General Data Protection Regulations (GDPR)

We care about your information
Willowbrook is a data controller and data processor for the purposes of data protection legislation. Relevant, authorised members of our staff will have access to the information. We ask you to share information with us so that we can fulfil our obligations under your Contract of Employment.
This document tells you what you can expect from us and how we will protect your rights. It applies to information we collect about agency workers, staff members and individuals who work at the companies we do business with. If you wish to exercise any of your rights, please contact the HR Department.
Why do we process your information?
We process information about you, known as ‘personal data’, to enable us to carry out our business and to help us make sure that we are treating people legally and fairly, preventing human rights abuses, and always improving.
Who will we share information with?
Information shared with workers – In order to perform our business (such as arranging pay) we often need to share contact information (such as name, job title and contact details) with workers.
Auditors & Inspectors – From time to time we may be audited by third parties to ensure that we are operating a legally compliant and ethical business. These third parties may include:
• Government regulatory and enforcement audits such as the Health and Safety Executive, Environmental Health Officers, GLAA or HMRC.
• Independent social compliance audits such as SEDEX Ethical Trade
• Client audits
• Insurers

Other – If we would like to share your data with anyone not covered in this privacy notice, we will only do this where we have a legitimate reason to do so and, where required, we will ask for your specific consent.
What are your rights?
All individuals have the following rights regarding their personal information (also called ‘personal data’):
1. The right to be informed – You have the right to know what information we hold about you, what we are using it for, who we are sharing it with, how long we are keeping it, and on what basis we are processing the data. There are times when we have to process your information because we are required to by law.
2. The right of access – If you would like to see the records we hold on file for you, please contact The HR Manager. All requests must be made in writing and will be dealt with within 30 days. Copies of the information requested are provided free of charge.

A reasonable charge can be made in the following circumstances:
• A request is manifestly unfounded or excessive, particularly if it is repetitive
• Requests for further copies of the same information (administrative costs of providing the information only)
The time for responding can be extended by a further two months where requests are complex or numerous. In these cases, you will be informed within one month of receipt of the request and we will explain why the extension is necessary.
3. The right to rectification – If you believe we are holding incorrect information, you can ask us to correct it.
4. The right to erasure – You can ask us to remove your information from our records. As long as there is no legal requirement for us to keep them (for example, HMRC require us to keep payroll records for 6 years), we will remove your details.
5. The right to restrict processing – Instead of asking for your information to be removed, you can ask us to stop processing it. This element is not relevant at Willowbrook.
6. The right to data portability – If you want to take your data to another organisation, please contact The HR Manager.
7. The right to object – You have the right to object to your data being processed on the basis of legitimate interests and processing for statistical purposes. We will stop processing your information immediately unless there are legal reasons for us not to do so.
8. The right not to be subject to automated decision-making (including profiling) – You have the right to object to automated decision-making. We do not use automated decision-making in our recruitment process.

What information do we collect? How do we use it? How long do we keep it?
This privacy notice has been divided into sections, so that you can read the information relevant to you. Each section tells you what information we collect, how we use it, and how long we will keep it for. These sections are:
• Agency workers
• Willowbrook Staff members
• External Business Contacts.

AGENCY WORKERS
Agency Workers are supplied to Willowbrook through Agencies and have no contract of employment with Willowbrook. The Agency is responsible for providing their Workers with their arrangements under GDPR.
What information do we collect?
We collect personal data from you in order to fulfil our contract with you, to comply with our legal obligations and where it is in our legitimate interests in order to provide you with work seeking services and to supply our clients with labour.
This will include:

• Your name and contact details
• Your right to work status (and to take copies of your passport/other allowable documents)
• Your skills, experience and qualifications (where relevant)
• Details about the type of work you are looking for
• Your next of kin
• Whether you require any reasonable adjustments

We may also ask for further information to confirm your suitability for work, which may include:
• Reference details
• Health questions relevant to the type of work you are applying for
• Whether you have any unspent criminal convictions.

