RAC is proud to have established a reputation built on trust and respect. We acknowledge the fact that colleagues, customers, contractors and partners are at the heart of everything we have achieved and are essential to our ongoing success - people are our business. We are, therefore, committed to respecting the fundamental rights and privacy of our colleagues, customers and partners. We are also committed to being concise, clear and transparent about how we obtain and use personal information relating to our workforce, and how (and when) we delete that information once it is no longer required.
This policy sets out RAC's commitment to and arrangements for the appropriate processing and protection of personal information relating to our workforce - rights that are enshrined in the General Data Protection Regulations (GDPR) and its supporting legislation. Its purpose is also to ensure that colleagues understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work.Scope
This policy applies to all colleagues, former colleagues, apprentices, volunteers, job applicants, and those who work on behalf of, or in partnership with RAC. This includes third parties, such as Direct Sales Force ("DSF") agents, contractors, consultants and agency workers, with authorised access (physical or logical) to RAC systems.
For the purposes of data protection legislation, RAC is classed as a "data controller" and, as such, collects and processes personal information relating to its workforce.
The Data Privacy Team is responsible for data protection compliance within RAC. If you have any questions or comments about the content of this policy or if you need further information, you should contact the Data Protection Team by emailing them at firstname.lastname@example.org.
Personal information /sensitive personal information
Personal information means information relating to an individual who can be identified (directly or indirectly) from that information. This includes details such as name, address, email address, financial information, CCTV images, MAC and IP addresses, location data, aliases, preferences and profiles, amongst other things.
Sensitive personal information (sometimes known as 'special categories of personal data' or 'sensitive personal data') means personal information about an individual's race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual's health or sexual orientation.
How we use your personal information
Your personal information will only be processed in accordance with data protection law and regulation. Your personal information is stored and used to enable us to carry out the administration and management of your contract with RAC and the running of our business. This is so that we can ensure that you are receiving commission, maintain and promote equality in the workplace, exercise your and our specific rights, and comply with regulatory and statutory requirements (such as the completion of appropriate security checks).
RAC needs to process data to enter into a contractual relationship with you and to meet its obligations under your contract. For example, it needs to process your data to be able to pay you.
In some cases, your personal information is used to make sure that we are complying with legal obligations. For example, your entitlement to work in the UK, regulatory compliance and health and safety laws. For certain contracts, it is necessary to carry out criminal records checks to ensure third party suppliers are permitted to undertake the role in question.
In other cases, we have a legitimate interest in processing personal data before, during and after the end of the relationship. Processing personal data allows RAC to:
- run recruitment processes;
- run due diligence screening such as reference checks, right to work checks, criminal conviction checks, CIFAS and credit checks;
- maintain accurate and up-to-date personal records and contact details (including details of who to contact in the event of an emergency), and records of your contractual and statutory rights;
- ensure that you are receiving the commission to which you are entitled;
- ensure security;
- ensure effective operational and business administration;
- apply RAC's policies and other terms and conditions relating to your contract;
- provide references on request for current or former DSF Agents/ Contractors;
- respond to and defend against legal claims; and
- maintain and promote equality in the workplace.
Sensitive personal data/special categories of data require a higher level of protection. Most often we may process this special category of data where:
- we need to carry out our legal obligations or exercise rights in connection with your contract;
- where the processing is necessary for the assessment of your working capacity, occupational health or obtaining a medical diagnosis or where it is needed in the public interest (such as equal opportunities monitoring); or
- in exceptional circumstances we may process this data with your explicit consent.
This information will be held electronically and manually, e.g. in your personnel file, RAC's HR information systems and in other IT systems (including RAC's email system). Personal information (and sensitive personal information) will be kept securely in accordance with RAC's Information Security Policy.
In some cases, RAC collects personal data about you from third parties, such as references supplied by former employers/clients, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
Please note that a refusal by you to provide the Company with the relevant personal data required to carry out the purposes listed above, will significantly hinder the Company's ability to provide you with your contractual rights and benefits and/or to comply with a legal obligation.
RAC will make every effort to ensure that the information held about you is accurate and, where necessary, kept up to date. It is your responsibility to ensure that your information is accurate and kept up to date.
You may have access to the personal information of other colleagues, suppliers and customers of the Company in the course of your contract. If so, the Company expects you to help meet its data protection obligations to those individuals.
