and Training CET 215/01



As your employer, the Company needs to keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of the Company and protect our legal position in the event of legal proceedings.

This Privacy Statement outlines how the company will manage the information that is provided by our colleagues within the requirements of the General Data Protection Requirements 2018.


Data sources

Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees or your GP.


Types of Data

The sort of information we hold includes;

From the recruitment process – your CV, application form and references, your contract of employment and any amendments to it;

Correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company or landlord confirming your salary;

Information needed for payroll, benefits and expenses purposes, for example bank details, home address;

Contact and emergency contact details;

Records of holiday, sickness and other absence;

Records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records;

Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes.


What is the legal basis for processing the information?

Information and documentation to establish your right to work is processed by us as we are legally obliged to do so.

We will process your personal data, including financial information, for the purpose of you entering into a contract to fulfil your role and to enable us to pay you.

In respect of medical information, this will be used in order to comply with our health and safety and occupational health obligations, including to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and company sick pay.


Sharing and Storing your Data

We will only disclose information about you to third parties if we are legally obliged to do so;

  • TrustID – for the purposes of meeting our obligation in regards to the Right to Work checks required for all colleagues.
  • HMRC – for tax purposes

or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll provider, pension or health insurance schemes.

Your personal data will be stored centrally on the secure, cloud based storage system Dropbox and in our company database Indicater.

Details of how long we will keep your data can be found in our Data Management Procedure BM126, and will vary dependent on the type of data.

If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.


Your rights

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data.

You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.

If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.

You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your personal data.


Identity and contact details data protection officer

If you have any concerns as to how your data is processed, if you wish to withdraw your consent for us to store your data or if you would like to request a change to your data you can contact:

Claire Huish, Data Protection Officer at

or you can write to the Data Protection Officer at the company registered office;

One Friar Street

Related Documents

BM 126 Data Management Procedure

at vel, Praesent ipsum elit. libero massa