Purpose of our privacy statement
Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), we are required to explain to you why we are asking for this information about you, how we intend to use the information you provide and whether we will share this with anyone else.
Who are we?
Sanctuary Students is a trading name used by Sanctuary Management Services Limited, that is a subsidiary of Sanctuary Housing Association, a part of Sanctuary Group (“Sanctuary”), one of the UK's leading providers of housing, care and commercial services. Our address is Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ.
Our data protection officer
Our Data Protection Officer is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.
If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by writing to The Data Protection Officer, Sanctuary House, Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ or emailing dataprotection@sanctuary.co.uk.
Why are we collecting your information?
The information that is provided to us during your appointment (including that obtained as part of the recruitment process), or whilst you are engaged by us as an employee, contractor or worker is required by Sanctuary for us to enter into and perform a contract of employment or services with you. Without this information, we will not be able to offer and enter a contract with you.
The information you provide to us will be used for the following purposes:
managing your appointment and employment with us, including the performance of our obligations and exercise our rights under your contract of employment or service with us;
it will allow us to provide services and facilities which are tailored to your needs;
monitoring and compliance purposes in line with our legal obligations (including our legal obligations as an employer);
monitor your business and personal use of our information and communication systems to ensure compliance with our Acceptable Usage Policy and Procedure. This includes login and logoff times and any emails or other communications you send or receive in the course of your duties;
it will allow us to ensure information and network security, including preventing unauthorised access to our computer and electronic communication systems and preventing malicious software distribution;
collect health information as part of the new starter process and when required to ensure the health and safety of all of our staff and residents. For example,
o we may ask you about any disabilities you have, so that we can make reasonable adjustments to assist you in your role
o during or after a period of illness we may ask for information as part of a return-to-work assessment
o make decisions and offer support in the event of illness or a health issue, including determining your fitness for the role and making adjustments to support you at work;
o collect information which you provide to us as part of any health review or claim, including occupational health and ergonomics assessments where relevant to your role;
understanding of your personal situation and individual needs to enable us to provide a tailored service that meets any physical or cultural needs that you may have;
improve our overall employee experience, by improving our HR policies, procedures and our operating model. This includes collecting data from any online surveys you choose to complete (e.g. communications, engagement, leavers) – please refer to our separate Privacy Statement on Staff Surveys for further information;
to contact you for the purpose of communicating emergency information in a critical incident (e.g. cyber attack, total network loss or pandemic);
so we can send you information about your employment (e.g. benefit schemes, pension, electronic payslips, staff surveys, ID badges);
occasionally, where technical information is being delivered or where there is a legitimate business need, we will record meetings and presentations that use MS Teams, Zoom or similar technologies (we will notify you in advance if a meeting will be recorded and will offer options for those attendees who would rather not participate in a recorded session);
for HR systems training purposes;
collect recordings of Automated Call Distribution (ACD) user telephone calls (both internal and external) for training and monitoring purposes;
to maintain the security, health and safety of all our staff and service users by:
o collecting photographs for use on staff ID cards
o collecting data from door access systems;
collecting equalities data is part of Sanctuary’s Equality Strategy: Inclusion for All and is therefore a core element of governance and making sure that we listen and respond to your needs, promote your interests and enhance trust within our community. Before or during your employment Sanctuary may invite you to share data on your diversity characteristics. These can be provided on a voluntary basis, and you can update or remove them via MySanctuary at any time;
to allow us to communicate with you in the most appropriate way. For example, we can provide documents in large print if needed.
The table below sets out what further data we may require to manage your appointment by various role types. We will:
| Lone-workers, peripatetic workers,
and maintenance operatives | Company car users
and/or expense claimants |
|---|
track your location using GPS technology, to
ensure efficient use of vehicles and the
safety of lone workers | ✓ | |
monitor the movement of company mobile
phones and/or mobile devices to ensure lone
worker safety | ✓ | |
collect information to verify driver eligibility
before using a company vehicle or making an
expense claim for mileage. For example Driver’s license details including:
o License categories
o License restrictions Driving offences that are civil offence
data Health-related information Driving offences that are criminal
offence data
| | ✓ |
We may also receive personal information indirectly, from the following sources in the certain circumstances:
What information are we collecting?
To facilitate the purposes detailed in section 4 we collect the following information:
Name and contact details
Date of birth
National Insurance number
Nationality
Country of birth
Bank details
Relationship status
Emergency contact details
Next of kin details
Training records
Staff survey responses
Photograph
Door access information
Communication preferences
Information and communication systems usage
Employment performance information
Where applicable we collect work eligibility data to ensure compliance with legal and regulatory requirements. This information allows us to verify employee’s suitability for specific roles, maintain a safe working environment, and meet industry standards. This includes the following information:
ID documents for visa checks (British and Irish citizens only)
Right to work status, documentation and share code
Supporting documentation and information for DBS checks (including 3-
year DBS re-check)
Criminal conviction check results
Role-specific qualifications and registrations
Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:
Health data, including disability
Trade union membership
Gender and gender identity data
Racial or ethnic origin
Religious or philosophical beliefs
Sexual orientation
What is our lawful basis for using your information?
Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:
(b) Performance of a contract – using your information in this way is necessary for us to perform the employment or services contract in place between us and in order to take steps at the request of you prior to entering into the contract.
(c) Compliance with a legal obligation – using your information is necessary for us to comply with legal obligations to which we are subject, in accordance with the UK employment laws as an employer and as a provider of care and support services.
