We will process your personal data as a “data controller”. This means that we have responsibility (on our own or acting jointly with another party) for deciding how we hold and use personal data relating to you.
Personal data, or personal information, means any information relating to an identifiable individual. It does not include any data or information which relates to a person that cannot be identified or where the person's identity has been removed (ie anonymous data). It also does not include information relating solely to a business or other organisation, rather than to a person.
We may collect, use, store and transfer different kinds of personal data about you in connection with your Engagement which we have grouped together as follows:
Identity Data: data which identifies you, such as your first name, last name, username, job title, employer, title, date of birth, marital status, gender and other information contained in identity documents (such as passports).
Contact Data: contact details including your personal and/or business email address, postal address and telephone number.
Profile Data: data we store in connection with your profile on the Time Sheet Portal, including your username and password to access the Time Sheet Portal.
CV Data: information submitted as part of a job application and/or the registration process, including qualifications, experience and references and any other information contained on a CV.
Application Data: your history of responding to job advertisements and the progress of those applications.
Status Data: confirmation of your eligibility to work in the UK, such as a national insurance number, passport or visa information.
Time Sheet Portal Data: such information as you may enter into the Time Sheet Portal and may be stored on the Time Sheet Portal in connection with your profile, including hours worked, details of your Engagement and absences.
Engagement Data: information relating to your current and any previous Engagements, including the Client you are working for, your agreed wage or fee, the period of your Engagement, hours worked, absences, appraisal and performance and disciplinary records and data and such other information as may be collected during the course of your Engagement and relevant
Payroll and PAYE Data: information which may be collected and processed for payroll purposes, including bank details, national insurance number, information relating to hours worked, rate of pay, tax code, unique tax reference number and such other relevant data as may be required to process payments to you or your services company for your Engagement.
We do not collect any special categories of personal data or criminal data about you, without gaining your explicit written consent (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic and biometric data and information relating to criminal convictions and offences).
Other personal data will be collected during the course of your Engagement, such as the Engagement Data.
From time to time, we may also obtain information relating to you from third parties, such as our Clients and HMRC (to process your wage payments).
We will only collect and process your personal data where we have a legal basis to do so. The legal basis will vary depending on the manner and purpose for which we are collecting your personal information. Most commonly, we will use your personal data in the following circumstances:
Where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where it is necessary to comply with a legal or regulatory obligation that we are subject to.
We have set out in the table below a description of the ways we plan to use your personal data, and which of the legal bases we shall rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data on the basis of more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you require further detail about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/ActivityTypes of dataLawful basis for processing including basis of legitimate interestProcessing and managing job applications submitted by you, checking you have the right to work in the UK.Identity, Contact, CV, Application and Status DataNecessary for our legitimate interests (to conduct our business and perform our contracts with clients)Consent – we will only proceed with an application and your Engagement if you consent to providing the work required.Necessary for the performance of a contract with you (the contract under which you are engaged to provide services).Setting you up as a new Contractor on our systemsIdentity Data, Contact Data, Engagement Data, Status Data, Payroll and PAYE Data.Compliance with a legal obligationNecessary for the performance of a contract with you (the contract under which you are engaged to provide services).Invoicing the Client that you have undertaken work forIdentity Data and Engagement DataNecessary for the performance of a contract with you (the contract under which you are engaged to provide services).Necessary for our legitimate interests (to conduct our business and perform our contracts with clients)Calculating and processing payments of National Insurance and PAYE income tax (and preparing for HMRC a weekly report setting out real time information relating to your National Insurance and PAYE deductions).Payroll and PAYE Data and Identity DataCompliance with a legal obligationMaking payment to you, preparing and sending payslips, deducting tax and National Insurance contributionsIdentity, Contact, Payroll and PAYE DataNecessary for the performance of a contract with you (the contract under which you are engaged to provide services)Compliance with a legal obligationIssuing P45 forms to youIdentity, Contact, Payroll and PAYE DataCompliance with a legal obligationPreparing and providing to the Client reports and statementsIdentity, Contact, Payroll and PAYE DataNecessary for our legitimate interests (to conduct our business and perform our contracts with Clients[Liaising with your pension provider][Identity, Contact, Payroll and PAYE Data][Necessary for the performance of a contract with you][Compliance with a legal obligation]Assessing whether you qualify for auto enrolment, processing payments to your pension provider(s)Identity Data, Contact Data, Engagement Data, Status Data, Payroll and PAYE DataCompliance with a legal obligationNecessary for the performance of a contract with youNotifying NEST of amounts deducted from your pay in respect of pension contributionsIdentity Data, Payroll and PAYE DataCompliance with a legal obligationSetting you up on the time sheet portal on our website, issuing email login detailsIdentity, Contact, Profile, Profile and Time Sheet Portal DataNecessary for the performance of a contract with youNecessary for our legitimate interests (to conduct our business in an efficient manner and perform our contracts with clients)Monitoring your working hours via the time sheet portal on our website for the purposes of calculating your payIdentity, Profile and Time Sheet Portal DataNecessary for the performance of a contract with youNecessary for our legitimate interests (to conduct our business in an efficient manner and perform our contracts with clients)
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you require an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Where we need to collect personal data by law or in order to perform a contract to which you are a party or which otherwise impacts on you, and you fail to provide that data when requested, we may not be able to perform the relevant contract. This may have consequences upon you. For example if we have to cancel our contract with your services company, your Engagement will be terminated. We will notify you if this occurs.
