GDPR POLICY AND PRIVACY STATEMENT
The General Data Protection Regulation came into force on 25th May 2018. This paper sets out the approach taken by the City HR Association Limited (“City HR”) in order to comply with its obligations. It specifically addresses how data privacy will be maintained for both our employees and suppliers alongside our members and market collaborators. This includes how we: secure consent to hold and process personal data; process information; maintain our records and for what purpose and duration; maintain the right for individuals to be forgotten; plan to notify individuals should there be any breach of their personal data.
A) Background
The City HR Association Limited is the professional body for HR practitioners and Human Capital Management professional advisors within financial services. It is a corporate membership body in which the corporate (in this case predominantly banks, insurance companies, asset management firms and organisations providing expert services to employers in the financial services sector) pays an annual subscription to City HR in order for its HR team (or HCM experts) to benefit from the services provided. The services provided include free and subsidised training on HR topics, best practice publications, conferences, networking/discussion groups and HR policies benchmarking.
B) Personal Data
City HR holds very limited personal data which can generally be described as:-
- Payroll, pension and contact details for its employees (currently 2), alongside contact and bank payment details for its consultants and interns.
- The Email details, plus the name with corporate title and corporate addresses for those individuals nominated by their employing organisation to receive information from us for which a subscription has been paid for this benefit. This data is updated once a year at the time of subscription renewal.
- Email, name with corporate title, corporate address and telephone details for those participating in the City HR Benchmarking Survey. The CORPORATE information provided by participants in the survey is collated via a bespoke token which is unique to each firm for security purposes and then aggregated by City HR in a password protected Excel spreadsheet, with the results anonymised and reported on a non-attributable basis.
- Only the occasional CV which is provided by those seeking jobs with our member firms. This has occurred on less than 10 occasions since 2007.
C) Data Retention
City HR will hold personal data for a specified duration as follows:
- City HR employees – data will be retained for up to six years for the purpose of reference enquiries
- City HR applicants – data will be retained for one year after a recruitment campaign has been completed. CVs will not be forwarded to any third parties without the express permission of the candidate
- City HR Members – individual data will be removed one year after the individual leaves a corporate member unless the individual has a) given permission to retain their details and receive communications from us and b) joined another corporate member or City HR Networking Group
- Should a Corporate Member resign, then the personal details of those working for the organisation will be removed within one year.
D) Data Security
In terms of data security, City HR will do its utmost to uphold high standards of data protection through:
- Each computer requires a unique password to access the City HR systems and databases
- The City HR Association Benchmarking data is password protected at every stage. The measures taken include:-
- Each participant is provided with a unique password token through which they can access the questionnaire and store their information so that the collated data is not seen by any other participant. Each firm is reminded to keep their unique password token safe and that they may only forward the City HR link to the survey, plus their unique access code, to trusted individuals within the HR Department.
- The data is aggregated by City HR and can only be seen by those working on the City HR Benchmarking Survey, all of whom have signed confidentiality agreements. The aggregated spreadsheet is password protected.
- The survey results are aggregated, anonymous and non-attributable and are written up into reports. The results of the survey are hard copy reports and a pdf of the same reports and it is not possible to access the data of any one firm at this stage.
- All participants are reminded of their responsibility in safe-keeping the data and there is a warning on the front page of the soft copy that it cannot be forwarded outside of the individual’s own organisation. If they did forward the document, it would not be possible for the data relating to any one firm to be identified and there is a copyright on the data to prevent publication of this non-attributable and anonymised report.
- All employees, consultants and interns working on the benchmarking survey are required to sign a confidentiality agreement including the management of data security
- Consultants working in the office are made aware of data protection, security and confidentiality and it is an endemic part of their relationship with City HR.
The City HR Data Protection Officer is Sam Bailey, Operations Manager.
HOW GDPR WILL AFFECT CITY HR AND THE CORRESPONDING REMEDY (ACTION POINTS TAKEN)
The new and enhanced data obligations (originally EU Data Protection Directive of 1995, leading to the Data Protection Act 1998) require firms to:-
- Gain consent to hold data.
- The personal data held by City HR is minuscule, being mainly that of employees or in-house consultants and interns and being limited to information relating to payroll, payment and personal contact details. Confidentiality agreements are also held on those who come into contact with the City HR database or the City HR Benchmarking data. Remedy/Action Point: Ask employees to confirm that they are content for these details to be held for this purpose
- Corporate Data of a personal nature is provided by the member firm who pays the subscription and nominates who they wish to receive our data. Remedy/Action Point: Remind Individuals that they are part of this corporate membership and to let us know if they’d like to opt out. Diarise to include ‘consent to hold personal details’ in our annual renewal
- The fair processing of information. The majority of information provided to City HR is of a corporate nature and held securely
- Keep comprehensive records of processing activities
- Keep contracts with data processors – Remedy/Action Point: City HR will incorporate this in the confidentiality agreements with suppliers, consultants, systems providers and those providing services to the Association
- Rights for Individuals – right to be forgotten. Remedy/Action Point: When employees leave City HR we will ask if they’d like their data deleted after 6 years. Those who supply City HR with services can ask us to remove their details, save any confidentiality agreements which will be held for 6 years. Those who send us CVs will be informed that these are automatically destroyed after 6 months.
- Notification requirements – Remedy/Action Point: City HR will inform the employee, consultant, supplier or corporate nominated representative or benchmarking participant if any data is breached.
City HR will continue to remain vigilant in terms of data protection, confidentiality and the rights of individuals relating to GDPR.
PRIVACY NOTICE – TRANSPARENCY OF DATA PROTECTION
What information is being collected?
Full name, job title, business address, telephone and email address, and any dietary requests if needed for an event such as a conference
Who is collecting it?
Sam Bailey, Operations Manager
Why is it being collected?
So that we may maintain contact with members with regard to City HR news and events; to establish accurate event arrangements
How will it be used?
Maintain a database, send information regarding City HR news and events, and confirmation of event details once booked
Who will it be shared with?
With the City HR Association. Names and company names only with event venues so that security can admit delegates.
Identity and contact details of any data controllers
The Operations Manager is the sole administrator. Her contact details are:
Sam Bailey: sambailey@cityhr.co.uk
Details of transfer to third country and safeguards
No information is transferred to a foreign country
Retention period
See under Data Retention
FORMAT IN WHICH DATA IS HELD
This falls into two categories:
- For employees, past employees and contractors: in hard copy (paper file) and electronic format (ie on the City HR server) including the signed agreement of these individuals for this data to be held
- For our members and market collaborators in electronic form and mainly on our database with a communication sent in May 2018 explaining what is held, for what purpose and how to withdraw consent.
For information on this Policy or to request Subject Access please contact the Data Protection Officer:
Sam Bailey
Telephone: 0207 073 2687
Email: sambailey@cityhr.co.uk
Postal address: Room 209, 11 – 12 Tokenhouse Yard, London EC2R 7AS