Leightons Group Staff Privacy Notice
Introduction
This privacy notice explains how Leightons Holdings and Leightons’ Group companies (“we”, “us”, “our”) collect, use, store and share personal data relating to job applicants, employees and former employees.
The personal data we process about you will vary depending on whether you are applying for a role, are currently employed by us, or were previously employed, as well as your role and individual circumstances. This notice provides information required under Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR).
The relevant Leightons Group company is the data controller for this information unless this notice specifically states otherwise.
Our Data Protection Officer is Amicis Data t/a Clinical DPO. Their contact details are:
- Email: leightonsdpo@clinicaldpo.com
- Telephone: 0203 411 2848
Your privacy matters to us and we are committed to the highest data privacy standards, patient confidentiality and adherence to the Data Protection Act 2018 and UK GDPR, including the six core principles of data protection.
How do we get your information?
We may collect personal data from the following sources:
- Directly from you (for example, during recruitment or throughout your employment).
- From an employment agency.
- From referees, either external or internal.
- From Occupational Health, your GP and other health providers.
- From Pension administrators and other government departments (for example HMRC).
- From CCTV systems operated on our premises.
- From relevant professional or regulatory bodies.
- From the processing of DBS checks.
What personal data we process and why?
We use the following information to carry out the contract we have with you, provide you with access to business services required for your role and manage our human resources processes:
- Personal contact details, including name, address, telephone number(s), personal email addresses.
- Date of Birth, gender, and NI number
- A copy of your passport or similar photographic identification, work permit and / or proof of address documents.
- Emergency contact/next of kin and their contact information
- Employment and education history, including qualifications, job application, references, right to work information and details of any criminal convictions that you declare.
- Location of employment
- Information relating to salary and pension including sick leave, bank details, payroll records and tax status.
- Performance records including disciplinary records.
- Health and wellbeing information declared by you and accident records.
- Photographs & Images captured on our CCTV System
We treat all personal data as sensitive but acknowledge that we also process special category data.
Lawful basis for processing your personal data
We process your personal data for the following purposes and lawful bases:
Contract – Article 6(1)(b) UK GDPR
- Recruitment and selection
- Issuing and administering contracts of employment
- Payroll, benefits and pension administration
- Performance management and training
- Managing absence and leave
Legal obligation – Article 6(1)(c) UK GDPR
- Right to work checks
- Tax, National Insurance and pension obligations
- Health and safety compliance
- Employment law obligations
- Safeguarding and DBS requirements (where applicable)
Legitimate interests – Article 6(1)(f) UK GDPR
- Internal HR administration
- Workforce planning and management
- IT systems security and monitoring
- Business continuity and organisational management
We have assessed that our legitimate interests are not overridden by your rights and freedoms.
Special category data
We process special category data in accordance with Article 9 UK GDPR, relying primarily on:
- Article 9(2)(b) – employment, social security and social protection law
- Article 9(2)(h) – occupational health and assessment of working capacity
Criminal convictions data
Criminal convictions and DBS information are processed in accordance with Article 10 UK GDPR and Schedule 1 of the Data Protection Act 2018, only where legally permitted and necessary for the role.
How long we keep your personal data?
We keep your data for as long as we need it for the purposes it was collected.
- Employee records are retained for the duration of employment and for a period afterwards in line with legal and regulatory requirements.
- Applicant data for unsuccessful candidates is retained for 12 months from the date of application, unless you consent to a longer period or retention is required for legitimate purposes.
Full details are set out in our Data Retention Schedule, which is available on request.
Your rights in relation to this data processing
Under the UK GDPR, you have the following rights:
- The right to be informed
- The right of access, commonly referred to as subject access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making including profiling
Some rights are not absolute and may be subject to legal exemptions.
To exercise your rights, contact our Data Protection Officer using the details above.
Securing and processing of your personal data
We take appropriate technical and organisational measures to protect your personal data, including:
- Secure digital systems and access controls
- Physical security at our premises
- Password protection and user authentication
- Staff confidentiality training and policies
In the event of a personal data breach that poses a risk to you, we will notify you and, where required, report the incident to the Information Commissioner’s Office (ICO).
