Employee Privacy Notice

Effective date: 7 August 2019

We are committed to protecting your privacy and confidentiality.

Introduction

This notice explains what personal data (information) Ieso Digital Health (“We”, “Us”) will hold about you, how We collect it, and how We will Use and share information about you during your employment and after it ends. We are required to notify you of this information, under data protection legislation. Please ensure that you read this notice and any other similar notices We provide to you from time to time when We collect or process personal information about you. These Privacy Notices reflect legal requirements, regulations, and best practice.

The Company is registered with the Information Commissioner as a Data Controller.
ICO Registered no: Ieso Digital Health (UK) Ltd: ZA239229
ICO Registered no: Ieso Digital Health Ltd: Z5383093

By signing and returning your employment contract you have entered into a contract with us which forms the lawful basis for most of the processing of your information. Ieso is permitted to collect, store, use and share your personal information as described in this notice, where necessary, under the General Data Protection Regulation (GDPR) Article 6 (1) (b) “for the purposes of a contract” and Article 9 (2) (b) “employment purposes” and the Data Protection Act 2018 Schedule 9 (a) “contract” and Schedule 1 (1) (a). Other legal bases are GDPR Article 6 (1) (c) legal obligation for processing ‘right to work’ information, and Article 6 (1) (a) consent for details required to administer the cycle to work scheme or childcare vouchers.

Here we explain what personal information we collect about you, how it is used, shared, secured and stored, and how you can exercise choices and manage your data.

We understand that the privacy and confidentiality of all the personal information you provide and that we handle, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary.

We reserve the right to change these Privacy Notices from time to time and when we do so we will revise the effective date at the top of the statement and notify you via email.

(These notices are designed to cover personal data processed for employment purposes. If you use our Employee Assistance Program to receive online CBT, there are more detailed Privacy Notices on the therapy site which will also cover your personal data, direct access is here: https://therapy.iesohealth.uk/Start/Privacy)


1. Information we collect

Ieso will collect information about employees initially as candidates when the application for the job is made, and subsequently during the course of an individual’s employment with Ieso. It is collected either directly from the employee, or indirectly e.g. through references, from managers/ colleagues, occupational health referrals.

a) Information We collect from you

  • Information that you provided when you applied for the role. This includes information provided through an online job site, via email, in person at interviews and/or by any other method.
  • In particular, We process personal details such as name, email address, address, date of birth, qualifications, experience, employment history, interests and other information you choose to state in your application.
  • Details of your referees.
  • Your nationality and immigration status and information from related documents, such as your passport
  • Any disabilities of which we need to be aware, where any adaptations may be necessary for example.
  • If you contact Us, We may keep a record of that correspondence.
  • Emergency contacts, marital status, names and contact details of partners/ dependants
  • Authentication details (such as sign-in credentials and passwords) for the company data sources and systems you are required to access in your role
  • Your bank/ building society account details, contribution details for schemes like cycle to work scheme, National Insurance and tax information, to be able to pay you and satisfy our legal obligations
  • Information you provide regarding any grievance/ conduct /disciplinary issues involving you/ other employees.
  • Details of your share incentive arrangements, and all information included in these and necessary to implement and administer them;
  • Details of your pension arrangements, life insurance, childcare and other benefits, and all information included in these and necessary to implement and administer them;
  • Information in applications you make for other positions within our organisation;
  • Absence data when you take sick leave, special leave, study leave or any other form or leave in addition to your normal holiday entitlement.

b) Information We collect from other sources

In the circumstances below, we will add to the information We collect from you, with information We receive from other sources.

This includes:

  • Information about your previous academic and/or employment history, including details of any conduct, grievance or performance issues, appraisals, time and attendance, from references obtained about you from previous employers and/or education providers.
  • Confirmations regarding your academic and professional qualifications.
  • Information regarding your criminal record, in criminal records certificates and enhanced criminal records certificates (from the Disclosure and Barring Service).
  • Details of salary and benefits.
  • Sickness and absence records.
  • Information on grievances raised by or involving employees.
  • Information on conduct and/or other disciplinary issues involving employees.
  • Details of staff appraisals and performance reviews.
  • Details of staff performance management/improvement plans (if any).
  • Information about your use of our IT, communication and other systems, and other monitoring information including your Internet Protocol (IP) address.
  • Information about your personal mobile device if you choose to connect your device to the Ieso network for emails, namely device owner, name, serial number, model, manufacturer, operating system and version, storage space, IMEI, and last 4 digits of the mobile number.
  • See section 7 below for information on cookies.


