Employee Privacy Notice
Processing your personal data
What categories of personal data does the British Red Cross Society ("British Red Cross") collect about me and why?
"Personal data" means any information relating to you. As your employer, the British Red Cross will collect, process, and use your personal data for a range of different purposes.
What is personal data?
- Identification - your name, staff ID, nationality, national insurance number, bank details
- Contact details
- Dependent details
- Job details - including your salary and benefits
- Performance and disciplinary information
- Absence and working time information
- Organisational data including IDs for IT systems
- Working time data - including time recording systems data
- CCTV images, telephone, email, and internet usage records
- Travel such as journeys made for work purposes including overseas travel, train journeys, and car journeys.
Why?
- To pay you and arrange your benefits
- To operate our IT systems and keep them secure
- To manage our workforce and keep track of your career
- To comply with the law and our obligations as your employer
- To ensure our employees are complying with the British Red Cross policies and procedures
- To communicate with you and with other British Red Cross employees and third parties
- To comply with our financial and regulatory obligations
- To meet the British Red Cross Carbon emission obligations
- To better understand our people and the way they interact with us, whether they are staff, volunteers, supporters, or service users.
It is important to know that the British Red Cross may also need to process sensitive personal data about you such as health and medical data, criminal records data, and race or ethnicity data.
Who might the British Red Cross share my personal data with, and what happens if it is transferred out of the UK?
We might also need to transfer your data to other third parties - e.g., potential business partners, acquiring entities, suppliers, customers, or government bodies. Our policy is to limit who has access to that data as much as we can. If we need to transfer data out of your jurisdiction, the British Red Cross will take all necessary measures to ensure your data is adequately protected.
How long will the British Red Cross keep my personal data for?
We will not keep your personal information longer than we need to. We will keep your information either to comply with the law or to ensure that we are complying with our obligations to you and other third parties.
What rights do I have in respect of my personal data?
You have a number of rights in relation to your personal data. These include:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
Who can I contact if I have questions?
If you have concerns or questions regarding your personal data, please contact the Information Governance Team:
Email: dataprotection@redcross.org.uk
Phone: 0344 871 1111
Post: British Red Cross, 44 Moorfields, London, EC2Y 9AL
The British Red Cross Society Employee Privacy Notice
The British Red Cross Society, of 44 Moorfields, London, EC2Y 9AL ("British Red Cross") has prepared this Employee Privacy Notice ("Notice") to be provided to its employees.
In connection with your employment, we have to process your personal data. We think that it is very important that you understand how we use your personal data, and we take our obligations in this regard very seriously. The purpose of this Notice is therefore to give you information about how the British Red Cross collects, processes, stores and otherwise uses information about you, and your rights in relation to that information.
The British Red Cross needs to process your personal data in order to enter into a contract of employment with you and to continue to perform crucial aspects of your contract of employment such as paying you and providing you with benefits.
There are also statutory requirements and other contractual requirements we have to comply with in relation to your employment as well as business and operational needs we have to meet.
If we are not able to carry out the processing activities we describe in this Notice, we may not be able to comply with your contract of employment, and in certain very exceptional cases, may not be able to continue your employment. Of course, we hope it would never come to that, and this is simply information we are required by law to provide to you as part of this Notice.
In certain limited circumstances we may need to ask for your specific consent to process your personal data in a particular way. Where we do so, you will be entitled to withdraw your consent at any time by contacting us as set out at the end of this Notice. However, in most cases we will process your personal data for the reasons set out in this Notice and it will not be appropriate or necessary for you to provide consent.
When we say "British Red Cross", "we" or "us" in this document, we mean the entity you are employed by. As with many other British Red Cross policies, this document is not part of your contract of employment, and we may update it from time to time, for example if we implement new systems or processes that involve the use of personal data.
In this Notice you will see reference to "GDPR" - that refers to the European Union General Data Protection Regulation which is a European law governing your rights in relation to your personal data, and how organisations should protect it. This law has been enacted in the UK by the Data Protection Act 2018.
