Staff Privacy Notice

STAFF PRIVACY NOTICE

William Reed Group – Privacy Notice for Staff

Issued: 1st May 2018

Last reviewed: 16th December 2022

1. Introduction

William Reed Group (“the Group”, “we” or “us”) has issued this Privacy Notice (this “Notice“) to describe how each member company of the Group (“Company”) handles personal information that we hold about our staff members (collectively referred to as “you“). The term “staff member” includes those who work on a non-permanent basis, including contingent workers, temporary and contract workers, independent contractors, consultants, professional advisors, secondees, interns and other third parties engaged to carry out work for us and who have access to our premises or our internal systems. This categorisation is for convenience and does not demonstrate any particular employee, worker or other status.

We respect the privacy rights of individuals and are committed to handling personal information responsibly and in accordance with applicable law. This Notice sets out the personal information that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.

If you are in any doubt regarding the applicable standards, or have any comments or questions about this Notice, please contact us at the contact details in Section 11 below.

2. Types of personal information we collect

In the course of your employment or engagement with the Group we may process personal information about you and your dependents, beneficiaries and other individuals whose personal information has been provided to us.

The types of personal information we may process include, but are not limited to:

•Identification data – such as your name, gender, photograph, date of birth, staff member IDs.

• Contact details – such as home and business address, telephone/email addresses, emergency contact details.

• Employment details – such as job title/position, office location, employment contract, performance and disciplinary records, grievance procedures, sickness/holiday records.

• Background information – such as academic/professional qualifications, education, CV/résumé, criminal records data (for vetting purposes, where permissible and in accordance with applicable law).

• National identifiers – such as national ID/passport, immigration/visa status, social security or national insurance numbers.

• Information on your spouse / partner and/or dependents – such as your marital status, identification data on them and information relevant to any Company benefits extended to such people.

• Financial information – such as bank details, tax information, withholdings, salary, benefits, expenses, company allowances, stock and equity grants.

• IT information – information required to provide access to company IT systems and networks (and information collected by / through those systems) such as IP addresses, log files and login information.

We may also process sensitive personal information relating to you (and your spouse / partner and/or dependents). Sensitive personal information includes any information that reveals your (or their) racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, or information about your health/sex life (“Sensitive Personal Information“). As a general rule, we do not to collect or process any Sensitive Personal Information about you, unless authorised by law or where necessary to comply with applicable laws.

In some circumstances, we may need to collect, or request on a voluntary disclosure basis, some Sensitive Personal Information for legitimate employment-related purposes: for example, information about your racial/ethnic origin, gender and disabilities for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws and for government reporting obligations; or information about your physical or mental condition to provide work-related accommodations, health and insurance benefits to you and your dependents, or to manage absences from work.

3. Sources of personal (and Sensitive Personal) information

Usually you will have provided the information we hold about you but there may be situations where we collect personal information or Sensitive Personal Information from other sources. For example, we may collect the following:

• Certain background information (set out above) from recruitment agencies engaged by the Group or academic institutions and other training providers.

• Information about any “live” criminal proceedings, collected from local bodies dealing with criminal records checks, including through third party records checking agencies (where it is lawful to process such information).

• Information about your previous employment (including your employment record) and other information about your suitability to work at the Group from any referee provided by you.

• Certain information on your performance, conduct or other information relevant to formal internal procedures (e.g. disciplinary or whistleblowing procedures) organisations you routinely work with.

• Information about your health, including your fitness to carry out work and/or any accommodations or adjustments to be considered from your GP, other specialist medical adviser or the Group’s appointed medical expert.

• Information on accidents or incidents from the Group’s insurers and their appointed agents, where they are involved.

• Information on tax payable from local tax authorities and the Group’s appointed payroll agents and tax / financial advisers.

• Information about your entitlement to participate in, or receive payments or benefits under, any insurance or pension scheme provided by the Group, from the relevant benefit provider or its appointed agent.