Sharing of Personal Data
Access to your personal data is restricted to staff who need it for their role.
We may share your personal data with:
- Government bodies (such as HMRC)
- Regulators or law enforcement agencies where legally required
- External auditors
- Service providers who act as data processors on our behalf and process data only in accordance with our instructions
A list of our current data processors is provided in Annex A.
If our business, or any part of it, is sold, transferred, merged, restructured or acquired, personal data relating to employees, former employees and job applicants may be disclosed to a prospective buyer, seller, new owner or their professional advisers where this is necessary for the purposes of the transaction.
Any such disclosure will be limited to what is necessary, will be subject to appropriate confidentiality and security safeguards, and will be carried out in accordance with UK data protection law. Where a transaction completes, your personal data may be transferred to the new owner or controlling organisation, who will become the data controller and will be required to inform you how your personal data will be used.
We rely on our legitimate interests in managing and developing our business for this processing, and we ensure that your rights and interests are not overridden.
Transfers of personal data
We may transfer staff personal data outside the UK where this is necessary for legitimate business purposes, such as use of IT systems. Where we do so, we ensure that appropriate safeguards are in place to protect the data and to ensure it is treated to the same standard of protection as required under UK data protection law. These safeguards may include adequacy regulations, standard contractual clauses, or other lawful transfer mechanisms.
Further information
Staff surveys
Survey responses are usually anonymous. Please avoid including identifiable information in free-text responses if you wish to remain anonymous.
Whistle-blowers
Personal data processed under our whistleblowing policy will be handled confidentially, subject to the nature of any investigation.
Equal opportunities monitoring
Equality data is used for monitoring purposes and is not used in recruitment decision-making.
Occupational health
During the offer and recruitment process, a health questionnaire is completed. During employment, you may also be referred for occupational health support following a request to HR by you or your line manager. This may result in a telephone or video appointment, a face-to-face consultation with an occupational healthcare professional and/or a medical report from a GP or specialist medical practitioner.
We use Staywell, ELAS Occupational Health and UNUM to provide our occupational health service, or an alternative provider that you will be advised of. The information you provide will be held by the given provider, who will provide us with a report containing their recommendations.
Monitoring and CCTV
ICT systems may be monitored in line with our Acceptable Use and Social Networking policies. CCTV operates at certain premises for safety and security. Further information is available in our CCTV policy.
Requests for references
We will obtain your consent before providing references where required.
How to contact us?
For all data protection matters or questions relating to how we manage your data, or if you are concerned about how your data is being handled, you can contact our Data Protection Officer with the details above.
For complaints, please include the following where possible:
- Your name and contact information
- A description of your concern or the data protection issue
- Any relevant supporting information.
Complaints will be acknowledged within 30 days. We aim to fully respond and resolve the matter without undue delay. If your issue requires more time or clarification, we will keep you informed throughout.
If you are dissatisfied, you have the right to complain to the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
- Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
--
Annex A – Data Processors
Data processors are third parties who provide certain parts of our staff services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so. Our current data processors are listed below.
Iris Open Payslips - Payroll Employee Portal
Iris Earnie Payroll - Payroll software
TeamTailor - System for Processing Recruitment Applications
Kallidus Learn - Digital Learning and Development Suite
People XD - Online HR and Payroll IT service
BUPA - Private Health Insurance
ELAS - Occupational Health Services
Staywell - Occupational Health Services
UNUM - Permanent Health Insurance
Pleo - Employee Expense Claim processing and payments
ReAssure - Group Company Personal Pension Provider
CBS - Umbrella Company to process DBS checks
Aviva - Legacy Final Salary Pension Scheme Provider
Daelriada - Manage legacy final salary pension scheme
Sign-In App - Safety Monitoring for employees at Clarendon House
Great Plains - Accounting Software, also used for Expense payments
Alphabet Connect - App from Alphabet Company Car Fleet provider to support company car drivers in car maintenance service and repairs
Recruitment Agencies - Support the Recruitment of new Staff – Contact us for specific information
Nest - Group Company Personal Pension Provider
Optix PMS - PMS – information to reset password