Index
To help you find information quickly on any particular question you might have, we have set out an index.
What categories of personal data does the British Red Cross collect about me?
Who might the British Red Cross share my information with?
How long will the British Red Cross keep my personal information for?
What rights do I have in respect of my personal information?
What categories of personal data does the British Red Cross hold about me?
"Personal data" means any information relating to you. The British Red Cross will collect, process, and use the following categories and types of personal data about you:
- Identification data, such as your name, signature, marital status, employee/Staff ID, your photo (if voluntarily provided by you), payroll ID, business email address, business address, business landline, business mobile number, citizenship, nationality, visa status, passport/ID data, bank details, background check information, CV, application form, drivers' licence information, national insurance number
- Personal information, such as your date and place of birth, emergency contact details, next of kin details, gender
- Contact details, such as your home address, telephone number and email address
- Information about your job, such as your position, business title, employee type, management level, time type (full or part time and percentage), working time information, work location, division, department, position level, manager (name & ID), support roles, start and end date, contract status reference, job history (including position history, title history, effective dates and past pay groups), education history and qualifications, work history (including log-files of changes in HR databases) and reason for leaving
- Information about your salary and benefits, such as your basic salary, raise amounts and percentages, allowances, insurance benefits (including information about you and your dependants that we provide to the insurer), pension plans, tax code, your bank account details and payment dates, accrued salary information, employee pay group, information relating to your pension
- Time, and systems / buildings access monitoring information, such as CCTV images, swipe card access, time recording software, internet, email, and telephone usage data
- Performance and disciplinary information, such as performance reviews, evaluations and ratings, information about disciplinary allegations (including service user or supporter complaints), the disciplinary process and any disciplinary warnings, details of grievances and any outcome
- Absence information, such as dates of leave of absence/vacation, maternity/paternity/shared parental leave, confirmation of a birth of a child, training/educational leave, family care leave, medical leave, sick leave
- Organisational data including IDs for IT systems, company details, cost centre allocations, and organisations
- Travel data such as journeys made for work purposes including overseas travel, train journeys, and car journeys.
together "Employee Data".
In addition to the collection, processing and use of the Employee Data, the British Red Cross collects, processes and uses the following special categories of personal information about you which we describe as "Sensitive Employee Data":
- Health and medical data, such as psychological assessments, the number of sick days and the information contained in a doctor's certificate/medical certificate for purposes of enabling medical clearance for international travel, salary payment, workforce planning, and compliance with legal obligations; information on work-related accidents for purposes of insurance compensation, work safety and compliance with legal obligations (such as reporting obligations); information on disability for purposes of accommodating the work place and compliance with legal obligations; information on maternity leave for purposes of workforce planning and compliance with legal obligations
- Criminal records data, in the event that the British Red Cross has conducted or received the results of criminal records background checks in relation to you, where relevant and appropriate to your role
- Race or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes, and information which you have voluntarily provided to the British Red Cross for the purposes of our equal opportunities and diversity monitoring and initiatives
- Sexual life data such as marital status where this has been provided voluntarily to the British Red Cross for the purposes of our equal opportunities and diversity monitoring and initiatives.
Inter-Agency Scheme for the Disclosure of Safeguarding-related Misconduct
Sensitive Employee Data (in particular criminal records data and sexual life data) may also be processed as part of the British Red Cross' participation in the Inter-Agency Scheme for the Disclosure of Safeguarding-related Misconduct in Recruitment Process within the Humanitarian and Development Sector (the “Misconduct Disclosure Scheme”).
The purpose of the Misconduct Disclosure Scheme is to enable participating humanitarian, development, and other civil society organisations to share upon request relevant information about people who have been found to have been involved in or committed sexual exploitation, sexual abuse or sexual harassment during employment or in a governing role, for the purpose of making informed recruitment/appointment decisions. More details about the Misconduct Disclosure Scheme are available on the Steering Committee for Humanitarian Response website.