4. Purposes for processing personal information

(i) Employment or work related purposes

When you are accepted for a role at the Group, the information collected during the recruitment process will form part of your ongoing staff member record. Further information on the personal information collected, and the way in which we handle it, during the recruitment process, is available in the Group’s Recruitment Privacy Notice https://www.william-reed.com/William-Reed-Group-Recruitment-Privacy-Notice

Once you become a staff member with the Group, we collect and use your personal information for the purpose of managing our employment or working relationship with you – for example, your employment records and contract information (so we can manage our employment relationship with you), your bank account and salary details (so we can pay you) and details of your spouse and dependents (for emergency contact and benefits purposes).

We process our staff members’ personal information through a human resources system (“HR System“), which is a tool that helps us to administer HR and staff member compensation and benefits and which allows staff members to manage their own personal information in some cases. This will involve transferring your personal information to our HR System provider’s servers in United Kingdom.

(ii) The Group’s Group global directory

We maintain a global directory of staff members which contain your professional contact details (such as your name, location, photo, job title and contact details). This information will be available to everyone in the William Reed Group to facilitate global cooperation, communication and teamwork.

(iii) Other legitimate business purposes

We may also collect and use personal information when it is necessary for other legitimate purposes, such as:

• to help us conduct our business more effectively and efficiently – for example, for general HR resourcing, IT security/management, accounting purposes, or financial planning;

• to enable communication between colleagues and with other contacts via a number of forums (including email, video conferencing, instant (or similar) messaging and telephone);

• to record the allocation of, maintain and recover Company devices and property;

• to provide certain information in connection with proposed or actual sales or purchases of all or part of the Group’s business; and

• to investigate violations of law or breaches of our own internal policies and workplace rules – whether by you or any other staff member. For instance, we may monitor your browsing or communications activity or location when using our devices or systems, if we reasonably suspect that you have been involved in phishing scams, fraudulent activity or activities in competition with or inconsistent with your work for the Group;

• to contact you, your partner / spouse and/or defendants in an emergency and ensure business continuity (for example, when you are absent from work or in an emergency).

(iv) Law-related and other purposes

We also may use your personal information where we consider it necessary for complying with laws and regulations, including collecting and disclosing staff member personal information as required by law (e.g. for tax, health and safety, anti-discrimination and other employment laws), under judicial authorization, to protect your vital interests (or those of another person), or to exercise or defend the legal rights of the Group’s global group.

(v) Consent

In some limited circumstances, we may use your personal and Sensitive Personal Information where we have obtained your consent to do so. Where we seek your consent, you will always have an opportunity to refuse.

5. Who we share your personal information with

We take care to allow access to personal information only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the information is used in a manner consistent with this Notice and that the security and confidentiality of the information is maintained.

(i) Transfers to other Group Companies

As mentioned above, we will share your personal information with other members of the Group around the world in order to administer human resources, staff member compensation and benefits at an international level on the HR System, as well as for other legitimate business purposes such as IT services/security, tax and accounting, and general business management.

(ii) Transfers to third party service providers

In addition, we make certain personal information available to third parties who provide services to us. We do so on a “need to know basis” and in accordance with applicable U.K. and European data privacy law.

For example, some personal information will be available to:

• third party companies who provide us with pension and benefits, payroll and expense services and tax services;

• providers of our HR System(s) and HR-related services;

• third parties who provide, support and maintain our IT and communications infrastructure (including for data storage purposes);

• third parties who provide services in relation to staff training and/or qualifications;

• third parties who conduct staff surveys on our behalf;

• auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under a contractual prohibition of using the personal information for any other purpose.

Further details of these third party providers can be obtained from the HR Department.