(f) Legitimate interests – using your information is processing is necessary for the purposes of our legitimate interests for communicating emergency information in a critical incident and for collecting data from any online surveys you choose to complete.
In accordance with Article 9 (UK GDPR) the condition we rely
on for processing special categories of personal data is:
(a) Explicit consent to process your equality and diversity
data. You can manage this information via MySanctuary and remove at any time. You are also able to remove your consent at any time by contacting HRDO@sanctuary.co.uk.
(b) Employment, social security and social protection
Our basis in Law is Section 1(a) of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
Sharing your information
Members of Sanctuary Group
Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.
For more information on which companies make up Sanctuary Group, please go to About Sanctuary.
Regulators and other legal obligations
We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.
Other Organisations
We may from time to time share your information with other organisations, such as:
pension companies, for the purpose of managing retirement savings schemes related to your appointment;
benefit companies, for the purpose of managing employee benefit schemes related to your appointment;
occupational health and insurance companies/brokers, for the purpose of managing health related issues and policies relating to your appointment;
it may be necessary to provide our occupational health provider with your contact details in order for a health questionnaire to be sent to you following your appointment;
we may need to provide insurance companies with information about your health, to comply with employment related insurance policy terms;
training companies, colleges and funding/awarding bodies, for the purpose of providing learning and development during the course of your employment;
future employers, for the purpose of providing factual references;
recruitment companies, for the purpose of managing your appointment;
debt collection agencies, for the purpose of obtaining outstanding monies in relation to your appointment;
fleet management companies, for the purpose of managing, maintaining and servicing company provided vehicles;
solicitors, advocates and trade union representatives, for the purpose of dealing with legal issues in relation to your appointment;
safeguarding organisations and emergency services for the purpose of protecting our staff and residents;
the police for the purpose of detection and prevention of crime; and
organisations with a function of auditing and/or administering public funds for the purpose of detection and prevention of fraud.
Home Office, to check a prospective employee/employees immigration or right to work status.
DBS (Disclosure & Barring Service) and/or Disclosure Scotland, to carry out a DBS checks.
the Driver and Vehicle Licensing Agency (DVLA) for checking employee eligibility to drive
Vehicle and Operator Services Agency (VOSA) for the safe and legal operation of the Group’s vehicles.
Data processors and Transfers
To facilitate the appointment process, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:
DBS check facilitation service – to process checks for criminal convictions to ensure suitability for roles.
References processor – to process reference checks for new starters.
Driving license check facilitation service – for the purpose of collecting the driving licence information from the DVLA.
digital right to work check provider – to process digital right to work checks (British and Irish citizens only)
vehicle suppliers for the delivery and collection of vehicles.
companies producing benchmarking information to enable Sanctuary to obtain market data to make decisions in relation to your appointment
mail fulfilment companies, for the purpose of printing and dispatching communications and ID or service badges related to your appointment
engagement companies, for the purpose of undertaking staff surveys and seeking feedback on the organisation;
Whenever we transfer your personal data out of the UK in this way, we ensure a similar degree of protection is afforded to it by ensuring that we rely on an adequacy decision, and/or use specific contract clauses which give personal data the same protection it has under UK law.
We use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.
This transfer is made in accordance with Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.
For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.
Can we use your information for any other purpose?
In limited circumstances, we may use your information for a purpose other than those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.
Security of your information
The information that you provide will be stored securely. Our technological and organisational security measures and procedures reflect the seriousness with which we attach to the confidentiality, integrity and availability of your information.
Only relevant members of staff will access the information you provide to us.
Storing your information and deleting it
We will not keep your personal data for longer than we need it or are required to by law.
Once you are no longer working for us, we will review the information which we hold concerning you and determine whether there are any reasons why we need to continue holding that information. For example, it may be necessary to retain information about you in order to manage income tax and national insurance queries or provide earnings details to pension schemes. Once the identified purpose comes to an end, unless there is another identifiable purpose for which it is necessary to hold on to your information, we will delete your information.
Recordings of ACD users’ calls will be kept for a period of 30 days for the
purpose of staff training and development and will be deleted after this time.
From the employment end date, your employee file will be kept for 6 years.
From the employment end date, information contained in your employee file that relates to employer’s liability (i.e. training records, absence records, medical records relating to work related illness/accident) will be kept for 40 years.
From the employment end date, information related to driver’s licenses, expense claims and benefits will be retained for 6 years following the purpose it was used for.
Your rights
In relation to the information which we hold about you, you are entitled to:
Ask us for access to the information;
Ask us to rectify the information where it is inaccurate or is incomplete;
Ask us to erase the information and take steps to ask others who we have shared your information with to also erase it;
Ask us to limit and restrict what we do with your information;
Object to our use of your information and ask us to stop that use;
Ask us to provide the data you have provided us in a structured, commonly used, and machine-readable format (for example, a CSV file) in order transmit the data to another data controller.
Where we are using your information because you have provided your consent to that use, you are entitled to withdraw your consent at any time. The lawfulness of our use of your information before consent was withdrawn is not affected;
Challenge the decision of any automated decision-making and/or profiling that is applied to your personal data as part of the processing;
Our obligations to comply with the above rights are subject to certain exemptions.
To exercise any of the rights referred to above, you should contact our Data Protection Officer by writing to The Data Protection Officer, Sanctuary House, Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ or emailing dataprotection@sanctuary.co.uk.
How to complain
If you have any concerns about our use of your personal information, you can contact our Data Protection Team on dataprotection@sanctuary.co.uk.
You also have the right to complain to the Information Commissioner's Office (the ‘ICO’) if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
