WeThrive is a UK based software and technology company specialising in employee experience and performance management. As part of our employment and recruitment functions, we, WeThrive (the “Company”), process special category data in accordance with the requirements of Article 9 of the General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’) and criminal offences data in accordance with Article 10 of the GDPR and Schedule 1 of the DPA 2018.
This ‘appropriate policy document’ sets out how we will protect special category data. We have this document in place to explain the basis on which we process this data and to demonstrate that our processing is compliant with principles set out in the GDPR and DPA 2018. This document covers instances where WeThrive are the data controller and does not cover circumstances where WeThrive act as the data processor.
Special Categories Data
What is Special Category Data?
Special Category Data under Article 9 of the UK GDPR covers processing in relation to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of identifying a person, data concerning health, or a person’s sex life or sexual orientation. This is collectively referred to as ‘special category data’. This definition is also read to include nationality and disability information.
Special Category Data We Process
We process some special category data as part of our recruitment processes and, where necessary, in the course of employment to meet our obligations under laws such as the Equality Act 2010, or to verify that candidates are suitable for employment or continued employment. This type of data includes information relating to ‘right to work’ criteria (residency status etc.), needs, adaptations, and adjustments.
Special category data may be shared with the pension provider in the form of health information, disability information, and nationality/ residency/ citizenship information where this is required for the fair, lawful, and accurate provision of the pension product.
Special category data in the form of health information will be processed as part of sick pay and maternity pay.
Relevant special category data may be used as part of conduct and capability and disciplinary processes.
Criminal Offences Data
What is Meant by Criminal Offences Data?
Criminal Offences Data under Article 10 of the UK GDPR covers processing in relation to data revealing criminal convictions information, Disclosure and Baring Service (DBS) checks and reports, allegations data, observations (e.g., CCTV) that reveals that offences may have been committed. This is collectively referred to as ‘criminal offences data’.
Criminal Offences Data We Process
We process some criminal offences data as part of our recruitment processes and, where necessary, in the course of employment to meet our obligations, or to verify that candidates are suitable for employment or continued employment. This type of data includes information relating to ‘right to work’ criteria DBS checks, references from other employers, and the like.
Criminal offences data may be captured as part of allegations of wrongdoing on the part of the company, its employees, or others. It may be included in CCTV and other surveillance, in investigation reports, complaint forms, disciplinary processes, reports to law enforcement, the courts, or insurance providers. Some criminal offences data may be shared back with complainants.
This Appropriate Policy Document
The Data Protection Act 2018 Schedule 1 Paragraph 39 requires an appropriate policy document to be in place for the processing of special category data for the purposes of employment setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.
This document exists to fulfil our obligations in relation to Schedule 1 Parts 1, 2, and 3.
This information supplements our Privacy Notice.
Conditions for Processing Special Category Data
We process special category data under Article 9 of the GDPR. Examples of our processing of such data include pre-employment checks and declarations by an employee in line with contractual obligations. The lawful bases we rely on to process such data are Article 6(b) performance of contract and Article 6(c) complying with our legal obligations to carry out statutory checks and in case the data is taken in the course of recruitment.
The conditions that we rely on under Schedule 1 of the Data Protection Act 2018 include:
Schedule 1 Part 1 – Employment, social security and social protection: We process the data for the purposes of performing or exercising Employment, social security and social protection our obligations or rights under employment law.
Schedule 1 Part 2
Equality of opportunity or treatment
Preventing or detecting unlawful acts
Protecting the public against dishonesty
Suspicion of financing terrorism or money laundering
Schedule 1 Part 3 – Consent: We may also process such data with the consent of the individual if it fulfils the requirements of a valid consent such as being freely given, informed, specific.
How We Comply with the Data Protection Principles
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
The appointment of a data protection officer.
Taking a ‘data protection by design and default’ approach to our activities.
Maintaining documentation to support our processing activities.
Adopting and implementing data protection policies.
Ensuring we have contracts in place with our data processors.
Implementing appropriate security measures in relation to the personal data we process.
Carrying out data protection impact assessments for our high-risk processing.
We regularly review our accountability measures and update or amend them when required.
Procedures for Ensuring Compliance with the Principles
When processing data, we meet the requirements of the data protection principles, as set out in data protection legislation:
Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
We will process special category data only if we have a legal basis for processing and, in addition, if one of the specific processing conditions specified in the Schedule 1 of the DPA 2018 relating to special category data, applies.
In the case where we seek consent, we abide by the strict rules governing gaining and recording consent. No data subject will be compelled to provide written consent. Giving consent will always be an affirmative decision made by free will and will not be a contractual condition. Consent will be recorded as the condition for processing, and it may be withdrawn at any time.
We will inform the data subjects on how special category data is used when the data is collected. This information is set out in the Privacy Notice.
Principle 2 - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
We process special category offence data for the purposes outlined above and in compliance with the legal conditions for processing. We do not use personal data for purposes that are incompatible with the original purpose.
Principle 3 - Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We collect and retain the minimum amount of information necessary to achieve the purposes outlined above. The information we process is necessary for and proportionate to our purposes. We do not collect any personal data that is irrelevant to, or over and above our identified need.
Principle 4 - Personal data shall be accurate and, where necessary, kept up to date.
We take the reasonable steps to ensure that the personal data we hold is up to date and accurate. Special category data will be obtained directly from applicants, staff and other data subjects or from external sources that we are entitled to assume will provide accurate information, such as the Disclosure and Barring Service.
We will erase or rectify inaccurate data that we hold without delay in accordance with our Data Protection Policy where an individual notifies us that their personal data has changed or is otherwise inaccurate, or if it is otherwise found to be inaccurate. If we decide not to erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.
Principle 5 - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
We only keep personal data for as long as we need it, and then we dispose of it securely. These retention periods are detailed in the Company’s Retention Schedules. At the end of the relevant retention period, the Company erases or securely destroys special category data.
Principle 6 - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against personal data breaches.
The Company has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to data.
Electronic information is processed within our secure network. Hard copy information is processed within our secure premises. Our electronic systems and physical storage have appropriate access controls applied.
The Company has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Retention and Erasure Policies
Our retention and erasure practices concerning special category data are set out in the Company’s Retention Schedule.
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be reviewed annually or revised more frequently if necessary. Where necessary, this policy will be amended to ensure that it remains up to date and accurately reflects the Company’s approach to processing special category data.
If you require further information or have a question about our handling of special category data, you can contact the Customer Success Manager.
· Email: firstname.lastname@example.org
· Phone no: 01273 921788
· Address: We Thrive, 44-46 Old Steine, Brighton, East Sussex BN1 1NH