Employee Privacy Notice

Plan Communications Limited (“Plan”, “we”, “us” or “our”) and all of the other entities in the Plan Group are committed to ensuring that the personal data of our employees is handled in accordance with the principles set out in the General Data Protection Regulation (EU 2016/679) (“GDPR”).

Plan is the controller for this information unless this notice specifically states otherwise. Our Data Protection Officer is Gregg Knowles.  You can contact him at gregg.knowles@plan.com.
This notice should be read in conjunction with the Plan Privacy Notice which can also be found here link to www.plan.com/privacy, our other corporate policies and procedures can be found here https://plancom.sharepoint.com/sites/Compliance and with reference to the Employee Handbook. When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.

In this notice we set out:

• How do we obtain your information
• What personal data we process and why
• Lawful basis for processing your personal data
• How long we keep your personal data
• Data sharing
• Do we use any data processors?
• Your rights in relation to this processing
• Transfers of personal data
• Further information
• Your rights as an individual

How do we obtain your information

We may obtain information about you from the following sources:

• • Directly from you either during the recruitment process or throughout employment.
  • From the calls made to and by you using our telephony systems.
  • From an employment agency.
  • From your previous employer.
  • From a pre-employment screening agency
  • From referees, either external or internal.
  • From security clearance providers.
  • From government departments, for example tax details from HMRC or the Isle of Man Tax Office.
  • From providers of staff benefits including pension administrators, healthcare providers and insurers.
  • CCTV images from our landlords or taken using our own CCTV systems.
  • From social media.
  • From outsourced payroll providers.
  • By data loss protection software.

What personal data we process and why

We process the following categories of personal data.

Information related to your employment

We use the following information to carry out the contract we have with you, provide you access to business services required for your role and manage our human resources processes.

• • Personal contact details such as your name, address, contact telephone numbers (landline and mobile) and personal email addresses.
  • Your date of birth, gender and NI number.
  • A copy of your passport or similar photographic identification and / or proof of address documents.
  • Marital status.
  • Next of kin, emergency contacts and their contact information.
  • Employment and education history including your qualifications, job application, employment references, right to work information and details of any criminal convictions that you declare.
  • Location of employment.
  • Details of any secondary employment, political declarations, conflict of interest declarations or gift declarations.
  • Your responses to staff surveys if this data is not anonymised.

Information related to your salary, pension and loans

We process this information for the payment of your salary, pension and other employment related benefits. We also process it for the administration of statutory and contractual leave entitlements such as holiday or maternity leave.

• Information about your job role and your employment contract including; your start and leave dates, salary (including grade and salary band), any changes to your employment contract, working pattern (including any requests for flexible working).
• Details of your time spent working and any overtime, expenses or other payments claimed, including details of any loans.
• Details of any leave including sick leave, holidays, special leave etc.
• Pension details including membership of both state and occupational pension schemes (current and previous).
• Your bank account details, payroll records and tax status information.
• Details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay. This includes forms applying for the relevant leave, matching certificates and any other relevant documentation relating to the nature of the leave you will be taking.

Information relating to your performance and training

We use this information to assess your performance, to conduct pay and salary banding reviews and to deal with any employer / employee related disputes. We also use it to meet the training and development needs required for your role.

• Information relating to your performance at work e.g. probation reviews, continuous performance reviews, promotions or personal development plans
• Grievance and dignity at work matters and investigations to which you may be a party or witness.
• Disciplinary records and documentation related to any investigations, hearings and warnings/penalties issued.
• Information related to your training history and development needs.

Information relating to monitoring

We use this information to assess your compliance with corporate policies and procedures and to ensure the security of our premises, IT systems and employees.

•  Information derived from monitoring our IT systems to ensure compliance with acceptable use standards.
•  Photos and CCTV images.
•  Software applications utilised in the workplace including both proprietary and third-party software.