If, during or after your employment with us, you seek a role with another organisation, we may need to respond to requests for references under the Misconduct Disclosure Scheme from that other organisation. This would involve us processing your personal data, and potentially also Sensitive Volunteer Data, as outlined above.
Find out more about the British Red Cross's assessment of the privacy impacts of the Misconduct Disclosure Scheme, including the lawful basis for processing relied upon.
- Download the SCHR Misconduct Disclosure Scheme Data Protection Interest Assessment
- Download the SCHR Misconduct Disclosure Scheme Legitimate Interest Assessment
Why does the British Red Cross need to collect, process, and use my Employee Data and Sensitive Employee Data and what is the legal basis for doing so?
We collect and use Employee Data and Sensitive Employee Data for a variety of reasons linked to your employment. To help clarify these we have set out below a list of reasons why we collect and use this data (the "Processing Purposes"). However, we can only collect and use this data if we have a valid legal basis for doing so, and we are required to explain the various legal bases that we rely on to you.
To give you the full picture, we have set out each of the reasons why we collect and use Employee Data, i.e., the Processing Purposes, and mapped these against the different legal bases that allow us to do so. We appreciate that this is quite a lot of information to take in, so please bear with us.
Processing Purposes
1. Administering and providing compensation, including payroll, expenses and other applicable incentives which involves the processing of identification data, contact details, information about your job, salary and benefits and performance and disciplinary information; absence information and organisational data.
Legal Bases
- Necessary for performing a contract with you as the data subject
- Legitimate interests of the British Red Cross
- Compliance with legal obligations which the British Red Cross is subject to in relation to employment law and tax law.
2. Administering and providing applicable benefits and other work-related allowances, including reporting of benefit entitlements and take-up of benefits which involves the processing of identification data, contact details, information about your job, salary and benefits, performance and disciplinary information; absence information and organisational data.
- Necessary for performing a contract with you as the data subject
- Legitimate interests of the British Red Cross
- Compliance with legal obligations which the British Red Cross is subject to in relation to employment law and tax law.
3. Administering our workforce and managing the employment relationship including managing work activities, tracking working hours, tracking internet, email and telephone usage, providing performance evaluations and promotions, producing and maintaining corporate organisation charts, entity and intra-entity staffing and team management, managing and monitoring business travel, carrying out workforce analysis, conducting talent management and career development, leave management/approvals, providing references, and administering ethics and compliance training which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information and organisational data; and recruitment for other roles both during and after the end of your employment.
- Legitimate interests of the British Red Cross
- Compliance with legal obligations which the British Red Cross is subject to
- Necessary for performing a contract with you as the data subject.
4. Providing IT systems and support to enable you and others to perform their work, to enable our business to operate, and to enable us to identify and resolve issues in our IT systems, and to keep our systems secure which involves processing almost all categories of Employee Data.
- Necessary for performing a contract with you as data subject
- Legitimate interests of the British Red Cross
- Compliance with legal obligations which the British Red Cross is subject to in relation to data protection law.
5. Complying with applicable laws, regulatory, and employment-related requirements along with the administration of those requirements, such as income tax, national insurance deductions, health and safety, employment, data protection and immigration laws, which involves the processing of identification data, contact details, information about your job, performance and disciplinary information; absence information and organisational data - including in response to requests from you for the exercise of your rights as a data subject.
Processing purposes 5 to 6:
- Compliance with legal obligations which the British Red Cross is subject to, particularly in relation to tax law, employment law, data protection law, social security law and immigration law
- Legitimate interests of the British Red Cross.
6. Complying with applicable laws, regulatory, and employment-related requirements along with the administration of those requirements, such as income tax, national insurance deductions, health and safety, employment, data protection and immigration laws, which involves the processing of identification data, contact details, information about your job, performance and disciplinary information; absence information and organisational data - including in response to requests from you for the exercise of your rights as a data subject.
