Employee Record of Processing – relating to individuals who apply to the company for work, whether as an employee, worker, contractor, agency worker, consultant or director (“Job Applicants”)
Data Controller (name of person in business and contact details)
Data Processing Lead (name of person in business and contact details, if different from controller)
Ordinary Personal Data
Category of Personal Data
Purpose of Processing
Lawful basis for processing
Retention Period
Categories of recipients to whom sent
Transferred outside the EEA
Technical and organisational security measures adopted
Biographical details (including name, title, contact details, DOB, gender, emergency contacts, photograph)
Administration of the contract, emergency contact details so we can look after Employee welfare in an emergency, gender for equal opportunities monitoring, DOB for checking rates of pay and BHA stable employee information, photograph for BHA stable employee information
Legal Obligation
Performance of the Contract
Legitimate interest to hold emergency contact details in order to inform an Employee nominated person in an emergency situation
As a legitimate interest for safeguarding in relation to overnight racecourse stays, photograph for stable identity pass, gender for stable employee industry record and for overnight racecourse stays
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients. This template includes some suggestions as to recipients for businesses to amend and add to as appropriate.
British Horseracing Board and Weatherbys under contract to the BHA
Other racing jurisdictions if employee accompanying horses racing outside of UK
N/A or [insert details of country/countries to which data is transferred – consider if you have runners outside of the EEA what personal information you have to transfer in connection with that]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Record of Processing Employee Data 1
Recruitment information (inc correspondence/references/right to work checks and related documents)
Administration of the contract and to aid and demonstrate that Employees have the legal right to work in the UK
Legal Obligation
Performance of the Contract
Legitimate interest to maintain relevant and appropriate records of recruitment for business administration and administration of employment
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Employment details (inc start date, contractual terms, location, job title, career history)
Administration of the contract
Managing our relationship with Employee on an ongoing basis
Details about role/experience etc may be used in communications with customers and potential customers
Legal Obligation
Performance of the Contract
Legitimate interest to manage ongoing relationships and to promote goods/services to customers and potential customers
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
Consider if likely to be shared with NARS or other trade union, RIABS
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Payroll and tax/NI and bank details
Paying employees, deducting tax and NI as appropriate, keeping appropriate records
Legal Obligation
Performance of the Contract
NI number for BHA Stable Employee Records
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
HMRC
Payroll provider
Weatherbys
BHA
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Working hours and arrangements
Paying employees correctly
Complying with legal obligations regarding working time
Managing attendance, day to day operational management and dealing with requests to alter hours
Arrangements – if employee under 18 to seek consent to overnight stays away whilst accompanying horses racing
Legal obligation
Performance of the contract
Legitimate interests to manage working hours/arrangements to ensure effective business operations
Legitimate interest to safeguard young workers and in line with BHA safeguarding advice
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
HMRC
HSE
Information on working hours may be shared with NARS or other trade union if correspondence from them is received
Employee under 18, seeking consent from parent or carer to overnight stays at racecourses
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Pay and benefits including pensions and RIABS
Providing employees with agreed pay, benefits and expenses, making decisions about future compensation, tracking and reviewing pay, benefits, expenses, making strategic decisions about compensation, auditing and reporting on company financial position
Legal Obligation
Performance of the Contract
Legitimate interest to analyse pay, benefits and expenses and make decisions about appropriate compensation on an individual and company level
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Performance and career progression (including appraisals, performance management, target/objective setting, consideration of new duties)
Ensuring employees perform in accordance with their contract and the standards required, and considering future duties/roles, setting performance related pay increases, determining eligibility for performance bonuses
Performance of the Contract Legitimate interest to manage performance and duties/roles to ensure effective business operations (and set appropriate levels of remuneration)
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Qualifications (including educational, vocational, driving licenses where appropriate) and training
Ensuring Employees are appropriately qualified and trained for current or potential roles
