1.0. PURPOSE
The purpose of this statement is to lay out the commitment of Atom Services Ltd (ATOM) to protecting the privacy and security of all personal information we hold. It’s very important to us to ensure the personal information provided to us is treated with the utmost respect and your data privacy rights are safeguarded, all in accordance with this GDPR Privacy Statement.
2.0. SCOPE
The Policy applies to all personal data held by ATOM. At this juncture it applies only to employees, training candidates and job applicants.
This GDPR Privacy Statement explains how personal information may be collected, what we do with the data, the measures we take to keep it secure as well as the rights and choices those affected have over their personal information. It applies to the personal data of all employees and job applicants.
3.0. RESPONSIBILITY
It is the responsibility of the Directors to ensure that this statement is communicated to all relevant parties.
4.0. STATEMENT
ATOM must process personal data (which may include sensitive personal data – now known as “special data”) so that it can provide its services to clients – in doing so, ATOM acts as a Data Controller so we are obliged to ensure we only process personal data where we have legal grounds to do so.
Personal details may be provided directly by you, such as on an application form, or we may collect them from another source such as referees or medical providers. For the purposes of providing information relating to your role we will only use your personal data in accordance with this GDPR Privacy Statement.
We take care to protect the privacy of all personal data we hold which, at all times, will be in compliance with current data protection laws.
As a Data Controller, we must have a legal basis to process your personal data. The legal grounds we rely upon are one or more of the following:
- Where we have a legitimate interest.
- To comply with a legal obligation that we have.
- To fulfil a contractual obligation that we have with you.
ATOM has a legitimate interest to process your data provided it is reasonable and does not go against what you would reasonably expect. Where ATOM has relied on a legitimate interest to process your personal data our legitimate interests are as follows:
- Managing our computer and hard copy records to keep them up to date
- Maintaining contact details to ensure work-related information may be communicated to you
- Ensuring employees have the correct records to allow them to work on our contracts
4.1. How we collect and use data
We hold relevant personal data that you have provided to us, or information that other parties, such as your referees, have provided to us. However, we will always ensure the processing of any other data remains consistent with the purpose and legal basis that we already rely on under our GDPR Privacy Statement.
We use data for the purposes of:
- Arranging payments to employees
- Putting employees forward for inclusion on projects
- Arranging training
- Complying with legislation
- Providing our clients with employee qualifications and experience details.
- Complying with client requirements including during the course of client or other external audits
4.2. Statutory requirements
ATOM has certain legal and contractual requirements to collect personal data (e.g. to comply with immigration and tax legislation). Our clients may also require this personal data, and/or we may need your data to enter into a contract with you.
4.3. Recipients of data
ATOM will process some or all of your personal data as necessary, with the following recipients:
- Clients
- Referees who may include former employers, or other persons from whom we may seek references.
- Our bank if we need to process payments to employees
- Pension providers
- HMRC or other government authorities
- Our own third party service providers including but not limited to our accountants, insurers, auditors, legal advisors and IT service providers
- Employee’s nominated emergency contacts. Only in the event of an important or emergency situation may we pass on the nominated emergency contacts’ details to the emergency services, if necessary and appropriate at the time.
We take great care to ensure your information is kept securely and all appropriate checks are carried out by us to ensure those third parties have and maintain similar standards of data protection.
4.4. Categories of Data
ATOM collects some or all of the following personal data on you:
Personal Data
- Personal details: full name, gender, marital/family status, date of birth/age, images of you
- Contact details: postal address, personal email address, home and mobile telephone numbers, IP address if you are a website user
- Immigration status: nationality/citizenship/place of birth/ID Confirmation (usually by means of obtaining copies of your full Birth Certificate, Passport, Visas or Identity Card)
- Other ID information such as Driving Licence
- Education, qualifications, certificates and employment history, including your work performance, absence and disciplinary record
- Current remuneration & benefits
- National Insurance number
- Bank details
- Third party contact information, specifically your emergency contacts and referee details
- Correspondence, including meeting notes, contemporaneous notes of conversations and feedback
Special categories of data & information on Criminal Convictions/Offences:
- Health or fitness information including whether you have a disability
- Details of unspent convictions or spent convictions that must be declared for specific roles you have applied for
Where we hold special data – we are bound by stricter rules. This could be information about your gender, age, sexual orientation, religion, social-economic background and other information such as health-related data. We currently only collect and process such special data where there are legal grounds to do so (e.g., Health & Safety measures, in compliance with the Equality Act with reference to disability access rights). If there is any other wish or need during the course of our working relationship for us to process your special data we will only do so with your explicit consent.