7. Communicating with you, other British Red Cross employees and third parties (such as existing or potential business partners, suppliers, customers, supporters, volunteers, service users or government officials), which involves the processing of identification data, contact details, information about your job and organisational data.
- Necessary for performing a contract with you as data subject
- Legitimate interests of the British Red Cross
- Compliance with legal obligations which the British Red Cross is subject to.
8. Communicating with your designated contacts in the case of an emergency which involves the processing of contact details, information about your job and organisational data;
- Necessary to protect your vital interests as a data subject
- Legitimate interests of the British Red Cross.
9. Responding to and complying with requests and legal demands from regulators or other authorities in or outside of your home country which involves the processing of identification data, contact details, information about your job, salary and benefits, performance, and disciplinary information; absence information and organisational data;
Processing purposes 9 to 10:
- Compliance with legal obligations which the British Red Cross is subject to
- Legitimate interests of the British Red Cross.
10. Complying with corporate financial and regulatory responsibilities, including audit requirements (both internal and external) and cost/budgeting analysis and control which involves the processing of identification data, contact details, information about your job, salary, and benefits, performance, and disciplinary information; absence information and organisational data.
Below are the Processing Purposes and corresponding Legal Bases for Sensitive Employee Data:
Processing Purpose
1. Salary payment, workforce planning, compliance with legal obligations, insurance compensation and providing an accommodating workplace may require health and medical data, such as the number of sick days and the information contained in a doctor's certificate/medical certificate, information on work-related accidents, information on disability, and information on maternity or paternity leave.
Legal Bases
- Necessary to carry out the obligations and to exercise specific rights of the British Red Cross or for you in the field of employment and social security and social protection law as permitted by the data protection law.
2. Criminal records and other background checks (including under the Misconduct Disclosure Scheme), in relation to you, where relevant and appropriate to your role.
- Your explicit consent as allowed by the data protection law
- Necessary to carry out the obligations and to exercise specific rights of the British Red Cross or for you in the field of employment and social security and social protection law as permitted by the data protection law
- Necessary for reasons of substantial public interest as permitted by the data protection law.
3. Right to work checks or visa and immigration checks may involve us using race or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes.
- Necessary for reasons of substantial public interest as permitted by the data protection law
- Your explicit consent as allowed by the data protection law.
We appreciate that there is a lot of information there, and we want to be as clear with you as possible over what this means. Where we talk about legitimate interests of the British Red Cross or third parties, this can include:
- Management of employment relations including performance, disciplinary and grievance issues
- Assessing your suitability for other roles within the British Red Cross;
- Allocating resource and monitoring workload
- Protecting your health and safety in the workplace, as well as the health and safety of others
- Implementation and operation of an organisational information sharing
- Right to freedom of expression or information, including the media and the arts
- Prevention of fraud, misuse of company IT systems, or money laundering
- Operation of a whistleblowing scheme
- Physical security, IT and network security
- Internal Investigations
- Analysing data to better understand our people, and the way they interact with us, whether they are staff, volunteers, supporters, or service users.
When relying on the legitimate interests basis for processing your personal data, we will balance the legitimate interest pursued by us and any relevant third party with your interests and fundamental rights and freedoms in relation to the protection of your personal data to ensure it is appropriate for us to rely on legitimate interests and to identify any additional steps we need to take to achieve the right balance.
The British Red Cross may transfer personal data to third parties, including to entities within and outside the British Red Cross located in any jurisdictions, for the Processing Purposes as follows:
- Communication with third parties. As necessary in connection with business operations, work contact details and communication contact details may be transferred to existing or potential business partners, suppliers, customers, supporters, volunteers, service users, or government officials and other third parties.
- Regulators, authorities, and other third parties. As necessary for the Processing Purposes described above, personal information may be transferred to regulators, courts, and other authorities (e.g., tax and law enforcement authorities), independent external advisors (e.g., auditors), insurance providers, pensions, and benefits providers, internal compliance, and investigation teams (including external advisers appointed to conduct internal investigations).