Legal Obligation
Performance of the Contract
Legitimate interest to ensure that there are appropriate qualifications and training for current or potential roles
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Holiday and other leave
Managing statutory and non-statutory holiday and leave
Legal Obligation
Performance of the Contract
Legitimate interest to ensure leave taken is compatible with business requirements and that any consequent operational adjustments are made
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
Information on holiday and other leave may be shared with NARS or other union if a query from them is received
N/A or [insert details of country/countries to which data is transferred]
Disciplinary, conduct and grievance matters about or involving Employees
Investigating and dealing with disciplinary, conduct and grievance matters related to or otherwise involving Employees
Legal Obligation
Performance of the Contract
Legitimate interest to deal effectively with disciplinary, conduct or grievance matters, whether Employees are subject to them or otherwise connected to the issues raised
Public interest in detecting or preventing unlawful acts
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
Information may be shared with NARS or other union if a query from them is received
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Employee representation
Establishing and facilitating consultation with staff on relevant matters
Legal Obligation
Legitimate interest to engage with appropriate Employee representative on relevant matters
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Health and Safety
Conducting risk assessments; establishing safety measures to mitigate identified risks; providing a safe working environment; keeping required records
Legal obligation
Legitimate interest to ensure Employees are able to perform their duties in a safe environment for the efficient operation of the business
Legitimate interest relating to BHA requirements on health and safety
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Changing terms of employment or termination of employment
Administration of the contract, making changes to the terms of employment to fit business requirements, managing relationships with Employees on an ongoing basis including during notice, promotions, role changes, and other career progression, termination of working relationship however instigated, managing post employment issues
Legal Obligation
Performance of the Contract
Legitimate interest to manage, alter and where relevant to terminate the contractual relationship or respond to resignations and deal effectively with post employment issues
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
CCTV footage
Primarily for security purposes although we may also use the CCTV footage when investigating allegations of misconduct by employees
Legal Obligation
Performance of the Contract
Legitimate interest to deal effectively with allegations of misconduct and to maintain the security of our premises
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Information about Employee’s use of business equipment, technology and systems including our computers/telephones/mobile phones/software/applications/social media [door entry systems/clocking in and out system/time recording]
Maintaining the operation, security and integrity of our business communication systems (e.g. protection from hackers, malware), providing IT and communications systems support, preventing excessive personal use, keeping premises secure, managing time records
Performance of the contract
In our legitimate interest to maintain the operation, security and integrity of communication systems, prevent excessive use of business resources for personal purposes, to record time worked
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Personal data produced by employees in the course of carrying out their job (e.g. job-related emails, minutes of meetings, written reports, business social media presence, etc)
Performance of job duties by Employees, carrying on the business of the company, monitoring business social media presence to ensure expected standards are complied with
Performance of the contract
In our legitimate interest to carry out the company business
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
Personal data, which may include any of the types of data set out in this appendix that is relevant to our strategic decision-making processes, to planning business operations, actual and potential legal claims, corporate reporting and business risk analysis
To carry out the company business, analyse current business performance, plan for the future, present information in reports to relevant audiences such as shareholders where applicable, protect the company from legal claims, seek professional advice as and when required in the course of running our business
Legal obligation
Performance of the contract
In our legitimate interest to carry out the company business including taking strategic decisions in the interest of the business, communicating about the business with relevant audiences and seeking professional advice where appropriate
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Personal data, which may include any of the types of data set out above, that is relevant to strategic decision making process, to planning business operations, actual and potential legal claims, corporate reporting and business risk analysis
