Privacy Notice
Introduction
At The Employment Services Partnership Limited, we are committed to keeping your personal and business information safe. This is our privacy notice, in which we tell you honestly how we use and look after your personal data. This privacy notice tells you what to expect us to do with your personal information if you choose to share it with us: this could be if you use our services or products or use our website. We will tell you what information we collect about you; how we use this data; with whom we share it; and how we store it and keep it safe.
Please use the Glossary to understand the meaning of the terms used in this privacy notice.
We may update our privacy notice from time to time. We will communicate significant updates to you via email if we have your email address. You can also check this page for recent updates. If you would like a PDF version of this privacy notice, email [email protected].
We last updated this privacy notice in January 2026.
Who we are
We are The Employment Services Partnership Limited (ESPHR). ESPHR from WorkNest is a trading name of The Employment Services Partnership Ltd. We offer personalised employment law advice and technology for busy HR professionals.
ESPHR is proud to be part of the WorkNest family, a family of specialist companies in Axiom GRC, dedicated to helping businesses thrive by providing expert support across key operational areas. As part of Axiom GRC, we bring together the most gifted practitioners in people management, health, safety and wellbeing, employment law, professional training, and business technology. We are proud to offer a broader range of services to help protect and nurture organisations of every size.
The Employment Services Partnership Limited is a company registered in England and Wales with company number 04694032 and whose registered office is at 20 Grosvenor Place, London, England, SW1X 7HN.
ESPHR is the data controller of personal information we collect. ESPHR is registered with the Information Commissioner’s Office as a data controller under reference Z8246532.
We have appointed a Data Protection Officer. For any queries, concerns, or complaints you may have about how ESPHR collects, uses or stores your personal information as a data controller, you can contact our Data Protection Officer, Bryony Hayter, at [email protected].
Or you can write to:
Bryony Hayter
Data Protection Officer
ESPHR
68 Milton Park
Abingdon
Oxfordshire
OX14 4RX
Your legal rights
As a data subject, under UK data protection law you have the right to:
- Access: ask for copies of all information we have about you
- Rectification: ask us to correct personal information you think is wrong. You also have the right to ask us to complete information you think is incomplete
- Erasure: ask us to delete your personal information
- Restriction of processing: ask us to limit the processing of your personal information
- Objection to processing: say no to the processing of your personal information
- Data portability: ask that we transfer the personal information you gave us to another organisation, or to you
- Withdraw consent: if ESPHR has asked for your consent to use your data for a particular reason, you have the right to take back that consent so that ESPHR cannot use your data in that way in the future. However, if you choose to withdraw your consent this will not change anything that ESPHR has used your data for in the past with your consent.
You can choose to use any of these rights for free by contacting us at [email protected], or writing to us at our address (see ‘Who we are’) with your request.
ESPHR has one calendar month to respond to you from the time we receive your request. ESPHR does not have to agree to carry out your request, but if we do not agree we have to tell you why.
Keeping your information safe
It is your choice to share your personal information with us and you do so at your own risk. We take information security seriously at ESPHR. We work hard to make sure that your personal information is looked after securely, and that we only process data in the ways that we say we do in this privacy notice. We put in place ways to protect personal data against unauthorised access, alteration, or disclosure.
We make sure that your personal information is only seen by people who need to access it to do their job. We check who has access to all personal information regularly.
Our staff complete data protection and cyber security training so that they know how best to look after your personal information.
However, even though we are very careful, we can never 100% guarantee the security of any information you give to us. If you are not happy or have concerns about how we look after your personal information, please contact our Data Protection Officer at [email protected].
Legal basis for using your information
Under UK data protection law we must have what is known as a legal basis for collecting and using your information. There are six legal bases, sometimes known as lawful bases:
- Consent: your permission.
- Performance of a contract: when we deliver the services you have requested.
- Legitimate interests: see the next section of our privacy notice.
- Vital interest: to save a life.
- Legal requirement: when we comply with UK law.
- Public interest: when data processing is beneficial for public good.
For business clients
What information do we collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
- Identity data includes first name, last name, username or similar identifier, title, date of birth and gender.
- Contact data includes billing address, email address and telephone numbers.
- Company information: company name, postcode, number of employees.
- Financial data includes bank account and/or payment details.
- Transaction data includes details of services we have provided to you.
- Engagement data: webinars you have attended, interactions with emails.
- Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile data includes your username and password, downloads made by you, your interests, preferences, feedback and survey responses.
- Usage data includes information about how you use our website and services.
- Marketing and communications data includes your preferences in receiving marketing from us and your communication preferences.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
Sometimes, we will ask you to provide special category data to us if necessary so that we can provide the best service to you. We will take particular care to process special category data securely and will process it in keeping with the contract in place between us.