(iii) Transfers to other third parties

We may also disclose personal information to third parties on other lawful grounds, including:

• To comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process, including, but not limited to, a subpoena, government audit or search warrant;

• In response to lawful requests by public authorities (including for national security or law enforcement purposes);

• As necessary to establish, exercise or defend against potential, threatened or actual litigation;

• Where necessary to protect the vital interests of you or another person;

• In connection with the sale, assignment or other transfer of all or part of our business; and/or

• With your consent.

6. Legal basis for processing personal information

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. Some of the bases we rely on are set out above.

In summary, we will normally collect personal information only where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, where we need the personal information to perform a contract with you (i.e. to administer an employment or work relationship with us), where the processing is necessary to comply with a legal obligation or (in limited circumstances) where we have your consent to do so. In some cases, we may also need the personal information to protect your vital interests or those of another person.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided at Section 11 below.

Where we request personal information from you, you can choose not to provide personal data to us. However, unless otherwise indicated, the information we request from you is required in order to enter into our contract of employment with you or to comply with legal obligations on us. Failure to provide it prevents us from effectively administering our contractual relationship with you including any related employment benefits.

7. Transfer of personal information abroad

As we operate at a global level, we need to transfer personal information to countries other than the ones in which the information was originally collected. These countries may have data protection laws that are different to the laws of the country of origin (and, in some cases, may not be as protective). When we export your personal information to a different country, we will take steps to ensure that such data exports comply with applicable laws. In particular, if we transfer personal information from the European Economic Area to a country outside it, such as the United States, we will implement measures to provide an adequate level of data protection under UK and EU law.

Our Group Companies operate around the world so that when we collect your personal data, we may process it in any of these countries. Specifically, the HR Department in Crawley has access to HR data globally and makes decisions about how HR data should be processed globally. Similarly, the Group may enter into arrangements with third party service providers that process your personal information in other countries around the world, including via sub-processors.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Notice. These include:

• implementing the European Commission’s Standard Contractual Clauses (under Article 46.2 of the General Data Protection Regulation) for transfers of personal information between our Group companies, which require all such companies to protect personal information they process from the EEA in accordance with European Union data protection law. Our Standard Contractual Clauses can be provided on request.

• similarly, we rely on Standard Contractual Clauses (under Article 46.2 of the General Data Protection Regulation) in the context of our arrangements with our third party service providers and further details can be provided upon request.

• reliance on other measures to provide an adequate level of data protection in some limited circumstances. For example, in some cases (pursuant to Article 45 of the General Data Protection Regulation), we may rely on the fact that a US-based recipient of the personal information has self-certified to the EU-US Privacy Shield.

8. Data retention periods

Personal information will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this Notice or as otherwise required by applicable law. Generally this means your personal information will be retained until the end or your employment, employment application, or work relationship with us plus a reasonable period of time thereafter to respond to employment or work-related inquiries or to deal with any legal matters (e.g. judicial or disciplinary actions), document the proper deductions during and on termination of your employment or work relationship (e.g. to tax authorities), to provide you with ongoing pensions or other benefits and/or to establish or defend the Group in relation to legal claims against it (where data is retained for this purpose, it will be retained for 6.5 years after the termination of your employment).

9. Your data privacy rights

You may exercise the rights available to you under applicable data protection laws as follows:

• If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided at Section 11 below.

• In addition you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided at Section 11 below.

• If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

• You have the right to complain to a data protection authority about our collection and use of your personal information. Your local data protection authority is the Information Commissioner’s Office (the ICO), and you can contact the ICO via email (casework@ico.org.uk) or phone (0303 123 1113). Of course, we would prefer you to raise any concerns with the Group directly first (on the contact details set out below).

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

10. Updates to this Notice

This Notice may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, we will inform you on the company intranet and indicate at the top of the Notice when it was most recently updated. We encourage you to check back periodically in order to ensure you are aware of the most recent version of this Notice.

11. Contact details

Please address any questions or requests relating to this Notice to the Group Company Secretary by email (robert.proctor@wrbm.com) or alternatively, you can raise any concerns with your line manager or HR department.