2. How we use collected information (includes sharing within Ieso)

We use the personal information we collect to ensure that we provide you with the best possible support now and in the future. We have appointed a Data Protection Officer to ensure that our procedures for handling data subject information and requests meet with our obligations.

We use the personal information that we collect from/ about you to:

  • Support the process of recruiting and onboarding you as a member of staff
  • Pay you and keep payroll and benefits records
  • Administer travel, expenses and leave
  • Deliver and maintain records of your training and professional development
  • Support secondments or promotions
  • Manage your performance
  • Communicate with you

To undertake some of these activities, your information will be shared internally across our teams. We will work to ensure that only the right people have your information and that they are only given the information they need.

Where you have chosen to connect your personal device to the Ieso network for email, we can use the information collected to remotely wipe Ieso email from your phone (for example when you leave), or to remotely wipe the device entirely (for example if you lose your device and wish to ensure all the data on it becomes irrecoverable). NB: although Ieso can wipe all data on the device, Ieso cannot view or collect the personal data held on it.

Ieso does not undertake automatic profiling or automated decision making in relation to your employment information.


3. When we share your information

We will share your personal information, as necessary, with our benefits, payroll and travel providers, consultants and other professionals we engage, e.g. to advise us generally and/or in relation to any grievance/ conduct appraisal/ performance review procedure, HR management systems, automated website monitoring and other technical systems, and communications systems. Ieso works hard to ensure that only the right people have access to your personal data, and information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential.

Ieso uses other companies to help deliver some of our services such as:

Ieso have contracts in place with these organisations, and where the organisation is a Data Processor then the contract prevents them from using personal data in any other way than how Ieso tells them to.

We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation for any other reason not set out in this policy unless we have an overriding legal duty to do so.

Sharing your personal information without your consent

Other than for activities related to performance of your employment contract, the sharing of information about you without your consent is strictly controlled by law.

In exceptional situations we may need to share information (only the minimum necessary) without your permission if:

We are required to do so by law, e.g. a serious crime has been committed; withholding information could endanger someone’s life; a child or vulnerable adult is at potential risk; or we are ordered to by a court of law.

If these circumstances arise, we would inform you wherever possible.

Transferring data outside the UK

We seek where possible to prevent any transfers of your personal information to countries which may not have adequate data protection standards. Some employee information may be accessed by Ieso US staff, but when this happens, we make sure that we have satisfied an appropriate legal gateway and that appropriate measures are in place to protect your data and your information rights.

Where personal data is stored by technical solutions based outside the EEA, we take appropriate measures to safeguard the data and your individual rights; see the storage section below.


4. How we secure your information

We place great importance on the security of personally identifiable information associated with our employees. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against unauthorised access, loss, misuse and alteration of personal information under our control.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

All information submitted by you is encrypted in transit using best-practice Transport Layer Security (TLS), with cipher suites providing at least 128-bit encryption (the industry-standard AES-256 cipher where supported), and stored at hosted facilities with dedicated physical access controls and restricted system access.

We have achieved the International Standard certification for information security (ISO 27001) and maintain the Cyber Essentials Plus certification.


5. How we store your information

We store your personal data:

Personnel file data will be stored on the company internal shared drive (by Bridge Fibre who store the data on servers in an Interoute tier 3 data centre in the UK), in CascadeGo (who store data on Rackspace servers in the UK), NetSuite (who store data on servers based in the EU), Microsoft OneDrive (who store data on servers based in the EU), Talent LMS (who are certified under the EU/US Privacy Shield, using Rackspace and Amazon Web Service in the US) and on the Hub (hosted by Kineo Ltd who store data on Rackspace servers in the UK).

Emails which may contain your personal data are stored in Microsoft Exchange within the EEA, and any personal device information is stored in Microsoft Azure in UK.

Depending on your role or making use of the Employee Assistance Programme (EAP), you may have an account on the Ieso therapy site, and this personal data is held on Microsoft Azure servers within the UK, and the privacy notices associated with this data are held on the therapy site.

