This privacy notice governs the collection, storage and use of personal information relating to employees, contractors and workers (collectively referred to as “employees”) by the companies that comprise The Original Cottage Company. Specifically, this notice provides you with details about the personal information we collect and hold about you, how we use your personal information, and your rights regarding the personal information we hold about you.
The Original Cottage Company is committed to protecting the privacy and security of your personal information. A significant part of this is ensuring that our processing of your personal information is fair, appropriate and in compliance with all applicable data protection laws.
Who we are
What information do we collect about you?
How do we collect your information?
What do we use your information for?
How does the law let us use your information?
Who do we share your information with and how do we do it?
How long do we keep your information for?
How do we keep your information secure?
Does your information ever leave the EEA?
What are your rights?
Do we do profiling or automated decision making?
Consequences of your failure to provide personal information
Change of purpose for processing data
Questions or complaints
The Original Cottage Company is the data controller of the personal information that we collect from you. It is a company registered in England and Wales (registration number 06951692), whose registered office is at Bank House, Market Place, Reepham, Norwich, NR10 4JJ.
We have a Data Protection Officer who makes sure we process your personal information in accordance with the law and ultimately that we respect your rights. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer at firstname.lastname@example.org.
We collect and process your personal information when you apply for a role with us and when you join us as an employee. We also need to continue to process your personal information when you no longer work for us. The personal data we collect and process includes:
name, home address, telephone, personal email address, date of birth, employee identification number, gender and marital status;
information included in resumes and/or job applications i.e. education and employment history;
professional references and interview notes;
copies of identity documents such as driving licences and passports, and documentation relating to your right to work in the UK;
letters of offer and acceptance of employment;
payroll information; including but not limited to national insurance number, bank account details, payroll records and tax codes;
HR information relating to your role with The Original Cottage Company including leave records, start date, location of employment or workplace, current and previous job titles, job descriptions, pay grades, training records, hours of work, professional membership, internal training, assessment and performance information, information regarding disciplinary and grievance issues, and other terms and conditions relating to your employment with us
salary, pension and benefit information;
forms relating to the application for, or in respect of changes to, employee health and welfare benefits; including, short and long term disability, medical and dental care;
dependants, next of kin and their details;
information obtained through electronic means such as building entry card records and your use of our information and communications systems;
photographs and video (CCTV footage).
We also collect some information that is considered to be more sensitive and therefore needs more protection. This includes:
information relating to your race or ethnicity, religious beliefs, sexual orientation, sex life. This is not routinely collected but may be needed in relation to your private medical insurance;
information about your health, including any medical conditions and disabilities. We require you to complete a medical questionnaire when you start work with The Original Cottage Company. This enables us to consider any adaptations we may need to make to our facilities. This information is also necessary for the provision of private health insurance as a benefit;
information about criminal convictions and offences – The Original Cottage Company does not currently conduct criminal records checks but may do in the future in order to ensure compliance with customer and our own requirements;
As a general rule, The Original Cottage Company collects personal information directly from you during the application, recruitment and employee onboarding processes. During the recruitment process you will provide us with information in your resume or job application. Further information will be collected directly from you when you complete forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence. Data may then be collected during the course of your employment to enable the continued existence or development of your role in the organisation.
Although we will collect most information directly from you, from time to time we may utilise the services of third parties (including other members of The Original Cottage Company Family) in our business from whom we may indirectly collect your personal information. For example, we may collect information about potential job candidates from employment agencies or criminal record information about new employees from our background checks supplier. Where this is the case, we will take reasonable steps to ensure that the third parties have the right to disclose your personal information to us. We will always respect your right to transparency and inform you of any such processing via this privacy notice.
We use the information we collect about you to manage your employment relationship with us. In particular this includes:
making decisions about who to offer initial employment to, and subsequent internal appointments, promotions etc.
responding to requests from third parties such as a reference request or mortgage approval etc.
making decisions about salary and other benefits
providing contractual benefits to you
maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained
effectively monitoring both your conduct and your performance and to undertake procedures with regard to both of these if the need arises
offering a method of recourse for you against decisions made about you via a grievance procedure
assessing training needs
implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments
gaining expert medical opinion when making decisions about your fitness for work
managing statutory leave and pay systems such as maternity leave, pay etc.
business planning and restructuring exercises
dealing with legal claims made against us
ensuring our administrative and IT systems are secure and robust against unauthorised access;
providing healthcare provisions
Examples of the circumstances in which we will process special categories of your particularly sensitive personal information are listed below (this list is non-exhaustive):
in order to protect your health and safety in the workplace
to assess your physical or emotional fitness to work
to determine if reasonable adjustments are needed or are in place
to monitor and manage sickness absence, family leave or other absences from work (including time off for dependants)
to administer benefits
in order to fulfill equal opportunity monitoring or reporting obligations
There are a number of legal reasons why we need to collect and use your personal information. These legal reasons are also referred to as “lawful bases” and we must ensure that everything we do with your data is justified in accordance with them. To that end, at least one of the following will apply when we process your personal data:
Consent: You have given clear consent for us to process your personal data for a specific purpose. Please note that we do not rely on consent for the majority of employee personal information we process. However, in the few situations where we do, you have the right to withdraw your consent at any time. If you wish to withdraw your consent, please contact email@example.com.
Contractual performance: The processing is necessary for us to deliver on our obligations as detailed in your employment contract. For example, we will process some of your personal information in order to pay salaries and provide benefits.
