The following policies have been drafted and introduced to the Handbook as part of the Organisation’s commitment to protecting any personal data / sensitive personal data under its control and the General Data Protection Regulation (GDPR).
The Data Protection Acts 1988 and 2003 (“the Acts”) provide rules which apply to the collection, use, disclosure and transfer abroad of information about individuals, which includes employee and customer personal data. The Acts set out the principles that The Donnelly Group must follow when processing personal data about individuals and also give individuals certain rights in relation to personal data that is held about them.
The aims of this policy are:
- To assist The Donnelly Group in meeting its obligations under the Acts.
- To regulate The Donnelly Group’s use of information relating to employees and others who work for The Donnelly Group; and
- To ensure that employees and others working for The Donnelly Group are aware of both their rights in relation to the personal data that The Donnelly Group holds about them, and their responsibilities as regards personal data they may process about customers and other individuals as part of their job.
For ease of reference, this policy refers to “employees”, but it applies equally to others working for The Donnelly Group.
Data Protection Principles
The Acts place an obligation on data controllers, such as The Donnelly Group, to observe the data protection principles. In summary these include that personal data must:
- Be obtained and processed fairly.
- Be used and disclosed for specified, explicit and legitimate purposes and not in any manner incompatible with those purposes.
- Be adequate, relevant and not excessive.
- Be accurate, complete and up-to-date.
- Not be kept for longer than is necessary for the purpose(s) for which it was obtained.
- Be processed in line with the rights given to individuals under the Acts.
- Be kept safe and secure; and
- Not be transferred to countries without adequate levels of data protection.
All employees have an obligation to comply with these principles where appropriate. Failure to comply could lead to disciplinary action up to and including dismissal.
What is Personal Data?
Personal data is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data processor. The data protection principles apply to any sort of personal data which is either electronically processed (e.g. on a database) or which is held or intended to be in a structured filing system (e.g. a set of personnel files).
Certain personal data is classified as “sensitive personal data”. This is personal data relating to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, physical or mental health, sexual life or any criminal offence or related proceedings. For example, The Donnelly Group may, where necessary in connection with employment, collect and process sensitive personal data in respect of your health.
The Donnelly Group Obligations
“Processing” includes the obtaining, recording, keeping and disclosing of data. Generally, processing of employee personal data may only be done with your consent. However, such consent is not required in certain circumstances, for example where the processing is necessary for compliance with a legal obligation or where the processing is necessary for the performance of a contract to which you are party e.g. your employment contract.
Nature of Employee Information
The Donnelly Group holds and processes certain information constituting personal data about you as part of its general employee records, which may include your address, contact details, payroll details, educational history, position, etc. Employee information is also held on HR and operational databases. In some cases, your manager might also hold employee information in their own files.
Sensitive personal data may include records of sickness absence, medical certificates and medical reports. The purpose of processing this type of information is generally to manage the application process, to administer benefit plans, to monitor and manage sickness absence and to comply with health and safety legislation. If sensitive personal data relating to you is being processed for reasons other than those set out above or otherwise permitted by law, your explicit consent will be sought.
Purpose of Processing General Employee Information
The Donnelly Group needs to collect and use personal data about employees for a variety of personnel, administration, work and general business management purposes. These include administration of the payroll system, pension scheme, life insurance, the administration of employee benefits (such as leave entitlements), facilitating the management of work and employees, carrying out appraisals, performance and salary reviews, operating and checking compliance with The Donnelly Group employment rules and policies, operating The Donnelly Group IT and communications systems, checking for unauthorised use of those systems and to comply with record keeping and other legal obligations.
Keeping Employee Information
The Donnelly Group will take steps to ensure that the employee information it holds is accurate and up-to-date. For example, you are asked to inform The Donnelly Group of any changes which we need to make to update your employee information (such as a change of address). From time to time you will be asked to supply updated personal information as part of a review of personal data held to ensure that The Donnelly Group meets its data protection obligations. The Donnelly Group will also take steps to ensure that it does not keep any information about employees for longer than is necessary.
Transfer of Employee Information
The Donnelly Group may make some information about you available to The Donnelly Group advisers and / or data processors such as lawyers, accountants, payroll administrators, benefits providers (for example, pension scheme providers), to those providing products or services to The Donnelly Group (such as IT and other outsourcing providers) and to government and / or regulatory authorities. These recipients may be located outside the European Economic Area. In such cases, The Donnelly Group will, as far as is possible, ensure that the recipients of the information, both within and outside The Donnelly Group, comply with the contents of this policy. Information about an employee may also be transferred to another company within the Group solely for the purposes connected with career development or the management of the business.
Your Rights under the Data Protection Rules
The Acts give you (and anyone else about whom personal data is held) specific rights in relation to the information that is held about you. Some of these rights are summarised below.
Under the Acts, you are able to:
- Obtain confirmation that The Donnelly Group holds personal information about you, as well as a written description of the information, the purposes for which it is being used, the sources of the information and the details of any recipients.
- Obtain access to the personal information which is held about you.
You may request, in writing, a copy of your personal information held by The Donnelly Group or any member of the Group by writing to the Human Resources Department.
It is important to note that this is not an absolute right to review all the information that is held about you, as there are various exceptions to this right contained in the Acts. These include:
- Where personal data is kept for the purpose of preventing, detecting or investigating offences and related matters; and
- Where the data is an expression of opinion about you given by another person in confidence.
In certain circumstances, you can ask for the deletion or rectification of information which we hold about you which is not accurate or request that your personal information be used for specific purposes.
Your Responsibilities under the Data Protection Rules
As well as having rights under the Acts, all employees, when processing personal data, must comply with the data protection rules set out in this policy. Failure to comply with the rules and requirements in relation to data protection may result in disciplinary action being taken against you up to and including dismissal.
Your Personal Information
In order to assist The Donnelly Group in ensuring that your personal information is kept up to date, you should inform your manager of any changes in the following information:
- Address and other contact details.
- Emergency contact name.
- Bank account details; and
- Marital status.
Personal Information Relating to Others
If, as part of your job, you hold any personal information about other employees of The Donnelly Group or about anyone else then you also need to take steps to ensure that you are following the guidelines set out below. Please note that the following guidelines apply equally to documents containing personal information which are kept in files, as well as information which is kept electronically:
- You should not keep personal information about people which you no longer need, or which is out of date or inaccurate. You should therefore review any personal information that you hold from time to time, bearing these principles in mind.
- All personal information must be kept securely and should remain confidential.
- If you receive a request from someone to give them any personal data about an employee (or other individual) you should refer them to your manager. The Donnelly Group needs to verify the identity of the person making such a request and has to balance various considerations when deciding whether and how to respond to such a request, including compliance with the Acts.
- Accessing, disclosing or otherwise using employee records or other personal data without authority will be treated as a serious disciplinary offence and may result in disciplinary action being taken in accordance with The Donnelly Group disciplinary procedure up to and including dismissal.
If you are unsure about the application of these guidelines to the information you hold as part of your job, you should contact your manager for further guidance.
The Donnelly Group may issue further guidance or make amendments to this policy from time to time which will be notified to you.
You acknowledge that The Donnelly Group possesses and will process personal data relating to you in accordance with the provisions set out in this policy.
The Donnelly Group reserves the right to take such action as it deems appropriate against users who breach the conditions of this policy. Donnelly Group employees who breach this policy may be subject to disciplinary action, up to and including dismissal as provided for in the Donnelly Group disciplinary procedure.
Review & Update
This policy will be reviewed and updated if necessary, to ensure that any changes to the Donnelly Group’s organisation structure and business practices are properly reflected in the policy.