We may share personal data with Clients (acting as controller) or your services company (acting as controller)
We may share personal data with the third parties set out below for the purposes set out in the table above. These third parties process your personal data on our behalf in connection with the performance of certain services for us. :
Name of Service Provider
Types of Personal Data
IT Support Provider
Identity, Contact, profile, CV, Application, Financial, Marketing, Communications Data
Identity, Contact, CV, Profile, Application, Technical and Usage Data. This type of personal data is only shared through the website host as a processor if a data subject creates an online account with us.
Data Analytic Software
Identity, Contact, CV and Application Data
Bullhorn & Kyloe & Herefish
Identity, Contact, Profile, CV, Application, Financial, Marketing and Communications Data.
Timesheet Solutions Software
Identity, Contact, Financial. This data is processed solely between our contractors and clients.
We have entered into a data processing agreements with the service providers listed above.
Identity, Contact, CV, Application, Time Sheet Portal Data and Engagement Data may be disclosed to the relevant Client to whom the Engagement relates. Our clients will process your personal data as a data controller, and should direct applicants to their own privacy policies setting out how they process personal data.
Identity, Contact and Financial Data will be provided to TSP, our payment service provider.
Your personal data may be disclosed to professional advisers (acting as processors or joint controllers) including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
Companies and organisations for the purposes of fraud protection and credit risk reduction, such as Credit Safe.
HM Revenue & Customs, regulators and other authorities (acting as processors or joint controllers) who require reporting of processing activities in certain circumstances.
We require all our data processors to respect the security of your personal data and to treat it in accordance with the law. We do not allow our data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions as set out in our data sharing agreements.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside of the EEA.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) in order to develop our business methods and strategy or for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
As a general rule, we will retain your personal data for a period of [six years] following the end of your Engagement. We will keep this under review and may periodically delete some of your personal data which we no longer require for the purposes set out in the table above. For example, your bank details will be deleted promptly at the end of your Engagement.
In some circumstances we may be entitled or required to retain your data for a longer period where we are under a legal obligation to do so or in order to commence or defend legal proceedings in future.
You have certain rights in respect of the personal data that we process about you (where we determine the purpose and means for which that personal data shall be processed):
the right to request access to your personal data that we hold and to receive certain information relating to that data;
the right to ask us to rectify inaccurate data or to complete incomplete data;
a right to receive or ask for your personal data to be transferred to a third party(note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you);
the right to request the erasure of personal data where there is no good reason for us continuing to process it (note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request);
the right to object to how we process your personal data where we believe we have a legitimate interest in processing it (as explained above) (note that in some cases we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms);
the right to restrict processing of your personal data in certain scenarios, for example if you want us to establish the accuracy of the data or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it (note that when processing is restricted, we are allowed to retain sufficient information about you to ensure that the restriction is respected in future; and
where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. If you withdraw your consent, we may not be able to provide certain services to you.
If you wish to exercise any of the rights set out above in respect of your personal data, please contact our Data Compliance Officer at firstname.lastname@example.org
We may ask you to verify your identity if you make a request to us to exercise any of the rights set out above. We may also contact you to ask you for further information in relation to your request to speed up our response. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance and we shall endeavour to resolve your complaint.