Legal obligation: The processing is necessary for us to comply with the law. For example, we are legally obligated to provide some of your personal information to the tax authorities. Similarly, UK employment law requires us to retain your personal information for a minimum period after you leave the company.
Legitimate interests: the processing is necessary for our legitimate business interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests. For example, we have a legitimate interest in ensuring that our IT systems remain secure and we process information about your use of our IT systems to achieve this.
“Special categories” of particularly sensitive personal information require higher levels of protection. As a result, we need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
Explicit consent: You have given clear, explicit consent for us to process your personal data for a specific purpose. We may seek your explicit consent in written form. Upon such an occasion we will endeavor to provide full and clear reasons at that time in order for you to make an informed decision. In any situation where consent is sought, please be advised that you are under no contractual obligation to comply with a request. Should you decline to consent you will not suffer a detriment.
To carry out our obligations in the field of employment and social security and social protection law. The processing is necessary for us to comply with the law such as the Disability Act.
For the purposes of preventive or occupational medicine, or for the assessment of the working capacity of the employee. We require you to complete a medical questionnaire when you start work with The Original Cottage Company. We may also need to initiate occupational health assessments or medical examinations during the course of your employment.
The Original Cottage Company does not currently process information about criminal convictions; however, going forward we may make a criminal record check part of the recruitment process for particular roles.
Your data will be shared with colleagues within the Company where it is necessary for them to undertake their duties. This includes, for example, IT for managing your use of IT systems, the HR department for maintaining personnel records and the finance department for administering payment under your contract of employment.
It may be necessary for us to share your personal data with third party suppliers to facilitate or to provide certain services on our behalf. The list below identifies which activities are carried out by third parties on our behalf:
IT services such as hosting of data;
landlord plus security;
Employee Assistance Plan (EAP) providers.
These entities are authorised to use your personal information only as necessary to provide the relevant services to us or, in the case of our customers, for The Original Cottage Company to provide our services to them. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law and protects any data of yours that they process.
We may also share data in the following circumstances:
Merger or acquisition: We may need to transfer information about you if we are acquired by or merged with another company. If we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
We retain information (including personal information) for the minimum reasonable time period to allow us to provide our services and will delete it after that time except where we need to keep any personal information to comply with our legal obligations, resolve ongoing disputes, or enforce our agreements. Occasionally, we may continue to use data without further notice to you. This will only be the case where any such data is anonymised and you cannot be identified as being associated with that data.
Should you require more detail about our retention timescales for a specific category of data or information please refer to our Data Retention Policy or contact firstname.lastname@example.org.
We employ comprehensive, reasonable and appropriate security measures to protect against the loss, misuse, and alteration of the personal information we process. This includes organisational security (passwords and access controls), physical security (data centre protection) and IT security (encryption). Should you require more detail about our data security please refer to the HSS Information Security Policy or contact email@example.com.
In cases of a breach, or suspected breach, of data security you will be informed, as will any appropriate regulator, in accordance with our legal obligations.
We do not currently transfer personal information that we collect from you to third parties located in countries that are outside of the UK or the European Economic Area.
You have certain rights in relation to your personal information. These are listed below. If you would like further information in relation to these or would like to exercise any of them, please contact firstname.lastname@example.org.
The right of access. You have the right to access the data that we hold on you. We aim to provide you with access to as much of your personal information as possible on our HR system. However, if you require access to other information, you should make a subject access request in writing.
The right to rectification. You can request that we update any of your personal information which is out of date or incorrect. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it. Please note that you can correct basic personal information on our HR system and it is your responsibility to ensure the data is up to date.
The right to have your data erased. In some circumstances you can ask for your personal information to be deleted, for example:
Where your personal information is no longer needed for the reason why it was collected in the first place;
Where you have removed your consent for us to use your information (where there is no other legal reason for us to use it);
Where there is no legal reason for the use of your information;
Where deleting the information is a legal requirement.
Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure. Please note that we can’t delete your information where:
we’re required to have it by law;
it is used for freedom of expression;
it is necessary for legal claims.
The right to restrict processing. You have the right to ask us to restrict what we use your personal information for where:
you have identified inaccurate information, and have told us of it;
we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether.
When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others. Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.
The right to data portability. You have the right to ask for your personal information to be given back to you or to another legal entity of your choice in a commonly used format. It’s likely that data portability won’t apply to most of the information we process about you.
Right to object. In situations where we are relying on a legitimate interest (or those of a third party) you have the right to object to the way we use your data. For example, you could exercise this right to prevent the processing of your personal information for direct-marketing purposes.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent.
Currently we do not make any decisions relating to employees without human involvement. However, if we do consider implementing automated decision-making technologies in the future, we will conduct a data privacy impact assessment (DPIA) and ensure that you, as the data subject, are notified. We will also make provisions for you to exercise your right not to be subject to a decision based solely on automated processing, including profiling, particularly where this produces legal effects or similarly significant effects.
If you neglect to provide certain information when requested, it may affect our ability to enter into or continue with an employment contract with you, and it may prevent us from complying with our legal obligations.
We commit to only process your personal information for the purposes for which it was collected, except where we reasonably consider that the reason for processing changes to another reason and that reason is consistent with the original basis for processing. Should we need to process personal information for another reason, we will inform you of this and advise you of the lawful basis upon which we will process.
Important note: We may process your personal information without your knowledge or consent, in compliance with the above rules (see above section - lawful basis for processing your personal information).
Should you have any questions regarding this statement, please contact email@example.com.
The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.