Source of the personal data:
ATOM sources your personal or special data from:
- Employees directly, by means of their CV or other forms that they have provided to us
- A client whom the employee is working for or has worked for, or where the employee is known to our client
- A referee whose details have been previously provided to us
- A friend, colleague, or employer
- Appropriate authorities to verify details that have been provided, check qualifications and rights to work, and check suitability for your role (this includes work references and DBS checks)
- HMRC or other government bodies
4.5. Data retention
ATOM will retain your personal data only for as long as is necessary for the purpose we collect it. Different laws may also require us to keep different data for different periods of time.
We must also keep your payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation. Our payroll, including holiday and sick pay, and pension records are held for 6 tax years plus the current tax year.
4.6. Employee Rights
Please be aware that you have the following data protection rights:
The right to be informed about the personal data the IRS Group processes on you (Achieved by means of this GDPR Privacy Statement)
The right of access to the personal data ATOM processes on you
If you make a Subject Access Request under your access rights, you should note that we may ask you for more information to verify your identity and provide greater detail about your request before we comply. If we are legally permitted to do so, we may decline your request, in which case we will explain to you why this is the case.
The right to rectification of your personal data
You can ask us to rectify any inaccurate information we hold. Where appropriate we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to, so you can take action to inform them of any rectification you require.
The right to erasure of your personal data in certain circumstances
Where we agree with the request we will delete your data securely but will generally assume that you would prefer us to keep a note of your name and date of birth on our register of individuals that would prefer not to be contacted (this is aimed at minimising the chances of you being contacted in the future where your data is collected in some other unconnected circumstances). If you disagree with us holding your name for this purpose you are free to inform us in writing, on receipt of which the data will be deleted.
The right to restrict processing of your personal data
Your rights apply in the event you dispute the accuracy of the personal data or you object to our processing of your personal data on the grounds of our legitimate interests or if you consider our processing of your data unlawful.
The right to data portability
In certain circumstances, this being in the event that your personal data has been provided to us by you, and has been processed by us based on your consent or in order to fulfill the requirements of a contract;
The right to object to the processing of your personal data that was based on a public or legitimate interest
Generally, we will only disagree with you if certain limited conditions apply, being that we can show compelling grounds for processing that overrides your interests or we are processing your data for the establishment, exercise or in defence of a legal claim.
The right to withdraw consent at any time where we have relied on consent as a legal basis for processing your data
Where you have consented to ATOM processing your personal data/special data you have the right to withdraw that consent at any time by contacting the Operations Administrator. Please note that if you withdraw your consent to further processing that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.
There may be circumstances where ATOM will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.
If you believe that any of your data that ATOM processes is incorrect or incomplete, please contact the Operations Administrator and we will take reasonable steps to check its accuracy and correct it where necessary.
You can also contact us using the above details if you want us to restrict the type or amount of data we process for you, access your personal data or exercise any of the other rights listed above.
We will seek to deal with your request as quickly as we can and within 30 days (unless we have reason and are allowed to extend this period).
- Sale of business
If the ATOM business is sold or integrated with another business your details may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business. We will ensure that all such parties are GDPR compliant prior to such disclosure.
- Data Security
We are passionate about protecting your information so we have put in place appropriate measures that are designed to prevent unauthorised access to and/or misuse and/or loss of your personal data.
We have done this by putting in place sound technical and organisational measures which include a process on how we deal with any suspected breach, ensuring firewalls, anti-virus, encryption and limited access by means of secure passwords apply to our systems. We also endeavour to use secure electronic methods of transferring documents between us, for example the forms that we use to collect and store your personal data.
Only employees who need the information to perform a specific job (for example, consultants, our accounts and payroll or our marketing personnel) are granted access to your information.
ATOM uses all reasonable efforts to safeguard your personal information. However, you should be aware that the use of email/the Internet is not entirely secure and for this reason the IRS Group cannot guarantee the security or integrity of any personal information which is transferred from you or to you via such media.
If you share a device with others we recommend that you do not select the “remember my details” function when that option is offered. If you have any questions about the security at our website, you can contact the Operations Administrator.
- Changes to this privacy statement
We will update this GDPR Privacy Statement from time to time. We will post any changes on the statement with revision dates on our website(s). If we make any material changes, we will notify you.
- Complaints or queries
If you wish to complain about this GDPR Privacy Statement or any of the procedures set out in it please contact the Operations Administrator.
You also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.