How do we collect information, and why do we have it?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your identity, contact and financial data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- Communicate with us about, or enter into a contract for, our services;
- Create an account on our website;
- Subscribe to our service or publications;
- Download any resource available on our website;
- Request marketing to be sent to you;
- Seek advice as part of contracted services; or
- Give us some feedback.
- Automated technologies or interactions. As you interact with our website, we collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie notice for further details.
- Third parties or publicly available sources. We receive personal data about you from various third parties and public sources as set out below:
- Technical data from analytics providers, such as Google, based inside and outside the EU;
- Contact, financial and transaction data from providers of technical, payment and delivery services based inside the EU;
- Identity and contact data from publicly available sources such as Companies House and the Electoral Register based inside the EU.
- Identity and contact data from publishers of business information.
How do we use personal information?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Where you provide your consent to us.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please email [email protected] if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of Data | Lawful basis |
|---|---|---|
| To register you as a new client | · Identity · Contact | Contract |
| To carry out money laundering checks | · Identity · Contact | Legal obligation |
| To process and deliver your order and services, including: · Manage payments, fees and charges · Collect and recover money owed to us | · Identity · Contact · Financial · Transaction · Marketing and communications | Contract; Legitimate interests (to recover debts due to us) |
| To manage our relationship with you, including: · Notifying you about changes to our Terms or privacy notice · Asking you to leave a review or complete a survey · Notifying you of updates to the law and our template documentation, provided as part of our service | · Identity · Contact · Profile · Marketing and communications | Contract; Legal obligation; Legitimate interests (to keep our records updated and to study how our clients use our products and services); Legitimate interests (to add value to the services we provide to you) |
| To administer and protect our business and this website, including: · Troubleshooting · Data analysis · Testing · System maintenance · Support · Reporting · Hosting data | · Identity · Contact · Technical | Legal obligation; Legitimate interests (running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | · Identity · Contact · Profile · Usage · Marketing and communications · Technical | Legitimate interests (to study how clients use our products and services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products, services, marketing, client relationships and experience | · Technical · Usage | Legitimate interests (to define client types for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
Opting out
You can ask us or third parties to stop sending you marketing messages at any time by contacting [email protected]. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of any use you make of ESPHR’s services, which we will continue to process pursuant to the contractual obligations between us.
Do we process children’s information?
ESPHR may collect children’s information where a child is concerned in a case on which we are advising in the course of carrying out services for our client. ESPHR is committed to protecting children’s personal data. All information relating to a child’s welfare is handled in strict accordance with data protection legislation, including the UK GDPR and the Data Protection Act 2018.
Key measures include:
- Lawful and limited collection: information is only collected where necessary to fulfil safeguarding obligations or respond to incidents, and always with a clear lawful basis.
- Secure storage and access controls: records are stored securely, with access restricted to authorised personnel involved in safeguarding or incident management.
- Confidentiality and sharing protocols: information is shared only when essential for safeguarding purposes, and in line with statutory guidance and multi-agency protocols.
- Retention and disposal: data is retained only for as long as necessary and disposed of securely in accordance with the company’s data retention policy.
- Training and awareness: Staff handling children’s information receive regular training on safeguarding, confidentiality, and data protection responsibilities.
These safeguards ensure that children’s rights and welfare are prioritised while enabling ESPHR to meet its legal and ethical duties.
What if you fail to provide personal data?
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
How long do we keep your information?
We will only keep your personal information for as long as we need it to deliver services to you, and for as long as UK legislation tells us we must keep it.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Please see our Data Retention Policy for further information.
Do we share your information?
ESPHR will never sell, rent or lease your personal information, or insights generated from your information.
We will sometimes share anonymised information within the Axiom GRC group. These companies are also all backed by Inflexion and provide different, and complementary, aspects of the services that ESPHR as a whole provides to its clients.
We will sometimes share your information with trusted external third parties, including:
- Service providers, acting as processors, who provide IT and system administration services such as email management platforms, online surveys and client relationship management systems.
- Professional advisers, acting as processors, including lawyers, bankers, auditors and insurers based within the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities in the United Kingdom who require reporting of processing activities in certain circumstances.
These organisations will not use or process your information for any purpose other than what we have asked them to do.
In some exceptional circumstances, we may need to share your personal information to protect you or someone else. We will share as little information as is needed, and we will share it in a way that keeps it safe.
Here are the reasons we may need to share your personal information:
- We are told to by law. We may need to give personal information to the police, legal advisors, professional regulators, or safeguarding agencies.
- You are at risk of serious harm, neglect, death or threat to personal safety.
- You tell us that someone else is at risk of serious harm, neglect, death or threat to personal safety.