To carry out the company business, analyse current business performance, plan for the future, present information in reports to relevant audiences such as shareholders, protect the company from legal claims, seek professional advice as and when required in the course of running our business
Legal obligation
Performance of the contract
Legitimate interest to carry out the company business, including making strategic decisions in the interest of the business, communicating about the business with relevant audiences and seeking professional advice where appropriate
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Special Category Data
Category of personal data
Purpose of processing
Lawful basis for processing
Additional lawful basis for processing and safeguards for special categories of personal data or data relating to criminal convictions and offences
Retention Period
Categories of recipients to whom disclosed
Transferred outside EEA
Technical and organisational security measures adopted
Sickness absence and medical information (including records relating to absence and its management, information about any medical condition and doctor’s reports and notes) [drug and alcohol testing if applicable]
Payment of company and statutory sick pay, providing employment benefits, managing absence and ensuring appropriate cover
Legal obligation
Performance of contract
Legitimate interest to manage Employees with health conditions, maintain a safe working environment, and to manage sickness absence of the workforce and ensure appropriate cover
Legal obligation/right in relation to employment
Assessment of working capability
In exceptional circumstances, to protect your or someone else’s interests where consent cannot be given
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Family leave (including maternity, paternity, adoption and shared parental leave, parental leave and time off for dependants) (which could include information about Employee health, religious beliefs, sexual life or sexual orientation)
Facilitating the taking of family related leave, payment of maternity, paternity, adoption and shared parental pay, managing absence and ensuring appropriate cover
Legal obligation
Performance of the contract
In our legitimate interest to manage absences and ensure appropriate cover
Legal obligation/right in relation to employment
Assessment of working capacity
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Trade Union Membership
Facilitating meetings with union representatives for collective bargaining purposes
Compliance with legal obligations to allow time off for trade union activities, training etc.
Legal obligation
Legitimate interest to engage with trade union representatives and manage and facilitate time off, etc., for trade union representatives where applicable
Legal obligation/right in relation to employment
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Equal opportunities and diversity which could include information about Employee race or ethnicity, religious beliefs, sexual orientation or health
To monitor equality of opportunity and diversity in our organisation, comply with company policies
Legitimate interest to understand how our organisation is doing with regard to diversity and equal opportunities
Public interest in monitoring equal opportunities within the workforce
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
[Biometric data used to identify Employees (e.g. fingerprint laptop recognition or fingerprint banking recognition)]
[To ensure security of laptops]
Legitimate interest in the security of the business
[Employee’s explicit consent (given voluntarily – if there is no consent then alternative means of access to laptops will be made available). If there is consent, Employees have the right to withdraw consent at any time, in which case alternative means of access will be made available]
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
Criminal convictions/offences/if you have disclosed that you are known to a local authority as being a risk or potential risk to young people and/or adults at risk, or that you are subject to disciplinary investigations or sanctions by any organisation due to concerns about your behaviour towards young people or adults at risk
If a criminal conviction comes to light or a safeguarding concern is identified, to investigate and assess the impact, if any, on your continued employment (see the company Disciplinary Policy)
Legal obligation
Performance of the contract
Legitimate interest to determine whether to employ individuals with criminal convictions in particular roles
Employee has manifestly made the information public
Establishing, exercising or defending legal claims
Legal right in connection with health and safety
Public interest in detecting or preventing unlawful acts
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Job Applicant Record of Processing – relating to individuals who apply to the company for work, whether as an employee, worker, contractor, agency worker, consultant or director (“Job Applicants”)
Data Controller (name of person in business and contact details)
Data Processing Lead (name of person in business and contact details, if different from controller)
Category of personal data
Purpose of Processing
Lawful basis for Processing
Additional lawful basis for processing and safeguards for special categories of personal data or data relating to criminal convictions and offences
Retention Period
Categories of recipients to whom disclosed
Transferred outside EEA?
