Harmeny is committed to protecting privacy and the security of your personal data.
Data protection law requires us, as a ‘controller’ of personal data, to provide this privacy policy, which applies to prospective, current, and former staff, including applicants or candidates for work, employees, sessional workers, and contractors.
It does not form part of any contract of employment, contract of service, or contract to provide services.
This policy explains who we are, what we collect, how we collect it, how we use and store your personal data, the purpose for which it is collected, with whom we share it, and what rights you have in relation to our handling of personal data. It applies to all personal data that we process about you.
Read and retain this policy so that you understand how we use your personal data during and after your working relationship with us, or when applying to work with us.
It is important that you read this policy, together with any additional privacy information that we may provide on specific occasions when we are collecting or processing personal information about you, so that you understand how and why we are using information and your rights.
It is also important that the personal data that we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
Data protection compliance is overseen by our Head of HR. If you have any questions about how we handle your personal data, about this policy, or want to exercise any of the rights described below, you can get in touch with us in the following ways:
- Call 0131 449 3938
- Email admin@harmeny.org.uk
- Write to: Harmeny Education Trust, Mansfield Road, Balerno, EH14 7JY
We may update or change this privacy policy from time to time. If we make any significant changes in the way that we treat your personal information, we will make this clear on the Harmeny website. We may also notify you in other ways from time to time about the processing of your personal data.
1. WHO WE ARE
Harmeny Education Trust Limited (referred to as ‘Harmeny’, ‘we’, ‘our’ in this document) is a registered Scottish Charity (No SC024256), and a company limited by guarantee (Reg No SC162021). Our registered office is Harmeny School, Mansfield Road, Balerno, EH14 7JY.
We are committed to protecting your personal information. This privacy policy states how we collect it, how we store it and how we use it, in line with the law.
Information we collect will be used only in accordance with data protection laws, including the Data Protection Act 2018 (“DPA 2018”), the UK General Data Protection Regulation (“UK GDPR”) together with all applicable legislation, regulations, guidance, and codes of practice in force from time to time relating to the processing of personal data and the privacy of individuals in the UK (together, the “data protection laws”).
We comply with data protection law, which requires that personal data about you must be:
- used lawfully, fairly and in a transparent way;
- collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes (purpose limitation);
- relevant for the purposes we have told you about and limited to only what is necessary for those purposes (data minimisation);
- accurate and where necessary kept up to date (accuracy);
- not kept for longer than necessary (storage limitation);
- kept securely (security, integrity and confidentiality);
- not transferred to another country without appropriate safeguards in place (transfer limitation).
When we collect your personal data, we will respect your privacy and collect only the information that we need. We ensure personal data is retained securely until it is no longer required and then securely deleted.
2. HOW WE COLLECT YOUR PERSONAL DATA
We collect personal data about prospective or current staff, which includes employees, workers, and contractors. Initially, this is done through our recruitment processes, where information is collected either directly from applicants or candidates (for example when submitting data through our online recruitment system) or sometimes indirectly from third parties such as recruitment agencies, head-hunters or consultants, background check providers, and referees. We may collect it through interviews or other forms of assessment.
We may sometimes collect additional data from third parties, including former employers, credit reference agencies and HMRC, and other background check agencies such as Disclosure Scotland. Harmeny will normally seek information about you from third parties only when we’ve made you an offer of work.
We collect additional personal data during the course of your work for us, including information passed to us from individuals and third parties with whom you interact and engage. We may also collect personal data from the trustees or managers of pension arrangements.
Technical data may be collected at work using our equipment and software through automated technologies or interactions. Please see our website privacy policy and cookie policy for more information about what automated technologies operate on our website.
3. THE TYPES OF PERSONAL DATA ABOUT YOU THAT WE USE
Personal data means any information about an individual from which that person can be identified. It does not include information from which the person’s identity has been removed (anonymous data).
We may collect, store and use the following categories of personal data about you:
- Identity data: first name, last name, any previous names, marital status, title, date of birth, and gender.
- Contact data: addresses, telephone numbers, personal email addresses, and emergency contact information.
- Family data: dependants and next of kin.
- Recruitment data: copies of right to work documentation, copy of passport or other photo ID, copy of driving licence, copy of proof of address documentation (for example, bank statement or utility bill), references, and information included in a CV or cover letter or as part of the application process.