We may record all calls made to and from the business, which will include calls made and received by you. Please see our Telephone Usage Policy which sets out the basis on which we record and monitor calls. Each recording is encrypted and stored on a secure server. Access to the call recordings is tightly controlled in accordance with our Call Recording Access Policy and can only be obtained on the authority of our Data Protection Officer.

Information relating to your health and wellbeing and other special category data

We use the following information to comply with our legal obligations and for equal opportunities monitoring. We also use it to ensure the health, safety and wellbeing of our employees.

• Health and wellbeing information either declared by you or obtained from health checks, eye examinations, referrals and reports, sick leave forms, health management questionnaires or fit notes i.e. Statement of Fitness for Work from your GP or hospital.
• Accident records if you have an accident at work.
• Details of any desk audits, access needs or reasonable adjustments.

Lawful basis for processing your personal data

Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the GDPR:

• Article 6(1)(b) which relates to processing necessary for the performance of a contract. This may include:
  • formal identification documentation relating to you, such as a passport or driving licence, to verify your identity (including your date of birth);
  • your contact details such as your name, address, telephone number(s) and personal email address which will be used to communicate with you on employment matters during your employment;
  • details of emergency contacts;
  • bank details which are used to send/receive funds to/from you such as payment of your salary, expenses, professional subscription fees, or to make or repay loans;
  • information disclosed to a third party agency relating to your pay details for the purposes of providing tenancy references;
  • information disclosed to a mortgage provider relating to your employment history and pay details for the purposes of a mortgage application; and
  • information disclosed to a prospective future employer relating to your employment details for the purposes of providing a reference;
  • information relating to the enrolment or renewal of your employment benefits; and
• Article 6(1)(c) so we can comply with our legal obligations as your employer. This may include:
  • payroll records, social security, child maintenance, marital status, student loans and national insurance information, to comply with social security and Taxation Authorities (tax) requirements;
  • information in relation to legal claims made by you or against you, in order to comply with court processes and court orders including court ordered deductions from pay;
  • accident investigations;
  • information relating to the occurrence, investigation or prevention of fraud;
  • pension benefits to comply with pension legislation.
• Article 6(1)(d) in order to protect your vital interests or those of another person.
• Article 6(1) (f) for the purposes of our legitimate interest. This may include
  • training records, appraisals, 360 review reports and 1:1 meeting notes about you in order to assist/assess your career development and training needs and/or to ensure that you are properly managed and supervised;
  • information relating to the performance of your employment duties, such as disciplinary records, as this is relevant to your ability to carry out your job and for us to assess and identify areas in which we may need to help you improve;
  • information relating to the performance of your duties may also be used to conduct an investigation if circumstances warrant it and to take appropriate action either for conduct or capability reasons in accordance with our grievance and disciplinary policies/procedures;
  • information relating to any grievance process involving you, in order that an investigation may be conducted and appropriate action taken (if any) in accordance with our grievance and disciplinary policies/procedures;
  • management reports (including statistical and audit information) to ensure workplace efficiencies are maximised;
  • health, safety and environmental information, including records to ensure that we are complying with relevant policies and procedures. This allows us to implement any training where applicable;
  • work related contact details on our intranet and/or internal systems to facilitate efficient communication within the business;
  • voicemails, emails, correspondence and other work-related communications created, stored or transmitted by you using our computer or communications equipment for the purposes of the efficient management of the business;
  • non-medical absence records and details including holiday records, appointments, jury service, maternity, paternity, adoption and parental leave in order to monitor attendance levels and to comply with our policies;
  • CCTV across the whole of our estate for the protection of our property, security reasons, health and safety reasons and to ensure business efficiencies.
  • access to our properties for the protection of our property and for health and safety reasons;
  • network and information security data in order for us to take steps to protect your information against loss, theft or unauthorised access.

Special category data

How long we keep your personal data

For information about how long we hold your personal data, see our data retention schedule here. 

