RAC is proud to have established a reputation built on trust and respect. We acknowledge the fact that colleagues, customers and partners are at the heart of everything we have achieved and are essential to our ongoing success - people are our business. We are, therefore, committed to respecting the fundamental rights and privacy of our colleagues, customers and partners. We are also committed to being concise, clear and transparent about how we obtain and use personal information relating to our workforce, and how (and when) we delete that information once it is no longer required.
This policy sets out RAC's commitment to, and arrangements for the appropriate processing and protection of personal information relating to our workforce - rights that are enshrined in the General Data Protection Regulations ('GDPR') and its supporting legislation. Its purpose is also to ensure that colleagues understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work.Scope
This policy applies to all colleagues, former colleagues, apprentices, volunteers, job applicants and those who work on behalf of, or in partnership with RAC. This includes third parties, such as contractors, consultants and agency workers, with authorised access (physical or logical) to RAC systems.
For the purposes of data protection legislation, RAC is classed as a "data controller" and, as such, collects and processes personal information relating to its workforce.
The Data Privacy Team is responsible for data protection compliance within RAC. If you have any questions or comments about the content of this policy or if you need further information, you should contact the Data Protection Team by emailing them at email@example.com.
Personal information /sensitive personal information
Personal information means information relating to an individual who can be identified (directly or indirectly) from that information. This includes details such as name, address, email address, financial information, CCTV images, MAC and IP addresses, location data, aliases, preferences and profiles, amongst other things.
Sensitive personal information (sometimes known as 'special categories of personal data' or 'sensitive personal data') means personal information about an individual's race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual's health or sexual orientation.
How we use your personal information
Your personal information will only be processed in accordance with data protection law and regulation. Your personal information is stored and used to enable us to carry out the administration and management of your employment with RAC and the running of our business. This is so that we can ensure that you are receiving pay and other benefits or leave to which you are entitled, maintain and promote equality in the workplace, coordinate workforce management and activities, exercise your (and our) specific rights, and comply with statutory requirements (such as the completion of appropriate security checks).
RAC needs to process data to enter into an employment relationship with you and to meet its obligations under your employment contract. For example, it needs to process your data to be able to pay you and to administer benefit, pension and insurance entitlements.
In some cases, your personal information is used to make sure that we are complying with legal obligations. For example, your entitlement to work in the UK, the deduction of tax, compliance with health and safety laws and to enable you to take periods of leave to which you are entitled. For certain positions, it is necessary to carry out criminal records checks to ensure that colleagues are permitted to undertake the role in question.
In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows RAC to:
- run recruitment and promotion processes;
- run pre-employment screening such as reference checks, right to work checks and criminal conviction checks;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of your contractual and statutory rights;
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
- operate and keep a record of colleague performance, training and development, and related processes, to plan for career development, and for succession planning and workforce management purposes;
- administer all core and flexible benefits including bonus schemes, company car and car allowance schemes, season ticket loans, group income protection and life assurance, salary sacrifice schemes and flexible working (which includes in some cases processing the personal data of next of kin, family or friends);
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that you are receiving the pay or other benefits to which you are entitled;
- administer remuneration payments including payroll, tax and national insurance and any similar pay-related liabilities or obligations;
- administer pension payments;
- ensure security;
- obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that you are receiving the pay or other benefits to which you are entitled;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that RAC complies with duties in relation to leave entitlement, and to ensure that you are receiving the pay or other benefits to which you are entitled;
- ensure effective general HR and business administration;
- apply RAC's policies and other terms and conditions of employment;
- provide references on request for current or former employees;
- respond to and defend against legal claims; and
- maintain and promote equality in the workplace.
Sensitive personal data/special categories of data require a higher level of protection. Most often we may process this special category of data where:
- we need to carry out our legal obligations or exercise rights in connection with employment;
- the processing is necessary for the assessment of your working capacity, occupational health or obtaining a medical diagnosis or where it is needed in the public interest (such as equal opportunities monitoring); or
- in exceptional circumstances we may process this data with your explicit consent.
This information will be held electronically and manually, e.g. in your personnel file, RAC's HR information systems and in other IT systems (including RAC's email system). Personal information (and sensitive personal information) will be kept securely in accordance with RAC's Information Security Policy. If you require a copy please contact firstname.lastname@example.org.
RAC collects this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments, and from any details you subsequently provide us We will also keep records of, for example, your absence history, your regular performance reviews and any actions or decisions taken as a result of applying any of our policies (in accordance with the terms of the relevant policy).
In some cases, RAC collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
Please note that a refusal by you to provide the Company with the relevant personal data required to carry out the purposes listed above, will significantly hinder the Company's ability to provide you with your employment rights and benefits and/or to comply with a legal obligation.