- Employment status check data: results of HMRC employment status check and details of your interest in and connection with the intermediary through which your services are supplied.
- Financial and tax data: National Insurance number, bank account details, payroll records and tax status information, salary, pension and benefits information, and compensation history and conflict of interest or gift declarations.
- Employment data: start date (and, if different, start date of continuous employment), location of employment or workplace, leaving date and reason for leaving, employment records (including contracts, photographs, job titles, work history, working hours, working arrangements (office-based, hybrid, remote), holidays and other types of leave, training records and professional memberships), a copy of any relevant insurance policies, performance information and disciplinary and grievance information.
- Monitoring data: information about your use of our information and communications systems.
- Image data: images, including digital images and photographs, and video recordings.
We may also collect, store and use the following special category data:
- Race, religion, beliefs, and sexual orientation: information about your race or ethnicity, religious or philosophical beliefs, sexual orientation, and political opinions.
- Trade union membership.
- Health and medical: information about and connected with your health, any medical condition or disability, including:
  - sickness absence records;
  - accident at work records;
  - tailored adjustment records; and
  - correspondence with and information provided to and received from an occupational health service and other medical health professionals.
We may collect, store, and use criminal offence data about you. This is information about criminal convictions and offences, including information relating to the alleged commission of offences, proceedings for an offence committed (or alleged to have been committed) and the disposal of those proceedings, including sentencing.
You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide Harmeny with information, we may not be able to process your application properly, or at all, or offer you employment.
You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information. The interview panel will not have access to this information, except for any HR representative.
If any of the information you provided to us changes, let us know so that we can ensure that all the information we hold about you is accurate and up to date.
4. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to.
Most commonly, we will use your personal data in reliance on:
- Legal obligation. Where we need to use your personal data to comply with a legal or regulatory obligation (for example, checking an individual’s right to work in the UK). For some roles, Harmeny is obliged to seek information about criminal convictions and offences. This is necessary to fulfil legal obligations, particularly in relation to child safeguarding.
- Contract performance. Where we need to process your personal data to enter into a working agreement or contract with you, or to perform an agreement or contract that we have entered into with you.
- Public interest. Where it is needed in the public interest or for official purposes.
- Legitimate interests. Where we need to use your personal data for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests, for example to monitor recruitment statistics. We consider any potential impact on you and your rights when determining whether we can process your personal data for our legitimate interests. It also includes where use of personal data is necessary for:
  - protecting the physical, mental, or emotional wellbeing of a vulnerable individual or protecting that individual from physical, mental, or emotional harm;
  - detecting, investigating or preventing crime, or apprehending or prosecuting an offender.
We do not use your personal data in situations where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Less commonly, we may need to process your personal data in emergency situations when it is in your vital interests or those of another person.
Situations in which we will use your personal information are in the table below.
Starting work
| Purpose/Use | Type of data | Lawful basis |
| HR records: setting up your staff record including creation of your profile on internal systems such as our staff directory and database, and issuing staff passes (with your image) to access our secure premises | Identity data, Image data, Contact data, Family data, Recruitment data, Employment status check data, Financial and tax data, Employment data, Monitoring data | Contract performance, Legal obligation |
| Right to work (confirming entitlement to work in the UK) | Identity data, Contact data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
| Employment status: determining whether your engagement is deemed employment for the purposes of Chapter 10 of Part 2 of the Income Tax (Earnings and Pensions) Act 2003 and providing you with a status determination statement in accordance with the applicable provisions of that Act | Identity data, Contact data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
Performance of duties
| Purpose/Use | Type of data | Lawful basis |
| Digital images and video may be captured of you during your duties to document the lives of our young people for recording and reporting purposes and helping mark and celebrate key moments and progress made by our young people across our campus. | Identity data, Image data | Legitimate interests, Contract performance |
| Electronic and visual records of you may be made available to service users in their personal ‘memory boxes’ and to document their time at Harmeny. | Image data | Legitimate interest |
| Identity data such as name, qualifications, membership details of General Teaching Council/SSSC may be shared with third parties for reporting/regulatory purposes, e.g. with the Scottish Government and local authorities. | Identity data | Contract performance, Legal obligation |
Managing your contractual entitlements (pay, pensions, other benefits and leave)
| Purpose/Use | Type of data | Lawful basis |
