2. What Information Do We Collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, last name, title, photographs, gender, National Insurance number, identity document data (e.g., driving licence);
- Contact Data includes address, email address and telephone numbers;
- Career Data includes curriculum vitae, education details, employment history, links to your professional profiles available in the public domain, e.g. LinkedIn, Twitter, business Facebook or corporate website, and referee details;
- Immigration Status Data includes passport or visa details;
- Financial Data includes bank account, tax-related details, details about your current or previous employment remuneration, pensions and benefits arrangements;
- Payroll Data includes details about payments to and from you;
- Employment Data including records of attendance, history, terms and conditions, training, disciplinary action, and records of role changes;
- Family Data includes family member identity data for background checks, family health data as it pertains to your employment;
- Criminal Data includes criminal convictions and offences;
- Health Data includes disabilities, details of long- and short-term illnesses, and details of accidents occurring while you are conducting your role duties;
- Additional Data which you may choose to share with us that you think is relevant.
The source of the personal data above will be either yourself, your referees, internal company management, trusted third parties such as recruitment agencies and vetting organisations, government departments or publicly accessible sources.
Where we collect information about your health and criminal convictions and offences, these are considered Special Categories of Personal Data. We may also use biometric data (fingerprints) for identification and access to personal devices issued only to you where the data is not stored elsewhere and is not available to anyone else; however, as alternative means are available (usernames, passwords, PINS, etc.) as will be explained at the time, if you chose to use biometric data we consider this as your explicit consent to do so.
We do not collect or process any other Special Categories of Personal Data
3. If You Fail to Provide Personal Data
Where we need to collect personal data by law, or under the terms of a contract that we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have, or are trying to enter into, with you, for example, to begin employment. In this case, we may have to cancel the offer of employment you have with us, but we will notify you if this is the case at the time.
4. When is Your Personal Data Collected?
We collect data from and about you during onboarding when you join the organisation, or prior to joining the organisation, and during the course of your employment with us. You will provide us with your personal data by completing the relevant onboarding forms including security background check forms and payroll details, and other forms at such times as the information is required.
5. How Do We Use Your Personal Data?
The law on data protection sets out a number of different reasons for which a company may collect and process personal data. Our uses of your personal data comply with the law, and include the following lawful bases:
- To allow us to enter into and/or perform our contract with you, and enable us to comply with our legal obligations, such as employing you as a member of Commissum staff;
- If the law requires us to, we may need to collect and process your data, for example to HMRC for tax purposes, or where people are involved in fraud or other criminal activity affecting Commissum, we may be required to share personal data with law enforcement;
- In specific situations we may require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms. These legitimate interests include the use of biometric data for fingerprint authentication to computing devices.
6. Sharing Your Data with Third Parties We Instruct
We sometimes share your personal data with trusted third parties. For example, third party suppliers providing services on our behalf such as background checks and payroll.
When we do share your data with third parties we only provide the information they need to perform the service. They may only use your data for the exact purpose we specify to them and we work closely with them to ensure your privacy is secure and respected.
7. International Transfers of Your Personal Data
We are a global business and some of our offices and service providers are located in countries outside of the UK. As a result, personal data that we collect from you may be transferred to, accessed and/or stored outside the UK in order to provide our services.
- Adequate data protection measures are in place for the destination country, as determined by the ICO
- ICO-approved model clauses are in place between us and any joint controller or processor
For further details, please get in touch using the information provided in the ‘Contacting Us’ section.
8. How Long Will We Keep Your Personal Data?
At the end of that period, your data will either be deleted or completely anonymised. For example, by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
For example, staff data is kept as long as the individual is employed by Commissum plus 6 years. When you cease employment with Commissum we will retain your data for 6 years to comply with legal and contractual obligations.
9. Ensuring Your Data is Up to Date and Correct
It is important that the personal information we hold about you is accurate and current. If your details should every change, please advise a member of HR so your details can be updated.
11. Your Rights
Data protection laws provide you with the following rights to:
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your personal information, this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- Request the restriction of processing of your personal information, for example if you want to establish its accuracy or the reason for processing it; and
- Request the transfer of your personal information to another party in specific circumstances;
- Request not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect or similar significant consequence; note Commissum does not process any personal information in this way.
You also have the right to object to the processing of your personal information where we are relying on your consent, or a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded, excessive, or is a duplicate of a previous request you’ve submitted. Alternatively, we may refuse to comply with the request in such circumstances.
We may also need to request specific information from you to help us confirm your identity and ensure your right to exercise any of your rights. This is an appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
12. Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can contact them by calling 0303 123 1113. Or go online to www.ico.org.uk/concerns.
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.
13. Contacting Us
- By email at email@example.com
- By post at Data Protection Officer, Commissum Associates Ltd, 5 Mitchell Street, Edinburgh, EH6 7BD