Privacy notice - colleagues
Current and former colleagues
Once a person has taken up employment with Bromford we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Bromford has ended, we will retain the file in accordance with the requirements of our Data & Document Retention Policy and then delete it.
What data do we collect from our colleagues?
When you start work for Bromford we will ask for:
- your full name (and proof of your identity / photo ID).
- your date of birth.
- your marital status and gender.
- your National Insurance number (your unique identifier).
- your student loan and tax status
- details of your driving licence (if relevant to your role)
- your contact details (phone, email or correspondence address).
- banking details, so we can pay you
We may also collect your personal data via our CCTV systems or in still photographs. See below for more information.
Sometimes our People Services Team may want to make a voice recording of meetings we have with you. We will always notify you if we would like to make a digital voice recording of the meeting and seek your approval to do so.
We may also ask for your consent to collect special categories of data as explained below.
If you provide us with personal information relating to members of your family, next of kin contact information for example, we will assume that you do so with their knowledge and their consent to the collection and processing of the information.
It is important that you notify us of any changes to your personal information.
How we use personal information and the lawful basis for processing
Most of the information we collect from our colleagues is required as part of your contract of employment or other contract between you and Bromford.
Please read your employment contract for specific details as ‘performance of a contract’ is usually the lawful basis for processing your information as set out in data protection law.
The processing we conduct can be summarised as:
- Managing the employer – employee relationship.
- Arranging to pay your salary, wages, pensions or other benefits;
- Complying with relevant legislation and regulation.
The other lawful basis for processing your data, as defined in data protection law, that we regularly rely on is ‘legitimate interest’ (processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject).
Our legitimate interests may include the need to:
- eliminate discrimination or advance equality of opportunity;
- prevent and detect crime;
- conduct research and statistical analysis to help improve our business;
- track our vehicles to ensure they are driven responsibly;
- monitor, and in some circumstances charge for, the charging of electrical vehicle
- evaluate our performance against other benchmarks.
- Arranging to provide non contractual benefits.
Special Category Data
We may process special category or sensitive personal data relating to your health where this is necessary in connection with employment law and/or for the purposes of preventive or occupational medicine.
We also seek your consent to collect some ‘special category’ information from you. This includes information relating to your religious beliefs, ethnicity and sexual orientation.
We will always give you a ‘prefer not to answer’ option when we ask for this information.
Other Lawful Bases
In exceptional circumstances there may be another lawful basis for processing your data for example ‘compliance with a legal obligation’ or to ‘protect the vital interests of a data subject or another person’.
How long we keep information
Information relating to your employment is normally kept for six years after your employment ends. Where information relates to employees who worked with asbestos or other substances hazardous to health the retention period is forty years after your employment ends.
When we dispose of information we do so securely.
Sharing your information
Your personal information will only be available to relevant leaders and colleagues in the People Services and other relevant teams for the reasons outlined in this privacy notice.
Your personal information will be kept secure and confidential. Usually we will not disclose personal data without consent, but we may share information between the Bromford group of companies, with contractors or third parties and other agencies we work with.
Bromford shares limited personal information with contractors who are carrying out services on our behalf. This includes payroll and pension providers, companies who provide colleague benefits, companies who provide occupational health services and so on. Our contractors are required to comply with the law to ensure data is managed appropriately and for specified purposes.
All requests for ad-hoc sharing are considered by the Data Protection Officer. In exceptional circumstances we may share your personal information with the Police as required by law or where sharing is in your vital interests.
Calls with customers and other external parties are recorded in our Customer Services, Income, Lettings and Customer Solutions teams. In addition, internal colleague to colleague calls with these teams may be recorded. Calls are recorded for training, monitoring and performance management purposes and are held for a period of twelve months.
Recording and Transcription of MS Teams Meetings
Bromford colleagues may record Teams meetings where there is a legitimate business reason to do so, for example, where there is a need to share the content of a meeting with colleagues who were unable to attend. The lawful basis for recording, and processing the data of colleagues in the meeting is legitimate interest.
Bromford uses Microsoft Intune to control how devices are used, including mobile phones, tablets, and laptops. Intune allows people to use their personal devices for work. On personal devices, Intune helps make sure your Bromford data stays protected and can isolate Bromford data from personal data.
When you enrol a corporate or personal device with Intune, Intune collects, processes, and shares some personal data to support business operations, conduct business with the customer and to support the service. Required personal data includes identifiable data that may directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data.