| Pay: paying you and, where required, deducting tax and National Insurance contributions (NICs) | Identity data, Contact data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
| Salary and compensation: making decisions in salary reviews and in relation to other forms of compensation | Recruitment data, Financial and tax data, Employment data | Contract performance |
| Pension enrolment: enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties | Identity data, Contact data, Family data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
| Pension arrangements: liaising with the trustees or managers of any pension scheme or arrangement, or your pension provider | Identity data, Contact data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
| Benefits: providing and administering the following benefits to you including, where necessary, liaising with the benefit providers: Life assurance | Identity data, Contact data, Family data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance |
| Annual leave: administering your annual leave entitlement and your entitlement to any other forms of leave whether provided by law or under the terms of your contract with us | Identity data, Recruitment data, Financial and tax data, Employment data | Contract performance, Legal obligation |
Managing our working relationship with you
| Purpose/Use | Type of data | Lawful basis |
| Contract, policies and procedures: administering the contract we have entered into with you and the policies and procedures set out in our staff handbook as they apply to you from time to time | Identity data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
| Qualifications and skills: assessing qualifications and skills for a particular job or task, including decisions about promotions | Identity data, Recruitment data, Employment data | Contract performance |
| Education, training and development requirements | Recruitment data, Employment data | Contract performance |
| Performance: conducting performance reviews, managing performance and determining performance requirements | Employment data | Contract performance |
| Grievance and disciplinary: investigating and conducting proceedings in relation to grievance or disciplinary issues raised by or concerning you | Employment data | Contract performance, Legal obligation |
| Working arrangements: making decisions about your working arrangements and your continued employment or engagement | Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
| Termination: making arrangements for the termination of our working relationship | Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation |
| Legal disputes: dealing with any legal disputes we have with you | Identity data, Contact data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Contract performance, Legal obligation, Legitimate interests |
Monitoring
| Purpose/Use | Type of data | Lawful basis |
| Network and information security: ensuring network and information security, including prevention of unauthorised access to our computer and electronic communications systems and prevention of malicious software distribution | Identity data, Contact data, Employment data, Monitoring data | Contract performance, Legal obligation, Legitimate interests |
| Communication systems: monitoring use of our information and communication systems to ensure compliance with our IT policies | Identity data, Contact data, Employment data, Monitoring data | Contract performance, Legal obligation, Legitimate interests |
| Physical access: monitoring and controlling access to office premises | Identity data, Recruitment data, Contact data, Employment data, Monitoring data | Contract performance, Legal obligation, Legitimate interests |
Wider workforce management
| Purpose/Use | Type of data | Lawful basis |
| Business management and planning, including accounting and auditing | Recruitment data, Employment status check data, Financial and tax data, Employment data, Monitoring data | Contract performance, Legal obligation |
| Reorganisations (which may include sale, mergers or acquisitions of other organisations) | Identity data, Recruitment data, Employment status check data, Financial and tax data, Employment data | Legal obligation, Legitimate interests |
| Data analytics: conducting data analytics studies to review and better understand employee retention and attrition rates | Identity data, Recruitment data, Financial and tax data, Employment data, Monitoring data | Legitimate interests |
| Equal opportunities monitoring | Identity data, Family data, Recruitment data, Employment data, Monitoring data | Legal obligation |
| Health and safety: compliance with health and safety obligations | Employment data, Monitoring data | Contract performance, Legal obligation, Vital interests |
| Workplace incidents: dealing with workplace accidents and emergencies | Employment data, Monitoring data | Legal obligation, Vital interests |
| Fraud or crime prevention | Identity data, Contact data, Family data, Recruitment data, Employment status check data, Financial and tax data, Employment data, Monitoring data | Legal obligation, Vital interests |
| Legal disputes: dealing with legal disputes involving other employees, workers and contractors or clients, service users and suppliers | Identity data, Contact data, Recruitment data, Employment status check data, Financial and tax data, Employment data, Monitoring data | Legal obligation, Legitimate interests |
Promotional and marketing
| Purpose/Use | Type of data | Lawful basis |
| Marketing and promotion: sharing of your image, employment story and experiences at Harmeny via digital images, video, blogs or articles in printed and digital materials, on our or third-party websites, external presentations and social media to help promote our services, contribute to wider sector learning or aid marketing campaigns such as fundraising or recruitment. | Identity data, Image data | Consent |
5. HOW WE USE YOUR SPECIAL CATEGORY DATA
We only use your special category data when, in addition to having a lawful basis that is required to process personal data (referred to previously in this policy), there is an additional ground that permits us to do so. Those additional grounds include:
- Employment law. When using your special category data is necessary for carrying out rights and obligations in connection with employment law.
