APD for the Processing of Special Categories of Personal Data and Criminal Offences Data

Appropriate Policy Document for the Processing of Special Categories of Personal Data and Criminal Offences Data

Written by Lauren Rolfe
Updated over a week ago

Purpose

WeThrive is a UK-based software and technology company specialising in employee experience and performance management. As part of our employment and recruitment functions, we, WeThrive (the “Company”), process special category data in accordance with the requirements of Article 9 of the General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’) and criminal offences data in accordance with Article 10 of the GDPR and Schedule 1 of the DPA 2018.

This ‘appropriate policy document’ sets out how we will protect special category data. We have this document in place to explain the basis on which we process this data and to demonstrate that our processing is compliant with principles set out in the GDPR and DPA 2018. This document covers instances where WeThrive are the data controller and does not cover circumstances where WeThrive act as the data processor.

Special Categories Data

What is Special Category Data?

Special Category Data under Article 9 of the UK GDPR covers processing in relation to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of identifying a person, data concerning health, or a person’s sex life or sexual orientation. This is collectively referred to as ‘special category data’. This definition is also read to include nationality and disability information.

Special Category Data We Process

We process some special category data as part of our recruitment processes and, where necessary, in the course of employment to meet our obligations under laws such as the Equality Act 2010, or to verify that candidates are suitable for employment or continued employment. This type of data includes information relating to ‘right to work’ criteria (residency status etc.), needs, adaptations, and adjustments.

Special category data may be shared with the pension provider in the form of health information, disability information, and nationality/residency/citizenship information where this is required for the fair, lawful, and accurate provision of the pension product.

Special category data in the form of health information will be processed as part of sick pay and maternity pay.

Relevant special category data may be used as part of conduct and capability and disciplinary processes.

Criminal Offences Data

What is Meant by Criminal Offences Data?

Criminal Offences Data under Article 10 of the UK GDPR covers processing in relation to data revealing criminal convictions information, Disclosure and Barring Service (DBS) checks and reports, allegations data, and observations (e.g., CCTV) that reveal that offences may have been committed. This is collectively referred to as ‘criminal offences data’.

Criminal Offences Data We Process

We process some criminal offences data as part of our recruitment processes and, where necessary, in the course of employment to meet our obligations, or to verify that candidates are suitable for employment or continued employment. This type of data includes information relating to ‘right to work’ criteria, DBS checks, references from other employers, and the like.

Criminal offences data may be captured as part of allegations of wrongdoing on the part of the company, its employees, or others. It may be included in CCTV and other surveillance, in investigation reports, complaint forms, disciplinary processes, reports to law enforcement, the courts, or insurance providers. Some criminal offences data may be shared back with complainants.

This Appropriate Policy Document

The Data Protection Act 2018 Schedule 1 Paragraph 39 requires an appropriate policy document to be in place for the processing of special category data for the purposes of employment, setting out and explaining our procedures for securing compliance with the principles in Article 5 and our policies regarding the retention and erasure of such personal data.

This document exists to fulfil our obligations in relation to Schedule 1 Parts 1, 2, and 3.

This information supplements our Privacy Notice.

Conditions for Processing Special Category Data

We process special category data under Article 9 of the GDPR. Examples of our processing of such data include pre-employment checks and declarations by an employee in line with contractual obligations. The lawful bases we rely on to process such data are Article 6(b) performance of contract and Article 6(c) complying with our legal obligations to carry out statutory checks and in case the data is taken in the course of recruitment.

The conditions that we rely on under Schedule 1 of the Data Protection Act 2018 include:

  • Schedule 1 Part 1 – Employment, social security and social protection: We process the data for the purposes of performing or exercising our obligations or rights under employment law.

  • Schedule 1 Part 2

    • Legal proceedings

    • Equality of opportunity or treatment

    • Preventing or detecting unlawful acts

    • Protecting the public against dishonesty

    • Preventing fraud

    • Suspicion of financing terrorism or money laundering

    • Insurance

    • Occupational pensions

  • Schedule 1 Part 3 – Consent: We may also process such data with the consent of the individual if it fulfils the requirements of a valid consent, such as being freely given, informed, and specific.

How We Comply with the Data Protection Principles

Accountability

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • The appointment of a data protection officer.

  • Taking a ‘data protection by design and default’ approach to our activities.

  • Maintaining documentation to support our processing activities.

  • Adopting and implementing data protection policies.

  • Ensuring we have contracts in place with our data processors.

  • Implementing appropriate security measures in relation to the personal data we process.

  • Carrying out data protection impact assessments for our high-risk processing.

We regularly review our accountability measures and update or amend them when required.

Procedures for Ensuring Compliance with the Principles

When processing data, we meet the requirements of the data protection principles, as set out in data protection legislation:

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

We will process special category data only if we have a legal basis for processing and, in addition, if one of the specific processing conditions specified in Schedule 1 of the DPA 2018 relating to special category data applies.

In the case where we seek consent, we abide by the strict rules governing gaining and recording consent. No data subject will be compelled to provide written consent. Giving consent will always be an affirmative decision made by free will and will not be a contractual condition. Consent will be recorded as the condition for processing, and it may be withdrawn at any time.

We will inform the data subjects on how special category data is used when the data is collected. This information is set out in the Privacy Notice.

Principle 2 - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

We process special category offence data for the purposes outlined above and in compliance with the legal conditions for processing. We do not use personal data for purposes that are incompatible with the original purpose.

Principle 3 - Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

We collect and retain the minimum amount of information necessary to achieve the purposes outlined above. The information we process is necessary for and proportionate to our purposes. We do not collect any personal data that is irrelevant to, or over and above our identified need.

Principle 4 - Personal data shall be accurate and, where necessary, kept up to date.

We take reasonable steps to ensure that the personal data we hold is up to date and accurate. Special category data will be obtained directly from applicants, staff and other data subjects or from external sources that we are entitled to assume will provide accurate information, such as the Disclosure and Barring Service.

We will erase or rectify inaccurate data that we hold without delay in accordance with our Data Protection Policy where an individual notifies us that their personal data has changed or is otherwise inaccurate, or if it is otherwise found to be inaccurate. If we decide not to erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.

Principle 5 - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

We only keep personal data for as long as we need it, and then we dispose of it securely. These retention periods are detailed in the Company’s Retention Schedules. At the end of the relevant retention period, the Company erases or securely destroys special category data.

Principle 6 - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against personal data breaches.

The Company has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to data.

Electronic information is processed within our secure network. Hard copy information is processed within our secure premises. Our electronic systems and physical storage have appropriate access controls applied.

The Company has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.

Retention and Erasure Policies

Our retention and erasure practices concerning special category data are set out in the Company’s Retention Schedule.

Review Date

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.

This policy will be reviewed annually or revised more frequently if necessary. Where necessary, this policy will be amended to ensure that it remains up to date and accurately reflects the Company’s approach to processing special category data.

Further Information

If you require further information or have a question about our handling of special category data, you can contact the Customer Success Manager.

  • Phone no: 01273 921788

  • Address: We Thrive, 44-46 Old Steine, Brighton, East Sussex BN1 1NH
