Portmeirion Group is committed to protecting the privacy and security of personal information. This policy describes how we collect and use personal information about you before, during and after your working relationship with us, in accordance with data protection legislation. It applies to all employees, agency workers and contractors.
About this Policy
Portmeirion Group and its subsidiary companies, as your employer, are “data controller(s)”. This means that Portmeirion Group is responsible for deciding how it holds and uses personal information about you. Portmeirion Group is required under data protection legislation to notify you of the information contained in this policy.
This policy applies to prospective, current and former employees, agency workers and contractors. This policy does not form part of any contract of employment or other contract to provide services.
It is important that you read this policy, together with any other privacy notice Portmeirion Group may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why Portmeirion Group is using such information.
Data Protection Principles
Portmeirion Group complies with data protection legislation. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes we have told you about and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purposes we have told you about; and
- Kept securely.
Your personal data
Personal data or personal information means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect personal information about job applicants, employees, agency workers and contractors through the applications process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, your GP, credit reference agencies or other background check providers.
The data collected, stored and used by Portmeirion Group includes but is not limited to:
- Recruitment information (including copies of right to work; documentation, references and other information included in a CV or cover letter or as part of the application process);
- Personal contact details (including name, addresses, telephone numbers and personal email addresses);
- Next of kin and emergency contact details;
- Family or beneficiary information in relation to benefits provided to you as an employee including pension entitlements;
- Date of birth, national insurance number, copy of driving licence etc;
- Bank account details, payroll records, tax status information;
- Employment records (including job titles, work history, working hours, training records and professional memberships);
- Employment reports or assessments, including performance appraisals;
- Disciplinary and grievance information;
- Salary reviews, benefits records and expenses claims;
- If relevant, employee share scheme and share ownership records;
- CCTV footage and other information obtained through electronic means such as swipe card records; and
- Employee photographs.
Portmeirion Group may also collect, store and use the following “special categories” of more sensitive personal information including:
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
- Trade union membership;
- Information about your health, including any medical condition, health and sickness records;
- Genetic information and biometric data; and
- Information about criminal convictions and offences.
How Portmeirion Group will use personal data
Portmeirion Group will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the employment contract we have entered into with you e.g. payroll information;
- Where we need to comply with a legal obligation; and
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. your suitability for future vacancies within the business, making decisions about your continued employment or engagement, dealing with legal disputes).
Portmeirion Group may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests); and
- Where it is needed in the public interest.
Some of the grounds for processing will overlap and there may be several grounds which justify Portmeirion Group’s use of your personal information.
We need all categories of information listed above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests such as:
- Making a decision about your recruitment, appointment or promotion;
- Determining the terms on which you work for us;
- Checking that you are legally entitled to work in the UK;
- Paying you, if you are an employee and making statutory deductions;
- Providing benefits to you including employee share schemes;
- Liaising with our pension providers and administrators;
- Administering the contract that we have entered into with you;
- Business management and planning;
- Conducting performance and salary reviews;
- Dealing with legal issues involving you;
- Managing sickness absence;
- Complying with Health & Safety obligations;
- To prevent fraud; and
- To comply with the monitoring requirements under the Group’s Information Systems Use Policy.
If you fail to provide personal information
If you fail to provide certain information when requested, Portmeirion Group may not be able to perform the contract it has entered into with you (such as paying you or providing a benefit), or it may be prevented from complying with its legal obligations (such as to ensure the health and safety of our workers).
Please note that Portmeirion Group may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How Portmeirion Group will use sensitive personal information
“Special categories” of particularly sensitive personal information require higher levels of protection. Portmeirion Group needs to have further justification for collecting, storing and using this type of personal information. Portmeirion Group may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent;
- Where we need to carry out our legal obligations and in line with our policies;
- Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our pension scheme, and in line with our policies; and
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Do we need your consent?
We do not need your consent if we use special categories of your personal information in accordance with our policies to carry out our legal obligations or exercise specific rights in the field of employment law. This includes information relating to your race or national or ethnic origin to ensure meaningful equal opportunities monitoring and reporting.
In limited circumstances, Portmeirion Group may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
Maintaining Records
Portmeirion Group will take all reasonable steps to ensure that the personal data it holds about you is accurate and kept up to date. To ensure accuracy, usually every 12 months, you will be asked to check that certain personal information relating to you and held by Portmeirion Group is correct.
As an employee you should always contact the HR Department should your personal information change for any reason, for example a change of surname, home address or telephone number. Out of date information or information that is no longer required will be deleted on a regular basis.