- Legal claims. When using your special category data is necessary for establishing, exercising or defending legal claims.
- Substantial public interest. When using your special category data is necessary to undertake matters deemed to be of substantial public interest. These include equal opportunities monitoring, preventing or detecting unlawful acts, protecting the public against dishonesty, compliance with regulatory requirements in relation to unlawful acts, provision of confidential counselling and in relation to our occupational pension scheme.
- Assessment of working capacity. When using your special category data is necessary for the assessment of your working capacity by a health professional.
- Vital interests (incapacity). When using your special category data is necessary to protect your vital interests, or someone else’s vital interests, in circumstances in which you may be physically or legally incapable of giving consent.
Race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions
| Purpose/Use | Lawful basis | Additional ground |
| Equal opportunities monitoring | Contract performance, Legal obligation | Employment law, Legal claims, Substantial public interest |
| Equalities reporting | Legal obligation | Substantial public interest |
| Disciplinary and grievances issues | Contract performance, Legal obligation, Legitimate interests | Employment law, Legal claims |
| Legal disputes | Legal obligation, Legitimate interests | Legal claims |
Trade union membership
| Purpose/Use | Lawful basis | Additional ground |
| Payment of trade union subscriptions | Contract performance, Legal obligation | Employment law, Legal claims |
| Communications: with your trade union, its officials and representatives | Contract performance, Legal obligation | Employment law, Legal claims |
| Exercise of your rights: as a trade union member or trade union representative | Contract performance, Legal obligation | Employment law, Legal claims |
| Disciplinary and grievances issues | Contract performance, Legal obligation | Employment law, Legal claims |
| Industrial action | Contract performance, Legal obligation | Employment law, Legal claims |
| Legal disputes | Contract performance, Legal obligation | Employment law, Legal claims |
Health and medical information
| Purpose/Use | Lawful basis | Additional ground |
| Assessment of fitness to work | Contract performance, Legal obligation, Legitimate interests, Vital interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Sickness absence management | Contract performance, Legal obligation, Legitimate interests, Vital interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| In relation to reasonable adjustments | Contract performance, Legal obligation, Legitimate interests, Vital interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Benefit administration: to administer benefits relating to your health, medical condition or disability including contractual and statutory sick pay | Contract performance, Legal obligation, Legitimate interests, Vital interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Health and safety: to ensure health and safety at work | Contract performance, Legal obligation, Legitimate interests, Vital interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Wellbeing: to protect your physical, mental, or emotional wellbeing or that of another person | Contract performance, Legal obligation, Legitimate interests, Vital interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Health-related departures: if you leave employment for health-related reasons, to make any applications for pensions | Contract performance, Legal obligation, Legitimate interests, Vital interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Ill-health pension entitlement: to determine any entitlement to an ill-health pension under a pension arrangement operated by us | Contract performance, Legal obligation, Legitimate interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Disciplinary and grievances issues | Contract performance, Legal obligation, Legitimate interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
| Legal disputes | Contract performance, Legal obligation, Legitimate interests | Employment law, Legal claims, Substantial public interest, Assessment of working capacity, Vital interests (incapacity) |
6. HOW WE USE YOUR CRIMINAL OFFENCE DATA
You will have been given information about whether any criminal records checks were required for your role when you applied to work for us. If any further checks are required, for example, due to a change in the law or a change in your role, we will advise you.
We only use your criminal offence data when, in addition to one of the grounds that is required to process personal data (referred to previously in this policy), there is a further ground that permits us to do so. The further grounds on which we may make use of criminal offence data include:
- Employment. When processing criminal offence data is necessary to perform or exercise obligations or rights which are imposed or conferred by law either on us or on you in connection with employment.
