Korian UK Ltd and Korian Real Estate UK Ltd (“we” or “Company”) are each a ‘controller’. This means that we are responsible for deciding how we hold and use personal information about you. In accordance with and as required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”) and the Data Protection Act 2018, we have implemented this privacy notice to inform you, our employees and workers, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data. This notice applies to current and former employees and workers. This notice does not form part of any contract of employment or other contract to provide services. We may (and reserve the right to) update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your personal information.
Data Protection Principles
Under the UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
g) we comply with the relevant UK GDPR procedures for international transfers of personal data
Types of Data Held
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation. Information about criminal convictions also warrants this higher level of protection. This is covered in a later section of this privacy notice.
We keep several categories of personal data on our employees in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each employee and we also hold the data within our computer systems, for example, our holiday booking system. Specifically, we collect, hold and use the following types of data about you, as appropriate to your status:
a) personal details such as name, title, address, phone numbers, personal email address and date of birth
b) name and contact details of your next of kin
c) your photograph and photographic ID
d) your gender, marital status and dependents, information of any disability you have or other medical information including vaccinations
e) right to work documentation
f) coronavirus vaccination status and information.
g) information on your race and ethnicity, religion or religious beliefs and sexual orientation for equality monitoring purposes
h) information gathered via the recruitment process such as that entered into a CV, application form or included in a CV covering letter
i) references from former employers and character references
j) details on your education and employment history
k) Nurse PIN number
l) National Insurance numbers
m) bank account details
n) tax codes
o) driving licence
p) criminal convictions and offences
q) information relating to your employment with us, including:
• job title and job descriptions
• your salary
• your wider terms and conditions of employment
• pension and benefits information
• trade union membership
• details of formal and informal proceedings involving you such as letters of concern, disciplinary and grievance proceedings, your annual leave records, appraisal and performance information
• internal and external training modules undertaken, including any professional qualifications or memberships you may hold
• information about your health, including any medical condition, health and sickness records
• information on time off from work including sickness absence, annual leave, and family related leave
• information in relation to any shares you have as part of our employee shareholding scheme, KORUS
r) CCTV footage
s) building access records
t) IT equipment use including telephones and internet access
u) Images and videos for marketing purposes.
Collecting Your Data
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment in the course of job-related activities throughout the period of you working for us. In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies. Personal data is kept in files or within the Company’s HR and IT systems.
Lawful Basis for Processing
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement; where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; or in order to effectively manage the employment contract we have with you, including ensuring you are paid correctly. We may also use your personal data where we need to protect your (or someone else’s) interests; or where it is needed in the public interest or for an official purpose. The information below categorises the types of data processing, appropriate to your status, we undertake and the lawful basis we rely on:
|Activity requiring your data||Lawful basis|
|Carry out the employment contract that we have entered into with you e.g. using your name, contact details, education history, information on any disciplinary, grievance procedures involving you||Performance of the contract|
|Ensuring you are paid||Performance of the contract|
|Ensuring tax and National Insurance is paid and pension deductions are taken where required||Legal obligation|
|Carrying out checks in relation to your right to work in the UK||Legal obligation|
|Making reasonable adjustments for disabled employees||Legal obligation|
|Carrying out checks to evidence Coronavirus Vaccination status and boosters||Our legitimate interests (recruitment of employees and workers and risk management of COVID-19)|
|Making recruitment decisions in relation to both initial and subsequent employment||Our legitimate interests (recruitment and promotion of employees and workers)|
|Using DocuSign or other electronic means to send/receive documents and information using your personal email address relating to the recruitment process and other employment documentation||Our legitimate interests (recruitment of employees and workers to provide support, care and assistance to both residents and the business as a whole)|
|Making decisions about salary and other benefits||Our legitimate interests (to ensure that employees and workers are receiving the pay or other benefits to which they are entitled)|
|Ensuring efficient administration of contractual benefits to you||Our legitimate interests (to ensure that employees and workers are receiving the pay or other benefits to which they are entitled)|
|Effectively monitoring both your conduct, including timekeeping, attendance and your performance, using online HR, payroll and talent management systems via ‘Access’, ‘Coolcare’ and ‘Talentsoft’, and our Whistleblowing system ‘Integrity’ to do so, and to undertake procedures where necessary including seeking the advice of our external employment-law advice service||Our legitimate interests (operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management)|
|Maintaining comprehensive up to date personnel records about you, on our HR information system, time and rostering system, and personnel files, to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained||Our legitimate interests (maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rights)|