Data Sharing

In some circumstances, such as under a court order, we are legally obliged to share information. We may also share information about you with third parties including government agencies and external auditors. For example, we may share information about you with HMRC or the Isle of Man Tax Office for the purpose of collecting tax and national insurance contributions.

Do we use any data processors?

Yes – a list of our current data processors can be found at Annex A.

Your rights in relation to this processing

As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Isle of Man Information Commissioner as the relevant supervisory authority.

For more information on your rights, please see “Your rights as an individual”

Transfers of personal data

We routinely transfer staff personal data overseas due to the fact that certain of our third-party processors (listed in Schedule A) have servers that are located outside the Isle of Man or the UK.  When it is necessary to transfer the data, we ensure that we have appropriate safeguards in place.

Further information

Personnel files

Physical and electronic records are held for each member of staff. Data is held securely on Plan IT systems and at our premises and/or with externals software providers who are compliant in terms of GDPR.

You can request your personnel file by emailing the People Experience team or by submitting an access request to  dataprotection@plan.com.  You can also make a verbal request for your information. You will not be able to take away your physical file. Your request will be handled outside the case management area with restricted access. We will consult internally with members of staff who might hold personal data about you.

Staff surveys

The data collected from staff surveys is held in the cloud based platform15Five and Survey Monkey. Any data collected by 15Five, PeopleHR and/or Survey Monkey for us is stored on UK or US servers.

A link to their privacy notice can be found in Annex A. Staff at these providers cannot gain access to this data. The data is only available to a small number of Plan staff who are responsible for running or administrating the particular survey.

Most survey questions require quantitative responses, however some free text boxes are included. We would advise you not to share identifiable information about yourself in these boxes if you wish to remain anonymous. When appropriate we will also provide ‘just in time’ privacy information regarding specific surveys.

Workforce Development and Planning

Our People Experience department use online learning platforms for the facilitation of work related courses. Links to their privacy notices can be found in Annex A. We will share some information about you with these providers both prior to you joining Plan and during your employment to ensure you have the necessary access to complete training required for your role.

We will also share information about you with our training providers. For example this will include information such as your name, contact details and job role.

Monitoring of staff

All of our ICT systems are auditable and can be monitored, though we don’t do so routinely.

We are committed to respecting individual users’ reasonable expectations of privacy concerning the use of our ICT systems and equipment.

However, we reserve the right to log and monitor such use in line with our legitimate and reasonable expectations of acceptable use.

Any targeted monitoring of staff will take place within the context of our disciplinary procedures.

Financial monitoring

We use a financial accounting system (Sage) to log every financial transaction. This includes any transactions by or loans made to staff. If an outstanding debt by a member of staff is highlighted via this process, Plan may use this information to take steps to recover the outstanding amount.

Security passes

Staff may be issued with a security pass that may display their name, department, staff reference number and photograph. In such a situation, staff pass details (names, numbers and photographs) are held on a standalone machine controlled by our facilities management team and can only be accessed by a restricted number of people.  Should you lose your pass you will need to complete a lost security pass form and return it to People Experience. When you leave Plan, your details are deleted as soon as possible from this system subject to our Retention Schedule.

CCTV

We operate CCTV inside our premises to monitor access to certain areas of the office.

Requests for references

If you leave, or are thinking of leaving, we may be asked by your new or prospective employers to provide a reference. For example, we may be asked to confirm the dates of your employment or your job role. If you are still employed by us at the time the request for a reference is received we will discuss this with you before providing this.

Your rights as an individual

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here. 

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the processing is in our legitimate interests. You can read more about this right here. 

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here.

If we are processing your information for criminal law enforcement purposes, your rights are slightly different.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us dataprotection@plan.com if you wish to make a request, or contact your line manager or our Data Protection Officer, Gregg Knowles at greggknowles@plan.com.

Changes to this privacy statement

We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review.

This privacy notice was last updated on 13 July 2020 when we changed the layout and sought to set out examples of the information that was contained in the previous version of the notice.

Annex A – Data Processors