- Legal rights. When processing criminal offence data is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
- Deemed substantial public interest. When processing criminal offence data is deemed to be of substantial public interest because it concerns preventing or detecting unlawful acts or protecting the public against dishonesty or because it concerns compliance with regulatory requirements in relation to unlawful acts.
| Purpose/Use | Lawful basis | Additional ground |
| Necessary for your role | Contract performance, Legal obligation | Employment, Legal rights, Deemed substantial public interest |
| Criminal offences during employment: where criminal offence data is brought to our attention during the course of your work for us (for example, if you are charged with a criminal offence) whether relating to events at or outside work | Contract performance, Legal obligation | Employment, Legal rights, Deemed substantial public interest |
| Disciplinary and grievances issues | Contract performance, Legal obligation | Employment, Legal rights, Deemed substantial public interest |
| Legal disputes | Contract performance, Legal obligation | Employment, Legal rights, Deemed substantial public interest |
If you fail to provide certain data when requested, we may not be able to perform the contract that we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
We will use your personal data only for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
7. WHEN WE WILL SEEK CONSENT
We do not need your consent if we process your personal data in accordance with this policy, having a lawful basis, for example to carry out our legal obligations as described above.
In limited circumstances, we may approach you for consent to allow us to use or share personal data. If we do so, we will provide you with full details of the data that we would like to use and the reason for doing so, to allow you to carefully consider whether you wish to consent.
We may seek your consent for purposes such as using images and video of you for marketing purposes, or to assist in fundraising. It should be noted, however, that we will not always need consent to use your image, where we are allowed to do so for other reasons, as described in this policy.
8. AUTOMATED DECISION-MAKING
Automated decision-making is the process of making decisions by automated means without any human involvement.
We do not make decisions about you based solely on automated processing that would have legal, or similarly significant, effects for you. We will notify you if this position changes.
9. OUR USE OF ARTIFICIAL INTELLIGENCE (AI)
We are committed to using artificial intelligence thoughtfully and responsibly, with the dual aim of helping us work more efficiently while safeguarding ourselves, the children and young people we support and the data we hold from the risks that AI can pose when not used properly. Use of AI will have appropriate human oversight with humans being responsible for making all final decisions on their output.
We use AI tools to enhance efficiency and protect privacy e.g. creating first drafts of summary reports, data analysis, amending images to protect privacy when used in a public space.
Personal, sensitive and confidential data will only be used within pre-approved AI tools that do not share data outwith our systems.
10. DATA SHARING
In certain circumstances, we need to share your personal data with other third parties, including partners and service providers.
As part of the recruitment process, we may need to share your data with third parties in order to conduct any necessary background checks and vetting processes, such as contacting previous employers/referees to obtain a reference, and/or Disclosure Scotland to conduct criminal record checks. As part of the recruitment process, we will make clear to you which checks will be required and at what stage of the process.
Any disclosures or data sharing will be done in accordance with the law or relevant contractual arrangements. All other third parties are required to take appropriate security measures to protect your personal data. We only permit them to process your personal data for specified purposes and in accordance with our instructions. They are not allowed to use your personal data for their own purposes.
We may also share staff personal data with the following:
- Local authorities
- Scottish Government
- Social services or child protection services
- Healthcare providers, including doctors, emergency services and first aid providers, and other medical practitioners
- Organisations with whom we need to share information for safeguarding reasons
- Regulatory bodies, external auditors or inspectors, such as the Care Inspectorate, HMIe, and the HSE – for ensuring compliance and the safety and welfare of service users. This would include the Office of the Scottish Charities Regulator (OSCR), Companies House, and HM Revenue & Customs
- Professional bodies such as the Scottish Social Services Council and the General Teaching Council for Scotland
- Any relevant accreditation body or trade association for the purpose of obtaining and maintaining accreditation standards
- Any organisation or individuals we are legally obliged to share personal information with, for example by a court order, such as any law enforcement agency, or other relevant governmental or regulatory authority, Police Scotland, external investigators and/or the Procurator Fiscal, in relation to any suspected or alleged fraudulent or criminal activity
- Governmental and judicial authorities, such as the courts and tribunals in the event of investigation or prosecution of crime or legal claims.
- Third-party service providers who provide catering, event management, excursion or other services.
- Credit reference agencies and fraud prevention agencies
- Professional advisers including bankers, accountants, legal advisors, auditors and insurers who provide consultancy, banking, insurance, legal advice and accounting services.
- Researchers, providers of statistical or analytical services – for reviews, planning and assessment (and we will in such cases anonymise all data where possible prior to sharing).