|Implementing grievance procedures||Our legitimate interests (operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace)|
|Assessing training needs and the administration of our learning platforms, digital apprenticeship service, and resources (using your personal email address relating to these processes) including our e-learning/learning management system, talent development platform, qualifications, distance learning, external and internal training||Our legitimate interests (operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management)|
|Implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments||Our legitimate interests (operate and keep a record of types of absence and absence management procedures to allow effective workforce management and to ensure that employees and workers are receiving the pay or other benefits to which they are entitled)|
|Gaining expert medical opinion when making decisions about your fitness for work via occupational health or GP medical reports||Our legitimate interests (operate occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet our obligations under health and safety law and ensure that employees are receiving the pay or other benefits to which they are entitled).|
|Managing statutory leave and pay systems such as maternity leave and pay etc||Our legitimate interests (operate and keep a record of types of leave (including maternity, paternity, adoption, parental and shared parental leave) to allow effective workforce management, to ensure we comply with our duties in relation to leave entitlement and to ensure that employees and workers are receiving the pay or other benefits to which they are entitled)|
|Business planning and restructuring exercises||Our legitimate interests (for business efficacy, succession planning and workforce management)|
|Dealing with legal claims made against us||Our legitimate interests (respond to and defend against legal claims)|
|Preventing fraud||Our legitimate interests (to prevent fraud and other illegal activity)|
|Ensuring our administrative and IT systems are secure and robust against unauthorised access||Our legitimate interests (to ensure adequate security of IT systems and compliance with data protection and confidentiality requirements)|
|The administration of our employee benefit and engagement schemes such as BAPPreciated Rewards, Care Friends, the Employee Assistance Programme, Winningtemp, Cycle to Work Scheme, Hardship Fund and Employee-Shareholding Scheme KORUS (using your personal email address relating to these processes)||Our legitimate interests (to ensure that employees and workers are receiving the pay|
|Carrying out Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC) checks, and where needed making referrals to the Disclosure and Barring Service (DBS), Nursing and Midwifery Council (NMC), Local Safeguarding Authorities and the Care Quality Commission (CQC), when required||Legal Obligation|
|The administration of our online policies and procedures portal, QCS||Our legitimate interests (for business efficacy and adherence to regulations and legislation)|
|Assessing information relating to leavers including exit interviews and turnover analysis||Our legitimate interests (operate and keep a record of employee feedback, and for succession planning and workforce management)|
|Providing employment references to prospective employers, when our name has been put forward by the employee or worker/ex-employee or ex-worker, to assist with their effective recruitment decisions||Legitimate interest of the prospective employer (recruitment and promotion of employees and workers)|
|Gathering feedback and comments from you for the purposes of effective employee engagement, by way of surveys and pulse surveys||Our legitimate interests (Operate and keep a record of feedback for engagement and workforce management purposes)|
|Operating CCTV in communal interior and exterior areas of our care homes||Our legitimate interests (as part of safety management, and resident risk management)|
|Complying with health and safety obligations||Legal Obligation|
Where we rely upon legitimate interest as a reason for processing personal data, we have considered whether or not those interests are overridden by the rights and freedoms of employees or workers and have concluded that they are not.
Special Categories of Personal Data
Special categories of personal data are data relating to your:
b) sex life
c) sexual orientation
e) ethnic origin
f) political opinion
h) trade union membership
i) genetic and biometric data.
These special categories of personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We may process special categories of data when the following applies:
a) in limited circumstances, where you have given explicit consent to the processing.
b) we must process the data in order to carry out our legal obligations or exercise rights in connection with employment.
c) we must process data for reasons of substantial public interest, such as for equal opportunities monitoring or in relation to an occupational pension scheme.
d) where it is necessary to protect you or another person from harm.
e) where it is needed in relation to legal claims
f) where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
g) you have already made the data public.
In general, we will not process particularly sensitive personal data about you unless it is necessary for performing or exercising obligations or rights in connection with employment.
On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so. The situations in which we will process your particularly sensitive personal information are listed below:
a) We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting, and to maintain and promote equality in the workplace.
b) We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay and pensions. We need to process this information to exercise rights and perform obligations in connection with your employment.
c) If we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being.
d) We will use trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations
We do not need your consent if we use special categories of your personal information to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.
Failure to Provide Data
Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract of employment with you. This could include being unable to offer you employment, or administer contractual benefits (such as paying your wages or providing a benefit). We may also be prevented from complying with our legal obligations, such as to ensure the health and safety of our employees and workers.