- Data processors. As necessary for the Processing Purposes described above, personal data may be shared with one or more third parties, whether affiliated or unaffiliated, to process personal information under appropriate instructions ("Data Processors").
The Data Processors may carry out instructions related to workforce administration, IT system support and maintenance, payroll and compensation, training, compliance, and other activities, and will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal information, and to process the personal information only as instructed.
For a full list of third parties that we may share your data with, please contact us as set out below.
As you may expect, some of the recipients we may share Employee Data and Sensitive Employee Data with may be located in countries outside of Europe. In some cases, this may include countries located outside the European Union and/or European Economic Area ("EEA").
Some countries where recipients may be located already provide an adequate level of protection for this data (e.g., those within the EEA). Nonetheless, for transfers to entities outside of the EEA, the British Red Cross will be bound by the International Data Transfers Agreement and Addendum, to ensure that your data is protected adequately.
If recipients are located in other countries without adequate protections for personal data, the British Red Cross will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the International Data Transfers Agreement and Addendum.
You can ask for a copy of such appropriate safeguards by contacting us as set out below (Who can I contact about this stuff?).
How long will the British Red Cross keep my data for?
It is our policy not to keep personal information for longer than is necessary. We may, for example, keep your personal information for a reasonable time after you have left to ensure that the British Red Cross has the records it needs in the event of a dispute or regulatory investigation and to ensure that any ongoing obligations can be complied with, such as complying with requests from regulators, and to contact you about future work opportunities at the British Red Cross.
Where personal information is kept, that period will be determined based on the applicable local law. For further information, please refer to the British Red Cross Records Management Policy or the Records Retention Schedule or contact us as set out below to request further details on how long the British Red Cross will retain different categories of personal information.
What rights do I have in respect of my personal information?
You have a number of rights in relation to your Employee Data and Sensitive Employee Data. These can differ by country, but can be summarised in broad terms as follows:
(i) Right to be informed
You have the right to be informed as to why your personal data is needed for processing, how we will use the data and what will be done with it.
(ii) Right of access
You have the right to confirm with us whether your personal data is processed, and if it is, to request access to that personal data including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right, and if you want to request more than one copy, we may charge a fee.
(iii) Right to rectification
You may have the right to rectify inaccurate or incomplete personal data concerning you.
(iv) Right to erasure (right to be forgotten)
You may have the right to ask us to erase personal data concerning you.
(v) Right to object to processing and rights relating to automated decision-making
Under certain circumstances you may have the right to object to the processing of your personal data including any profiling being carried out on your personal data. This can include requesting human intervention with regards to an automated decision that was made, so that you can express your view and contest the decision.
(vi) Right to data portability
You may have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and you may have the right to transmit that data to another entity.
(vii) Right to restrict processing
In limited circumstances, you may have the right to request that we restrict processing your personal data. However, where we process your Employee personal and sensitive data for the Processing Purposes, we think that we have a legitimate interest in processing which may override a request that you make.
(viii) Right to object to automated decision-making
Under certain circumstances you may have the right to object to the processing of your personal data including any profiling being carried out on your personal data. This can include requesting human intervention with regards to an automated decision that was made, so that you can express your view and contest the decision.
To exercise any of these rights, please contact us as stated below (Who can I contact about this stuff?).
You also have the right to lodge a complaint with the competent data protection supervisory authority, which in the UK is the Information Commissioner's Office (the "ICO"). If you would like to make a complaint in relation to how we have handled your personal information, please follow our complaints procedure. If you are not happy with the response you receive, then you can raise your concern with the ICO:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Alternatively, you can visit their website.
We are registered with the Information Commissioner’s Office as a Data Controller under number Z5379882.
Who can I contact about this stuff?
If you have concerns or questions regarding this Notice or if you would like to exercise your rights as a data subject, you can get hold of the right person below. Please contact the Information Governance Team:
Email: dataprotection@redcross.org.uk
Phone: 0344 871 1111
Post: British Red Cross, 44 Moorfields, London, EC2Y 9AL