- We believe a crime is happening or may happen if nothing is done to stop it. This includes financial fraud.
Do we send your information outside of the UK?
Where possible, we keep your personal information inside the UK. However, we share your information with companies that work for us as processors that process and store information outside of the UK and Europe.
When this is the case, we make sure that we have a lawful method of transferring your data, and that your personal information is safe and that the organisation that works for us is obeying UK data protection law, even if it is based outside the UK.
For more information, contact our Data Protection Officer at [email protected].
For individuals whose personal data is processed in the course of client services
How do we use your data?
If you are an employee or former employee of our client, we may process your personal data in the course of providing contracted services to our client. We will use your personal data to provide employment law advice to our clients. We may use your personal data to:
- Gather, review, draft and disclose correspondence, evidence and other documents
- Form an opinion or position to provide advice
The legal basis we use for processing your data is often performance of a contract. If you are a witness or providing evidence, then we or our client may also seek your consent.
We may also have a legal obligation to process or share your personal data with legal authorities.
What data do we process?
- Name and contact details (e.g. address, phone number, email address)
- Employment history (e.g. job titles, dates of employment, roles and responsibilities)
- Workplace performance data (e.g. appraisals, disciplinary records)
- Contractual information (e.g. terms of employment, changes of contract, pay, benefits)
- Correspondence and HR records (e.g. emails, grievance, or disciplinary letters)
The following are special categories of data:
- Health, including disability
- Sexual orientation
- Sex life
- Racial or ethnic origin
- Trade union membership
- Political affiliation
- Religious or philosophical beliefs
Do we share your data?
We may share your data with the following individuals or organisations:
- Data Protection Officer for ESPHR for the purpose of acting on subject requests or investigating complaints.
- Our client.
- Providers of technical applications and software.
In some exceptional circumstances, we may need to share your personal information to protect you or someone else.
Here are the reasons we may need to share your personal information under these circumstances:
- We are told to by law. We may need to give personal information to the police, legal advisors, professional regulators, or safeguarding agencies.
- You are at risk of serious harm, neglect, death or threat to personal safety.
- You tell us that someone else is at risk of serious harm, neglect, death or threat to personal safety.
- We believe a crime is happening or may happen if nothing is done to stop it. This includes money laundering and financial fraud.
How long do we keep your data?
The later of:
- The duration of the contract with the client; or
- For seven years after the last act about which there has been a complaint and/or from any threat or the conclusion of legal proceedings.
Do we send your data outside of the UK?
Where possible, we keep your personal information inside the UK. However, we share your information with companies that work for us as processors that process and store information outside of the UK and Europe.
When this is the case, we make sure that we have a lawful method of transferring your data, and that your personal information is safe and that the organisation that works for us is obeying UK data protection law, even if it is based outside the UK.
Complaints
For any queries, concerns, or complaints you may have about how ESPHR collects, uses or stores your personal information, you can contact our Data Protection Officer at [email protected].
Or you can write to:
Data Protection Officer
ESPHR
68 Milton Park
Abingdon
Oxfordshire
OX14 4RX
If we cannot resolve the issue, you can also make a complaint to the Information Commissioner’s Office (ICO: the UK supervisory authority for data protection):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO helpline number: 0303 123 1113
ICO website: ico.org.uk
Glossary
Anonymise: to change data so that it cannot be linked to an individual person.
Cookie: a small file of information – like a username or password – that is stored on your device and identifies the user. Cookies are used to work out what to show you, improving your web experience.
Consent: permission, usually only valid when you have been told exactly what you are consenting to. One of the ways that processing data can be justified under data protection law.
Contractual performance: the data processing needed to carry out an agreement with an individual. One of the ways that processing data can be justified under data protection law.
Data Controller: an organisation (or person) that makes decisions about how and why data is processed.
Data minimisation: collecting the smallest amount of personal data that you need.
Data Processor(s): an organisation (or a person) that carries out the instructions of the Data Controller and processes data on behalf of the Data Controller.
Data Protection Officer: a person who is an expert in data protection and looks after the interests of the data subject.
Data subject: the individual whose personal data is being processed.
Encrypted: encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted.
Generative artificial intelligence (also generative AI or GenAI): is artificial intelligence capable of generating text, images, or other media, using generative models. Generative AI models learn the patterns and structure of their input training data and then generate new data that has similar characteristics.
Information Commissioner’s Office (ICO): the UK’s independent body set up to uphold information rights. The ICO has the power to investigate organisations which do not obey Data Protection laws.
Joint Controllers: two or more Data Controllers who together decide how and why data is processed.
Legal/lawful basis/bases: six reasons recognised by UK GDPR for processing personal information.