Criminal Conviction Data
We envisage that we will hold information about criminal convictions. We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage; however, it may also be collected during your employment. We use criminal conviction data to determine your suitability, or your continued suitability, for the role. We rely on the lawful basis of a legal obligation and legitimate interests (to ensure that our recruitment practices help us attract and retain suitable employees and workers to provide care and support to our residents and their families) to process this data. We have in place appropriate safeguards which we are required by law to maintain when processing such data.
Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who We Share Your Data With
We will share your personal data where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. Employees within our company who have responsibility for recruitment, administration of payment and contractual benefits and the carrying out of performance-related procedures will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processed in line with the UK GDPR.
Data is shared with third parties for the following reasons:
• With our external Payroll Company to administer payroll (performance of the contract)
• With our Employment Law and Health and Safety advisors to advise us on employment law and health and safety related matters (legitimate interests)
• With our external Occupational Health Provider in order to assess and seek guidance on employees’ health and wellbeing (legitimate interest)
• With our Qualification providers in order to enrol you into a qualification and access funding (legitimate interests)
• With our benefit and engagement providers in order to administer our employee benefits to you and gather your feedback (legitimate interests)
• With CQC inspectors, Local Authority Safeguarding Teams, the Police, the Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC) in order to comply with a legal obligation upon us.
• For audit purposes, the Company Statutory Auditors will review information containing personal information in order to comply with a legal obligation upon us
• With HMRC for payroll purposes in order to comply with a legal obligation upon us
• With Insurance companies for any claims made (legitimate interests)
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. Where your personal data is shared in the context of a Company sale or restructure, we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, or in order to provide services to us.
All our third-party service providers and other entities in the Company group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will transfer the personal information we collect about you to countries within the European Economic Area in order to perform our contract with you. There are adequacy regulations in respect of those countries within the European Economic Area. This means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.
Protecting Your Data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
This notification will be made without undue delay and may, dependent on the circumstances, be made after the supervisory authority is notified.
The following information will be provided when a breach is notified to the affected individuals:
a) A description of the nature of the breach
b) The name and contact details of the data protection officer where more information can be obtained
c) A description of the likely consequences of the personal data breach
d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, which will be at least for the duration of your employment with us though in some cases we will keep your personal data for a period after your employment has ended. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Some data retention periods are set by the law. Retention periods can vary depending on why we need your personal data, as set out below:
|Record||Statutory Retention Period|
|Children/young adults||Until the child reaches 21|
|Retirement Benefits Schemes||6 years from the end of the scheme year|
|Statutory Maternity Pay (calculations, certificates, medical evidence)||3 years after the end of the tax year in which the period ends|
|Wage/salary (overtime, bonuses, expenses)||6 years|
|National Minimum Wage||3 years after the end of the consequent pay reference period|
|Working hours||2 years after they are made|
|Application forms and interview notes||6 months to a year|
|Assessments under health and safety regulations and records of consultations with safety representatives and committees||Permanently|
|Parental leave||Until child is 18 (birth/adoption)|
|Contributions to Pension plans||6 years|
|Personnel files, training records (disciplinary records, working time records)||6 years after end of employment|
|Redundancy details, calculations of payments, refunds, notification to the Secretary of State||6 years after date of redundancy|
|Statutory Sick Pay records, calculations, certificates, self-certificates||at least 3 months after the end of the period of sick leave, but 6 years after the employment ceases advisable|
|Time cards||2 years after audit|
|Trade Union agreements||10 years after end|
|Works Council minutes||Permanently|
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with the above table and any applicable laws and regulations.
Automated Decision Making
Automated decision-making means making a decision about you using no human involvement e.g. using computerised filtering equipment. We are allowed to use automated decision-making in the following circumstances:
1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights. If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Data Subject Rights
Under certain circumstances, you have the following rights in relation to the personal data we hold on you:
a) the right to be informed about the personal data we hold on you and what we do with it;
b) the right of access to the personal data we hold on you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
c) the right for any inaccuracies in the personal data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
d) the right to have personal data deleted or removed in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing. This is also known as ‘erasure’;
e) the right to restrict the processing of the personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
f) the right to transfer the personal data we hold on you to another party. This is also known as ‘portability’;
g) the right to object to the inclusion of any personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes; and
h) the right to regulate any automated decision-making and profiling of personal data.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing.
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.
Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with, and an explanation of the reason will be provided.
Where you have provided consent to our collection, processing or transfer of your personal data for a specific purpose, you also have the right to withdraw that consent at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will stop processing your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Making a Complaint
If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
Data Protection Compliance
We have appointed a Data Protection Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Officer.
Our Data Protection Officer is:
• Leah Smith
• Chief HR Officer
• 07826 133549