Technical and organisational security measures adopted
Information contained in application forms/CVs/covering letters or otherwise provided to the Company by the Job Applicant, including name, title, contact details, employment history, experience, skills, qualifications, training including educational vocational, driving licences where appropriate, referees’ names and contact details
Processing application and corresponding with Job Applicant about it
Assessing whether Job Applicant has the skills, experience, qualifications and training for a role
Making informed recruitment decisions
Verifying information provided by Job Applicant
Keeping appropriate records of the recruitment process
Entry into a contract
Legal obligation
Legitimate interest to review and consider Job Applicants’ personal data in order to select the most appropriate candidate for the job
N/A
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Publicly available information about Job Applicants, such as their business social media presence
Processing application and corresponding with Job Applicant about it
Assessing whether Job Applicant has required skills, experience, qualifications and training for a role
Making informed recruitment decisions
Verifying information provided by Job Applicant
Keeping appropriate records of the recruitment process
Entry into a contract
Legal obligation
Legitimate interest to review and consider Job Applicants’ personal data in order to select the most appropriate candidate for the job
N/A
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Selection information, including correspondence, interview notes, internal notes, results of any written, online or practical selection tests
Processing application and corresponding with Job Applicant about it
Assessing whether Job Applicant has required skills, experience, qualifications and training for a role
Making informed recruitment decisions
Verifying information provided by Job Applicant
Keeping appropriate records of recruitment process
Entry into a contract
Legal obligation
Legitimate interest to review and consider Job Applicants’ personal data in order to select the most appropriate candidate for the job
N/A
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
Pre-employment check information, including references and verification of qualifications
Processing application and corresponding with Job Applicant about it
Assessing whether Job Applicant has required skills, experience, qualifications and training for a role
Making informed recruitment decisions
Verifying information provided by Job Applicant
Keeping appropriate records of recruitment process
Complying with BHA rules of racing requirement to take up a reference on the previous trainer if previously employed in racing
Entry into a contract
Legal obligation
Legitimate interest to review and consider Job Applicants’ personal data in order to select the most appropriate candidate for the job
N/A
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Right to work checks and related documentation
Processing application and corresponding with Job Applicant about it
Assessing whether Job Applicant has required skills, experience, qualifications and training for a role
Making informed recruitment decisions
Checking and demonstrating that Job Applicant has right to work in UK
Verifying information provided by the Job Applicant
Keeping appropriate records of recruitment process
Entry into a contract
Legal obligation
Legitimate interest to ensure we are compliant with obligation not to employ individuals who do not have a legal right to work in the UK
N/A
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Equal opportunities and diversity which could include information about race or ethnicity, religious beliefs, sexual orientation or health
To monitor equality of opportunity and diversity in our organisation, comply with company policies
In our legitimate interest to understand how our organisation is doing with regard to diversity and equal opportunities
Public interest in monitoring equal opportunities within the workplace
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Information relevant to the request by the Job Applicant for adjustments to recruitment process as a result of medical condition/disability
To carry out a fair, non-discriminatory recruitment process by considering/making reasonable adjustments to the process as appropriate
Entry into a contract
Legal obligation
Legitimate interest to make appropriate adjustments to ensure recruitment process is accessible and allows Job Applicants to fully engage with it
Legal obligation/right in relation to employment
Data is retained and erased in accordance with the Employee Data Retention Process
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
[Pre-employment health questionnaires/medicals]
(see separate guidance notes)
[To assess whether successful Job Applicant is fit to do the job with adjustments, to consider/arrange suitable adjustments, and to comply with health and safety requirements]
[Entry into a contract
Legal obligation
Legitimate interest to ensure that successful Job Applicants are fit to do their job and any necessary adjustments are put in place]
[Legal obligation/right in relation to employment
Data is retained and erased in accordance with the Employee Data Retention Process]
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]
Criminal convictions/offences/if you have disclosed that you are known to a local authority as being a risk or potential risk to young people and/or adults at risk, or that you are subject to disciplinary investigations or sanctions by any organisation due to concerns about your behaviour towards young people or adults at risk
To assess suitability for the role and verify information provided by the Job Applicant
Legitimate interest to determine whether to employ individuals with criminal convictions in particular roles
[Job Applicant has given consent]
[OR in limited circumstances, see separate notes: Legal obligation/right in relation to employment [safeguarding]]
Data is retained and erased in accordance with the Employee Data Retention Process
See Employee Data Retention Process [if possible insert envisaged time limit for erasure of this category of data]
N/A or insert recipients
N/A or [insert details of country/countries to which data is transferred]
See the [Information Security Policy] OR [insert details of measures relevant to this category of data]