RAC will make every effort to ensure that the information held about each member of Staff is accurate and, where necessary, kept up to date. It is your responsibility to ensure that your information contained in the HR database is accurate and kept up to date.
You may have access to the personal information of other members of staff, suppliers and customers of the Company in the course of your employment or engagement. If so, the Company expects you to help meet its data protection obligations to those individuals.
Who has access to your personal information?
Your information will be shared internally with only those roles that need access to and have authority to access this information as part of their legitimate duties. This includes members of the HR team, your line manager, managers in the business area in which you work and IT colleagues if access to the data is necessary. RAC takes steps to ensure that access to your personal information is only given to those who need such access. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
RAC shares your data with third parties in order to obtain pre-employment references, background checks from third-party providers and necessary criminal records checks from the Disclosure and Barring Service. RAC may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
RAC also shares your data with third parties that process data on our behalf, e.g. in connection with payroll, the provision of benefits and the provision of occupational health services, or where this is required by law (to regulators and to government departments).
Where RAC uses external organisations to process personal information on its behalf, additional security arrangements are implemented in contracts with those organisations to safeguard the security of personal information.
RAC and our third party suppliers do not process any employee personal data outside of the EEA.
Your Legal Rights
You have a number of legal rights established by privacy law in relation to your personal information that you can choose to exercise at any time. To claim any of the rights listed below or to discuss any aspect of this please contact your line manager.
You have a right to:
- access personal data we process about you;
- obtain a description of the personal data, purposes of the processing, and persons we have shared your personal data with as well as to receive other supplementary information. We must provide this information to you within 30 days unless your request is complex in which case we may request an extension of this time period;
- object to us using your personal data for profiling and automated decision making.
This is defined as; automated processing of personal data, for example to analyse or predict aspects of performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
RAC does not, however, base employment decisions solely on automated decision making. Profiling is used, instead, to help inform the decision making process. If this changes we will inform you and if appropriate request your explicit consent to additional profiling purposes;
- rectify inaccurate information, in most cases you can do this simply by logging onto MyView, via the intranet, to access the self-service facility;
- restrict processing. If we fail to keep your information accurate or if you believe we are not processing your information lawfully you have the additional right of requesting us to cease processing your personal data for a period or until you are happy that we have met our legal obligation;
- erase your data (Right to be forgotten) if we no longer have a legitimate, legal or regulatory basis for processing it, you can request that we erase any personal data that can be used to identify you;
- port data to another data controller or to yourself in a structured, commonly used and machine-readable format.
We have provided a basic overview of those rights here, but if you'd like to find out more or exercise any of these rights you can contact email@example.com.
RAC takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by colleagues in the performance of their legitimate duties. These arrangements are underpinned by the following principles:
- You have a personal responsibility to ensure that you understand and comply with the requirements of this policy - we all have a role in the protection of personal information.
- If you have any queries or concerns about the protection and use of personal information, please raise them, in the first instance, with your manager or HR.
- Any concerns or queries about compliance with data protection legislation and the requirements of this policy should be referred to the Data Protection Officer ("DPO") - by email at firstname.lastname@example.org for guidance on reporting actual or suspected breach.
- Alternatively, you can report any concerns which you believe to be in the public interest about actual or suspected wrongdoing, by using the Whistleblowing Procedure - call 08000 922398 from any internal or external phone. If you wish to withhold your number and remain anonymous, please prefix the number with 141, i.e. 14108000 922398; or email email@example.com.
- In the development of any new procedure or amendment of existing procedure which has the potential to affect the processing or storage of personal information, a privacy impact assessment must be considered, and completed where appropriate, to ensure compliance with data protection principles and legislation.
- You are required to complete mandatory learning on matters relating to data protection and to undertake refresher training modules on an annual basis
- In order to safeguard against unauthorised access to RAC personal information:
- all data held in paper form must be stored securely in lockable cupboards and a clear desk policy maintained.
- documents containing personal information must be password protected in accordance with RAC password standards,
- Where RAC engages third parties to process personal data on our behalf, they must:
- provide assurance on the appropriateness of their arrangements as part of our due diligence checks and ongoing performance management and governance processes, and
- do so on the basis of written instructions, under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
After you leave our employment, we will retain your personal information for the purposes stated in line with our Data Retention Policy and in accordance with legal and regulatory requirements. We keep your information for no longer than is necessary for the purposes for which the personal information is processed. Further information on this can be requested from firstname.lastname@example.org.Marketing
We will not use your personal data for marketing purposes, the only exception to this maybe where you have specifically requested marketing information about any RAC products. You can change your mind at any time by selecting Unsubscribe at the bottom of any such emails.