Data Sharing
Portmeirion Group may have to share your data with third parties, including third-party service providers (e.g. payroll, pension providers etc.) and other entities in the Group where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
We require third parties to respect the security of your data and to treat it in accordance with the law.
Under normal circumstances Portmeirion Group will not transfer your personal data outside of the UK and EU. However if Portmeirion Group does transfer your personal information outside the UK or EU in order to perform its contract with you, you can expect a similar degree of protection in respect of your personal information.
Security of Data
Portmeirion Group is committed to the secure storage and where undertaken the secure transmission of your personal data. In addition, Portmeirion Group limits access to your personal information to those employees (such as Managers and employees working in the HR Department), agents, contractors and other third parties who have a business need to know. They will only process your personal information on Portmeirion Group’s instructions and they are subject to a duty of confidentiality. All such data is protected by physical security, such as locks and technical security, such as usernames and passwords to access computer records and data. To further ensure the security of such records Portmeirion Group reserves the right to monitor and keep a detailed log file and computer data analysis of all accesses to your personal data. Portmeirion Group also reserves the right to investigate all employees who have access to such data in the course of their normal employment with Portmeirion Group.
If as an employee you have legitimate access to personal data and you need to pass or transmit the data within Portmeirion Group to another party or parties who in turn have the right to see such data, the following rules apply:
- If the data is transmitted by email it must be sent in an encrypted form;
- If the data is transmitted via a network it must be done using a secure network. Wherever possible such data should not be sent via a wireless network where the risk of interception is greater;
- Data should not be faxed unless prior authority to do so has been given by the Group Operations Director;
- If data is to be passed in hard copy form it should be handed to the recipient personally, the recipient should ensure that the data is stored in a locked drawer or cabinet; and
- Personal data must not at any time be posted or taken out of Portmeirion Group’s office in hard form or by any other means other than in an encrypted company laptop.
You are reminded that unauthorised attempts to gain access to such data or accessing such data is a disciplinary offence and in certain situations may constitute gross misconduct leading to summary dismissal. Such breaches may also constitute a criminal offence under data protection legislation.
External Disclosure Requests
If you as an employee receive an external request for the disclosure of data the following guidelines should be observed:
- Verify the identity of the person requesting the information;
- Be on the lookout for fraud or deception;
- Seek a written request where possible;
- Check any telephone numbers where an oral request is received;
- Inform Moira MacDonald (Group Company Secretary) or your HR department if any request appears suspicious; Moira MacDonald should also be contacted where the party requesting the data states that disclosure is required by law;
- Remember that a duty is owed to the employee whose data is to be disclosed, where appropriate seek their permission, unless doing so would alert them to a criminal investigation; and
- If the disclosure of the data is non-routine where possible provide the employee in question with a copy of the data disclosed. A record of all non-routine data disclosures should also be kept.
Data Retention
Portmeirion Group will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, Portmeirion Group will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Portmeirion Group will generally retain your records for the periods stated below although we reserve the right to retain certain personal data for longer periods of time should there be a legitimate business need or legal interest in doing so:
- Application Forms/letters and interview notes: 6 months if the applicant is unsuccessful or 1 year from end of employment;
- References received: 1 year;
- Payroll and tax information: 6 years plus the current year;
- Sickness and Occupational/Health & Safety records and monitoring: As long as is necessary to enable us to investigate any issues raised as part of the employment relationship;
- Annual leave records: 3 years;
- Unpaid/special leave records: 3 years;
- Annual appraisal/ assessments: 5 years or 1 year from the end of employment;
- Training records: As long as is necessary to enable us to investigate any issues raised as part of the employment relationship;
- Disciplinary matters: 1 year in the case of minor disciplinary matters or 3 years in the case of serious or persistent issues;
- References provided: 5 years from provided or end of employment;
- Summary of service: 10 years; and
- Injury or accident at work: As long as is necessary to enable us to investigate any issues raised as part of the employment relationship.
Portmeirion Group will ensure the safe and secure disposal of your records that are no longer required.
In some circumstances Portmeirion Group may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes;
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
- Request the transfer of your personal information to another party. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the HR Department in writing.
Data Access
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, Portmeirion Group may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent, please contact the HR Department. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Data Protection Officer
Due to the type of data that we process it is not mandatory for Portmeirion Group to appoint a Data Protection Officer, however we have appointed Moira MacDonald, Group Company Secretary, as Portmeirion Group’s data protection lead to oversee data privacy compliance. If you have any questions about this policy or how we handle your personal information, please contact Moira MacDonald or your HR department.
Changes to this Policy
We reserve the right to update this policy at any time, and we will provide you with a new policy when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.