Achieving for Children is registered as a controller with the Information Commissioner’s Office (ICO). Registration number ZA04506. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
The privacy notice applies to all employees, former employees, agency staff, contractors and non executive directors. The information we process enables us to manage the employment relationship and will vary depending on your specific role and personal circumstances. The privacy notice should be read in conjunction with other corporate policies and procedures.
Information we collect about you
- personal identifiers and contacts such your name, address , photograph, including email address date of birth, gender, nationality, national insurance number, copies of documentation proving your right to work such as your passport or visa and contact details;
- job information such as your job title, department, start date, hours, contract type, salary, annual leave, sick leave, sabbatical and bank details for pay and expenses purposes.
- performance information including annual appraisals, performance reviews and ratings, performance improvement plans, promotions, details of any disciplinary or grievance procedures in which you have been involved, any warnings issued to you and related correspondence.
- education and employment history including qualifications, skills, experience, employment history, references given and received.
- In certain circumstances we will also hold limited information about your spouse, partner or civil partner or other individuals for example where you name them as an emergency contact or where shared parental leave is requested.
- information about your activities in Achieving for Children, including use of information and communication systems such as access times from your ID card or an IP address if you access information from a device.
- We may also process more sensitive information about you which is classed as “special category data” and receives additional protection under data protection law. This includes information about your health, medical conditions or disabilities, religion or beliefs, ethnicity, political opinions, sexual orientation, trade union affiliations.
- information about your past criminal convictions, working with children or vulnerable adults and or your fitness to practice in certain regulated professions.
Although some of the personal information that you are asked to provide is statutory or contractual, some information may be requested on a voluntary basis. You will be informed whether the requested information is mandatory or voluntary.
How we collect your personal data
Achieving for Children collects your personal information in a variety of ways. Examples include when you:
- submit a successful application for a job with Achieving for Children
- complete your new starter and payroll form and start working with us
- update your personal record with Human Resources during your employment
- supply emergency contact details, in which case we will then assume that the person whose details you give us are happy for these details to be shared with us by you
- request shared parental leave, in which case we will receive the spouse/partner’s name and the name of their employer either from you or from your spouse/partner’s employer
- share it during the course of your employment, for example during correspondence with you, during the annual appraisal process, if you need to take sick leave or if your role changes
If we do not receive information directly from you, we either generate it ourselves (such as your AfC Work ID and username), or we receive it from third parties, such as:
- HM Revenue and Customs (HMRC)
- Pensions scheme providers
- Disclosure and Barring Service
- Organisations we appoint to conduct background checks on our behalf
- Individuals or organisations that you named as a referee
- Historic records from our commissioning councils
Lawful basis for processing your personal data
In order to be able to process your data lawfully, we must rely on a specific lawful basis, depending on the main reason why we need the data. Below we will explain these lawful bases and when they might be used.
- It is necessary to comply with a legal obligation such as complying with UK legislation in the areas of employment for tax purposes, Equality Act, or laws around health and safety in the workplace.
- It is necessary to carry out the contract of employment we have with you, ensure you can work in the UK, pay you a salary and keep records of disciplinary, complaint or grievance proceedings.
- It is necessary to protect your vital interests for example, in emergency situations we may need to access or share your information in order to protect your life or that of another person.
- Where you have given your explicit consent for a specific purpose.
To process special category data, Achieving for Children relies on the following:
- Processing is necessary to carry out our obligations or exercise our (or your) rights under employment law, social security and social protection. For example to keep a record of reasonable adjustments to meet our obligations under the Equality Act.
- Processing is necessary for the purposes of preventive or occupational medicine and to assess the working capacity of an employee. We may seek advice from occupational health with regards to making adjustments to your working practices due to a health condition.
- Processing is necessary for the establishment, exercise or defence of legal claims against Achieving for Children.
- Where you have received your explicit consent to process your data for a specific purpose.
- Processing is necessary for statistical purposes, such as compiling statistics for equal opportunities initiatives.
Who we share your personal information with
As a principle, only minimal information will be shared as necessary and only where we have identified a lawful basis or exemption for doing so, and the data is proportionate to the need.
Your information will be shared internally within Achieving for Children and with our external Human Resources / recruitment service providers including members of the RBK and RBWM HR and Payroll Service, your line manager, AfC managers in the business area in which you work and RBK and RBWM IT staff if access to the data is necessary for performance of their roles.
We will share your data with other third parties only where it is fair, transparent and lawful and in accordance with the General Data Protection Regulation and the Data Protection Act 2018.
Some of the third parties with whom information about staff may be shared include (list is non exhaustive):
- HMRC, the Office for Standards in Education, Children's Services and Skills (Ofsted) or Care Quality Commission (CQC) or Health and Safety Executive (HSE) to meet statutory reporting obligations
- Royal Borough of Kingston upon Thames Human Resources and Payroll Service
- Royal Borough of Windsor and Maidenhead Human Resources and Payroll Service
- External pensions providers to administer staff pensions
- uCheck, AfC appointed data processor for DBS checks purposes
- Licence Bureau, AfC appointed data processor for drivers’ licence checks and vetting purposes
- Matrix SCM, AfC appointed provider for agency staff
- Law enforcement agencies for the prevention or detection of crime
- External auditors
- Achieving for Children Legal advisors and court of law as necessary
- Emergency response services as necessary to protect your vital interests or those of another person.
We will not transfer your data to countries outside the European Economic Area.
How long will we keep your information
As a principle, information about you will not be kept for longer than it is needed for the purpose it was collected.
Achieving for Children has a published retention schedule which documents how long different information is required, and this is available on the intranet. These are currently in the process of being updated, so may not contain the most up to date information.
Keeping your information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
Achieving for Children’s email service has been configured to Government Digital Service and we encrypt and authenticate email in transit using Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC). We will ensure that when we send emails containing your personal information they are sent using appropriate security measures to encrypt the data in transit. This may involve the use of a third party encryption tool where appropriate.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Your rights and access to information
Under data protection legislation you have the right to request access to the information that we hold about you. To request a copy of your data, please read the Individual Rights Requests page on this website and then submit your request using your preferred method of contact.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- have inaccurate personal data rectified, blocked, erased or destroyed
- prevent processing for the purpose of direct marketing object to decisions being taken by automated means
- in certain circumstances have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to seek redress, either through the ICO, or through the courts
If you have any questions or concerns about the way we process personal data, or would like to discuss anything in this privacy notice, please contact our Data Protection Officer: email@example.com
If you want to make a complaint about how we handle your personal data, we ask that you give our Data Protection Officer the opportunity to respond in the first instance but you are not obliged to do this. You can make a complaint directly to the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/