Intune doesn't collect nor allow an Admin to see the following data:
- An end users’ calling or web browsing history
- Personal email
- Text messages
- Passwords to personal accounts
- Calendar events
- Photos, including those in a photo app or camera.
The lawful basis for processing your personal data for Microsoft Intune, as defined in data protection law, is ‘legitimate interest’. The UKGDPR highlights fraud prevention and network and information security as specific types of processing that are considered legitimate interest.
Colleagues may be issued with a laptop or other device which has biometric security functionality (fingerprint and facial recognition). This functionality is provided by Microsoft via Windows Hello which is being used by Bromford as part of our information security strategy to keep our laptops and systems secure. Colleagues may asked to set up these new access controls.
Microsoft advise that the biometric data used to support Windows Hello is stripped of any information that could be used to specifically identify you and is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This means that your biometrics are not processed by Microsoft or Bromford as personal data when you log in to our systems.
Personal Use of Bromford IT Services
Where Bromford provides you with an e-mail address, a way of saving documents or any other IT service these are provided for business use. Personal use of these services to send private messages or to save personal data or documents is not recommended as it may be necessary for your manager to be given access to your e-mail account or file storage when you leave or in other circumstances. This access will however only be given when there is a clear business need for the access and will be approved by a director.
We may take your photograph for use on your Bromford ID card. We may also take photographs at our events, at our properties and in our communities to use for general marketing and publicity.
In these circumstances the legal basis for processing is legitimate interest as described above. We will however respect your wishes if you do not want your photograph to be used in any marketing or publicity materials.
We operate CCTV systems at our offices and in public areas at some of our properties. Wherever CCTV systems are operating we will place a notice showing that the scheme is in operation and controlled by Bromford.
Our CCTV systems deter crime and promote public safety by helping to identify and prosecute criminal offenders. These systems operate continuously, and recordings are held for one month.
You can ask for a copy of any CCTV images taken of yourself by making a subject access request. See Your Data, Your Rights - the right of access for more information on how to make a subject access request.
We carry out an impact assessment for all locations where we use CCTV. This helps ensure that our use of CCTV is appropriate and proportionate to the issues of crime and public safety we are seeking to address and minimises intrusion into individual rights to privacy.
Door Entry Data
Your Bromford ID card is used to gain access to our offices via access-controlled door entry systems. These systems record the dates and times you access a Bromford office. This data may be reviewed as part of monitoring the effective use of our workspaces and how and where our colleagues are working. The lawful basis for processing data relating to the dates and times colleagues access a Bromford office is legitimate interest.
Data matching and analytics
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.
Computerised data matching allows employee and benefit fraud to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.
No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
We participate in the National Fraud Initiative (NFI) data matching exercise carried out by the Cabinet Office. Our participation in NFI will assist in the prevention and detection of fraud against Bromford and other organisations within the private and public sector.
We participate on a voluntary basis and provide the Cabinet Office with particular sets of data for matching as set out in the Cabinet Office’s guidance.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection law.
Data matching by the Cabinet Office is subject to a Code of Data Matching Practice. Further information on the Cabinet Office’s legal powers and the reasons why it matches particular information is available here.
Colleague COVID 19 Vaccination Status
Bromford processes data relating to the COVID 19 vaccination status of colleagues who need to enter a registered care home from 11th November 2021. All care home workers and anyone entering the home, will need to be fully vaccinated unless they are exempt under the compulsory vaccination regulations.
We follow the advice issued by the Information Commissioner’s Office in processing data about a colleague’s vaccination status. The lawful basis for processing this data is legitimate interest, as Bromford has a legitimate interest in minimising the risk that Bromford colleagues pass the Covid virus on to clinically vulnerable individuals; and complying with the Department for Health and Social Care Regulations.
Information about a colleague’s vaccination status may need to be shared with the care provider at the care homes you visit.
Disclosure & Barring Service (DBS) and Consumer Credit Checks
Bromford may carry out DBS and consumer credit checks to screen colleagues and candidates for roles. Under data protection law the lawful basis for this processing is “legitimate interest”. Bromford’s legitimate interest is based on the need to safeguard our customers, especially vulnerable customers, in their homes and elsewhere and safeguarding the business from risks to our financial wellbeing and the integrity of business-critical data.