Who has access to your personal information?
Your information will be shared internally with only those roles that need access to and have authority to access this information as part of their legitimate duties. This includes members of the HR team, your manager, managers in the business area in which you work and IT colleagues if access to the data is necessary. RAC takes steps to ensure that access to your personal information is only given to those who need such access. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
RAC shares your data with third parties in order to obtain pre-contract checks references, background checks from third-party providers and necessary criminal records checks from the Disclosure and Barring Service. RAC may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
RAC also shares your data with third parties that process data on our behalf, e.g. in connection with payroll, the provision of benefits and the provision of occupational health services, or where this is required by law (to regulators and to government departments).
Where RAC uses external organisations to process personal information on its behalf, additional security arrangements are implemented in contracts with those organisations to safeguard the security of personal information.
RAC and our third party suppliers do not process any employee personal data outside of the EEA.
Your Legal Rights
You have a number of legal rights established by privacy law in relation to your personal information that you can choose to exercise at any time. To claim any of the rights listed below or to discuss any aspect of this please contact your line manager.
You have a right to:
We must provide this information to you within 30 days unless your request is complex in which case we may request an extension of this time period.
Object to us using your personal data for profiling and automated decision making
This is defined as; automated processing of personal data, for example to analyse or predict aspects of performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
RAC does not, however, base recruitment decisions solely on automated decision making. Profiling is used, instead, to help inform the decision making process. If this changes we will inform you and if appropriate request your explicit consent to additional profiling purposes.
Rectify inaccurate information, for example by logging onto MyView, via the intranet, to access the self-service facility or for DSF Agents by emailing details of any changes needed to email@example.com.
Restrict processing. If we fail to keep your information accurate or if you believe we are not processing your information lawfully you have the additional right of requesting us to cease processing your personal data for a period or until you are happy that we have met our legal obligation.
Erase your data (Right to be forgotten) if we no longer have a legitimate, legal or regulatory basis for processing it, you can request that we erase any personal data that can be used to identify you.
Port data to another data controller or to yourself in a structured, commonly used and machine-readable format. We have provided a basic overview of those rights here, but if you'd like to find out more or exercise any of these rights you can contact firstname.lastname@example.org.
RAC takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by colleagues in the performance of their legitimate duties. These arrangements are underpinned by the following principles:
- You have a personal responsibility to ensure that you understand and comply with the requirements of this policy - we all have a role in the protection of personal information.
- If you have any queries or concerns about the protection and use of personal information, please raise them, in the first instance, with your manager or HR.
- Any concerns or queries about compliance with data protection legislation and the requirements of this policy should be referred to the Data Protection Officer ("DPO") - email@example.com for guidance on reporting actual or suspected breach.
- Alternatively, you can report any concerns which you believe to be in the public interest about actual or suspected wrongdoing, by using the Whistleblowing Procedure - call 08000 922398 from any internal or external phone. If you wish to withhold your number and remain anonymous, please prefix the number with 141, i.e. 14108000 922398; or email firstname.lastname@example.org.
- In the development of any new procedure or amendment of existing procedure which has the potential to affect the processing or storage of personal information, a privacy impact assessment must be considered, and completed where appropriate, to ensure compliance with data protection principles and legislation.
- You are required to complete mandatory learning on matters relating to data protection and to undertake refresher training modules on an annual basis
- In order to safeguard against unauthorised access to RAC personal information:
- all data held in paper form must be stored securely (e.g. in lockable cupboards and a clear desk policy maintained, where relevant for office based colleagues);
- documents containing personal information must be password protected in accordance with RAC password standards,
- Where RAC engages third parties to process personal data on our behalf, they must:
- provide assurance on the appropriateness of their arrangements as part of our due diligence checks and ongoing performance management and governance processes; and
- do so on the basis of written instructions, under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
After the end of your contract, we will retain your personal information for the purposes stated in line with our Data Retention Policy and in accordance with legal and regulatory requirements. We keep your information for no longer than is necessary for the purposes for which the personal information is processed. Further information on this can be requested from email@example.com.Marketing
We will not use your personal data for marketing purposes, the only exception to this maybe where you have specifically requested marketing information about any RAC products. You can change your mind at any time by selecting Unsubscribe at the bottom of any such emails.