Ieso have contracts in place with these organisations that prevent them from using personal data in any other way than how Ieso tells them to, and all have appropriate and audited access controls.

As detailed in the Security section of these Privacy Notices, such information is stored in an encrypted state, both in transit and at rest, so the hosting provider cannot read identifiable information without the encryption keys, and our contracts with providers prohibit them from accessing your personal data other than on Ieso’s instruction.

Retention details

Ieso Digital Health will retain / store your information for 7 years after your employment ends, as part of our obligations as an employer. Where items of your record can be removed at an earlier time, or be de-identified, this will happen to ensure that Ieso Digital Health only holds information that is needed.

Our data retention practices are reviewed at least annually in conjunction with industry standards and best practice.


6. Your data protection rights

Data protection law provides you with rights that Ieso Digital Health is committed to supporting you with.

Right to access

You have the right to obtain:

  • Confirmation that your information is being used, stored or shared by the company
  • A copy of information held about you

When making a request:

  • If you only require a particular part of your record, tell us and this can reduce the time it takes to provide it
  • We will respond to your request within one month of receipt or will tell you when it might take longer
  • We are required to validate your identity, including the identity of someone making a request on your behalf

If you feel there is an error of fact within your personal details held by us, please contact us. If we agree the information is incorrect, the alteration will be made, but if we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.

Data protection law also includes the right to withdraw consent where that is the legal basis for the processing, and the right to make other requests to seek to erase, port, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health, employment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights may be restricted or not apply in practice.

For more detailed information on your rights visit https://ico.org.uk/for-the-public/

If you need any assistance in these areas, please write to:

The Data Protection Officer,
Ieso Digital Health (UK) Limited,
Jeffreys Building
Cowley Road
Cambridge CB4 0DS
Or by email, For the Attention Of the Data Protection Officer, to info@iesohealth.com

Complaints

Employees also have the right to make complaints and request investigations into the way their information is used. Please contact our Data Protection Officer or visit the link below for more information.

For more detailed information on your rights visit https://ico.org.uk/for-the-public/.

If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office

You can call the ICO on 0303 123 1113 or write to them at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Additionally, you also have a right to seek to enforce your rights through the courts.


7. Cookies and tracking

A cookie is a small data file stored by your browser on your device's hard disk for record-keeping purposes and typically includes a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the same site.

  • Session cookies are stored only temporarily during a browsing session and are deleted from the user’s device when the browser is closed.
  • Persistent cookies are saved on your computer for a longer, fixed period, are not deleted when the browser is closed, and are used to remember you when you visit the website again.
  • Third party cookies are set by a different organisation to the owner of the website you are visiting. They might include cookies set for website visitor analytics or embedded content, for example Google Analytics.

Cookies used, and data collected are explained on the websites you are visiting. For the Ieso UK corporate site the policy is here: https://www.iesohealth.com/en-gb/legal/cookies. For the US corporate site, the policy is here: https://www.iesohealth.com/en-us/legal/cookies. For the UK therapy sites, the policy is here: https://therapy.iesohealth.uk/Start/cookies.

Any third-party websites you access because of your role as an employee of Ieso will be covered by their own cookie policies, which should be easily accessible on their sites, and are not the control or responsibility of Ieso.


8. Your questions and how to contact us

In summary, Ieso Digital Health are committed to ensuring the security and confidentiality of your information. There are a number of ways we do this including:

  • Staff receive training about protecting and using personal data
  • Policies are in place for staff to follow and are regularly reviewed
  • Ieso check that only the minimum amount of data is shared or accessed
  • Ieso use controlled access to systems, this helps to ensure that the right people are accessing data – people with a ‘need to know’
  • Ieso use encrypted emails and storage which would make it difficult for someone to ‘intercept’ your information
  • Ieso report and manage incidents to make sure we learn from them and improve
  • The company puts in place contracts that require providers and suppliers to protect your data as well

If you have any questions or wish to make a request in relation to your information, please contact the Ieso Digital Health Data Protection Officer, Helen Simpson, at:

The Jeffreys Building
Cowley Road
Cambridge
CB4 0DS


9. Changes to your personal data

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

In an emergency
Call 111 - if you urgently need medical help or advice but it is not a life threatening situation
Call 999 - if you or anyone else is in immediate danger or harm
Call the Samaritans 24 hours a day on 116 123