We may use assessments as part of the recruitment process including numeracy and literacy assessments and colour blindness assessments – these results will be held on file.
Once you are placed with us, your employee record will include other relevant information, including:
• Training records
• Health Surveillance records
• Appraisal and performance review records
• Sickness absence records (Return to Work), Risk Assessments, Accident Reports and any other record which we must retain to fulfil our legal and contractual obligations.
• Correspondence records (including disciplinary and grievance meeting notes where relevant).

How do we use it?
The information we collect will only be used for the purposes of progressing your application for work, or to fulfil legal or regulatory requirements if necessary. The information we ask for helps us to assess your suitability for work. You don’t have to provide the information we ask for, but it might affect our ability to provide you with work if you don’t.
How long do we keep it?
We keep the information for either the minimum period we are required to keep it by law, or as defined in our Data Retention Policy or for as long as you give us consent to keep the information.
WILLOWBROOK STAFF MEMBERS
Staff members are those people who work directly for and within our organisation.
What information do we collect?
We collect personal data from you in order to fulfil our contract with you, to comply with our legal obligations and where it is in our legitimate interests as an employer/labour provider to recruit new workers to fill vacancies in our business.
As part of our recruitment process, in order to assess your suitability for employment, we will ask for the following information:
• Name and contact details
• Your right to work status (including taking copies of original passport/visa documents)
• Your skills, experience and qualifications
• Whether you require any reasonable adjustments in the recruitment process
• Questions relevant to your ability to carry out the role
• Reference details
• Health questions relevant to the type of work you are applying for
• Whether you have any unspent criminal convictions.

Once a job offer has been made and accepted, we will also ask for the following information:
• Bank details
• National Insurance Number
• Your next of kin
• Whether you require any reasonable adjustments to undertake the role

How do we use it?
The information we ask for helps us to assess your suitability for employment, to enable us to employ you and to fulfil legal or regulatory requirements with us. You don’t have to provide the information we ask for, but it might affect our ability to employ you if you don’t.
This information is collected, processed and retained because employers have a ‘legitimate interest’ under data protection law to do this.
How long do we keep it?
If you are successful in your application for employment with us, we keep the information you provide for either the minimum period we are required to keep it by law, or as defined in our Data Retention Policy or for as long as you give us consent to keep the information.
If you are unsuccessful in your application for employment with us, the information will be kept on file for one year after the end of the recruitment process for that role.
Once you are working with us, your employee record will include other relevant information, including:
• Training records
• Health Surveillance records
• Appraisal and performance review records
• Sickness absence records (Return to Work), Risk Assessments, Accident Reports and any other record which we must retain to fulfil our legal and contractual obligations.
• Correspondence records (including disciplinary and grievance meeting notes where relevant).
Your employee record will be retained for the duration of your employment and for differing periods depending on the records as defined in our Data Retention Policy following the end of your employment.

EXTERNAL BUSINESS CONTACTS
External business contacts means individual members of staff at the supplier, support, client and other organisations we work with to perform the legitimate activities of our business.
What information do we collect?
We collect personal data in order to comply with our legal obligations and where it is in our legitimate interests to do so. Individuals within the companies we work with are also entitled to have their personal information protected.
We will only share information where it is allowed by law and relevant to our legitimate business activities, such as providing name, job title and contact details.
We may also share professional information that is already in the public domain (such as company website pages, LinkedIn profiles, and similar media).
How do we use it?
The information we ask for will only be used in connection with the legitimate activities of our business.
How long do we keep it?
We keep the information for either the minimum period we are required to keep it by law, or for as long as you give us consent to keep the information, whichever is longer.
We will retain contact details for individuals within client organisations while the organisation remains a current or prospective client organisation.
Individuals within the organisations we work with have the same rights as any other individual (including the right to be forgotten). Anyone wishing to exercise their rights under data protection legislation should contact the HR Manager.
Data Retention Policy
Willowbrook must retain certain records containing your personal and sensitive personal data for periods that are defined in law. For these, and for other records containing your personal and sensitive personal data the Company will retain this information in either or both paper and electronic form for the periods specified in this policy.
Where the Company has obtained your consent to process your personal and sensitive personal data we will retain the information for the time period defined in the specific consent. Upon expiry of that period the Company may seek further consent from you.
The Company will securely process, store, archive and delete information containing your personal and sensitive personal data in accordance with our Data Security Policy.
All individuals have the following rights regarding their personal data:
1. The right to be informed – You have the right to know what information we hold about you, what we are using it for, who we are sharing it with, how long we are keeping it and on what basis we are processing the data.
2. The right of access – If you would like to see the records we hold on file for you.
3. The right to rectification – If you believe we are holding incorrect information.
4. The right to erasure – You can ask us to remove your information from our records.
5. The right to restrict processing – You can ask us to stop processing it.
6. The right to data portability – If you want to take your data to another organisation.
7. The right to object – You have the right to object to your data being processed.
8. The right not to be subject to automated decision-making (including profiling) – You have the right to object to automated decision-making.