We will share your personal data with service providers (including contractors and designated agents) who carry out the following functions:
- pension administration
- benefits provision and administration
- IT security and IT services
- finance systems, such as payment cards
- survey providers to conduct staff surveys and questionnaires relating to your employment at Harmeny
- database and CRM providers for administration of our supporter, HR, and children’s database
- design software, such as Canva, to provide access to their services or to generate marketing materials (all marketing materials utilising your image or data will only be created with your consent)
- learning management systems providing online training
- training providers
We may also share your data with prospective employers, e.g. as part of providing a reference.
We may also need to share your data with third party providers of online tools such as social media providers, if relevant for your role, to give access rights to information within our social media accounts.
We may need to share your personal data with other third parties as part of any merger, acquisition, sale or restructure.
We may need to share your personal information with a regulator to comply with the law. For example, we may share data with the Scottish Social Services Council and/or the General Teaching Council for Scotland and the Care Inspectorate for regulatory purposes. Sharing for regulatory purposes may also include making returns to HMRC and disclosures to shareholders such as remuneration reporting requirements.
Images captured during your time at Harmeny (i.e. digital photos and video) may also be shared with our young people as part of their ‘memory books’ given to them when they leave Harmeny. These books and images are only for their personal use and are not to be shared more widely.
11. CROSS-BORDER DATA TRANSFERS
We may transfer your personal data outside the UK in limited situations.
When we transfer data to service providers that carry out certain functions on our behalf, it may involve transferring personal data to countries which have laws that do not provide the same level of data protection. We ensure a similar degree of protection is afforded by ensuring that the following safeguards are in place:
In most cases, we will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data. For example, we use Microsoft Office 365, a multi-tenant cloud service, for our internal office use. This means that internal documents and information generated by us are stored in cloud services hosted within the European Economic Area (EEA) which the UK government considers to have adequate equivalent protections.
However, in some limited cases, we may use service providers that process and/or store data outside of the EEA. In these cases, we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your information, for example, by entering into a contract that includes specific standard contractual terms approved for use in the UK which give similar protections, namely the International Data Transfer Agreement or The International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers.
12. DATA SECURITY
We have implemented appropriate security measures to protect your personal information against accidental loss and unauthorised access, use, alteration, or disclosure.
We impose controls for access to employee data based on business requirements and in accordance with the relevant lawful bases for processing. Any party with access rights will only process your personal information in accordance with applicable data security policies and procedures, relevant employee obligations or third-party contractual terms.
Your personal information will be stored, securely, on our recruitment systems, in our employee database (if you are appointed) and in your employee file (if you are appointed).
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
13. DATA RETENTION
We will only retain your personal information in accordance with applicable laws, regulatory requirements or for as long as necessary to fulfil the purposes for which we collected it, as set out in our Data Retention Policy.
In some circumstances, you can ask us to delete your personal information.
Personal information about unsuccessful candidates or applicants for work, including those who have not been shortlisted and those who have been unsuccessful at interview, will be held for up to one year after the recruitment exercise has been completed, and will then be destroyed unless the candidate asks us to keep their information for longer.
Interview notes for all unsuccessful applicants are destroyed after six months.
We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
If you set up an account on our online recruitment system, we will hold your data on file until you delete your account, when your data will be deleted and destroyed.
Equality monitoring information will be retained for up to three years to allow us to comply with our reporting obligations to the government.
If your application is successful, personal data gathered during the recruitment process will be transferred to your personnel file and will be processed and retained in accordance with your employment contract and other applicable data retention guidance.
Once you are no longer working for Harmeny, we will retain and securely destroy your personal information in accordance with our Data Retention Policy and any applicable legal requirements.
14. YOUR RIGHTS IN RELATION TO YOUR PERSONAL INFORMATION
You have the following rights under data protection laws:
- Request access to your personal information (commonly known as making a data subject access request). We will provide you with copies of your personal information and other information, such as where we got the information from and who we have shared it with.
- Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Head of HR. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so.
If you want to exercise any of these rights, please contact the Head of HR in writing.
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific data from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
15. QUESTIONS OR COMPLAINTS
You have the right to make a complaint about anything regarding the processing, storage or retention of your data. To do so, please contact us using the contact details provided above and we will respond within 30 days of receipt.
Version 2 Published 11 March 2026