Data record types with statutory retention periods
Accident books, accident records/reports – Statutory retention period: 3 years from the date of the last entry (or, if the accident involves a child/young adult, then until that person reaches the age of 21). Statutory authority: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. Special rules apply concerning incidents involving hazardous substances (see below).
Accounting records – Statutory retention period: 3 years for private companies. Statutory authority: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006.
Income tax and NI returns, income tax records and correspondence with HMRC – Statutory retention period: not less than 3 years after the end of the financial year to which they relate. Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631).
Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH) – Statutory retention period: 40 years from the date of the last entry. Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).
Medical records under the Ionising Radiations Regulations 1999 – Statutory retention period: until the person reaches 75 years of age, but in any event for at least 50 years. Statutory authority: The Ionising Radiations Regulations 1999 (SI 1999/3232).
Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH) – Statutory retention period: 5 years from the date on which the tests were carried out. Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).
Records relating to children and young adults – Statutory retention period: until the child/young adult reaches the age of 21. Statutory authority: Limitation Act 1980.
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity – Statutory retention period: 6 years from the end of the scheme year in which the event took place. Statutory authority: The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103).
Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence – Statutory retention period: 3 years after the end of the tax year in which the maternity period ends. Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended.
Wage/salary records (also overtime, bonuses, expenses) – Statutory retention period: 6 years. Statutory authority: Taxes Management Act 1970.
National minimum wage records – Statutory retention period: 3 years after the end of the pay reference period following the one that the records cover. Statutory authority: National Minimum Wage Act 1998.
Records relating to working time – Statutory retention period: 2 years from date on which they were made. Statutory authority: The Working Time Regulations 1998 (SI 1998/1833).
Data Record types with non-statutory retention periods
Application forms and interview notes (for unsuccessful candidates) – Retention period: One year.
Assessments under health and safety regulations and records of consultations with safety representatives and committees – Retention period: permanently.
Money purchase details – Retention period: 6 years after transfer or value taken.
Parental leave – Retention period: 5 years from birth/adoption of the child or 18 years if the child receives a disability allowance.
Pension scheme investment policies – Retention period: 12 years from the ending of any benefit payable under the policy.
Pensioners’ records – Retention period: 12 years after benefit ceases.
Personnel files and training records (including disciplinary records and working time records) – Retention period: 6 years after employment ceases.
Redundancy details, calculations of payments, refunds, notification to the Secretary of State – Retention period: 6 years from the date of redundancy.
Senior executives’ records (that is, those on a senior management team or their equivalents) – Retention period: permanently for historical purposes.
Statutory Sick Pay records, calculations, certificates, self-certificates – Retention period: 6 years after the employment ceases.
Trade union agreements – Retention period: 10 years after ceasing to be effective.
7.1 Closed Circuit Television (CCTV) at Willowbrook
Willowbrook have installed CCTV throughout the premises both internally and externally. This system has been installed for legal reasons:
– Food Safety
– Health and Safety
– Crime Prevention.
GDPR principles apply to our CCTV systems.
7.2 Subject Access Requests
Should you wish to exercise your right to receive a copy of the data being held, you must contact HR for a Subject Access Request form. Your request will be actioned within 30 days, free of charge unless it is:
– Repetitive
– Administratively cumbersome.
In these cases a charge can be applied and we will write to you to outline these charges in advance of addressing your request.