Legitimate interests: a strong reason (or reasons) for a Data Controller to process data for no other reason than that it is beneficial to the Data Controller if it does not have an adverse effect on the data subject. This is one of the ways that processing data can be justified under GDPR law, although whenever a Data Controller relies on it, they should have a written decision called a Legitimate Interest Assessment.
Personal information: any information about a real, living individual. For example, name, telephone number, address, health conditions, or qualifications. Information about organisations, such as annual turnover, is not personal information. Information about individuals working at organisations – for example, a business email address, or a job title – is personal information.
Privacy notice: a publicly displayed explanation of how organisations process data.
Purpose limitation: one of the principles of GDPR – personal data should only be used for the reasons it was collected.
Public interest: beneficial for the public. One of the ways that processing data can be justified under GDPR law.
Retention schedule: a table of how long organisations should store data.
UK GDPR: UK General Data Protection Regulation. This is a law designed to protect personal data stored on computers, or in an organised paper filing system. This law is the UK version of a law that is applied across many European countries.
Data Protection Policy
1. Policy Introduction
1.1. Introduction
1.1.1. This policy deals with the roles and responsibilities of The Employment Services Partnership Limited, ESP Solicitors Limited and ESP Safeguard Limited (“ESP”) and its staff with regard to the processing of personal data.
1.1.2. References to “we”, “us” or “our” refer to ESP itself.
1.1.3. We process personal data about a range of data subjects, such as employees, clients, employees of clients and suppliers. We process personal data for a number of purposes such as the provision of legal services to our clients as well as employee administration and the management of the business. It is critical to ESP that we are able to use personal data in this way. In order to continue to be able to do so, we must comply with all applicable data protection legislation. As ESP operates only in the UK, the applicable data protection laws are: the Data Use and Access Act 2025, the UK General Data Protection Regulation, and the Data Protection Act 2018 (the “Data Protection Laws”).
1.2. Policy on Personal Data
1.2.1. We endeavour to ensure that personal data is processed in accordance with the Data Protection Laws and in particular the seven Data Protection Principles.
1.2.2. We have put in place systems of work and procedures to ensure that we comply with the Data Protection Laws. We aim to provide all employees with sufficient information, instruction and training as is necessary in order to identify personal data and process it appropriately.
1.2.3. Our directors have agreed this policy.
1.2.4. This policy will be reviewed at regular intervals and revised where it is considered appropriate to do so having regard to legislative change, codes of practice, guidance from the Information Commissioner’s Office (“ICO”), good data protection practice and case law.
1.2.5. Any breach of this policy will be taken seriously and may result in disciplinary action.
1.2.6. All employees and contractors of ESP have a duty to ensure that they are fully aware of this policy and that they comply with its directions.
1.2.7. If you have any questions or queries in relation to this policy, you must contact the Data Protection Officer at ESP at [email protected].
2. Definition of Data Protection Terms
The following terms are used throughout this policy. It is important that you understand their meaning. Many of the terms are set out in the Data Protection Laws.
2.1. “Data” is information which is stored electronically, on a computer, or in certain paper-based filing systems. The Data Protection Laws are not restricted to information held on computers. Electronic data includes data kept on computers and other digital devices such as laptops, tablets, smart phones, mobile phones and digital cameras. Well-ordered paper-based filing systems, such as an HR filing cabinet with employees listed alphabetically, will be covered by the Data Protection Laws.
2.2. “Data subjects” for the purpose of this policy include all living individuals about whom we hold personal data. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal data.
2.3. “Personal data” is any information relating to an identified or identifiable living individual.
2.4. “Data controllers” are the people who, or organisations which, determine the purposes for which, and the manner in which, personal data is processed. They have a responsibility to establish practices and policies in line with the Data Protection Laws.
2.5. “Data processors” include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on behalf of ESP.
2.6. “Processing” is any activity that involves use of the data. We will process personal data when we obtain, record or hold the data, or carry out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
2.7. “Special category personal data” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, genetic data, biometric data, physical or mental health or condition or sexual life. Special category personal data can only be processed under strict conditions and will usually require the express consent of the person concerned.
3. Legal obligations on Processing
3.1. If we process personal data we must do so in accordance with the seven Data Protection Principles. These state that personal data must be:
3.1.1. Processed lawfully, fairly and transparently;
3.1.2. obtained for a specified and lawful purpose and processed compatibly with that purpose;
3.1.3. adequate, relevant and necessary for the purpose for which it is processed;
3.1.4. accurate and up to date;
3.1.5. kept in a form that identifies the Data Subjects for no longer than necessary;
3.1.6. processed in a manner that ensures its appropriate security; and
3.1.7. managed by the data controller in a way that enables them to demonstrate compliance with the other principles.
4. Notification
4.1. Unless an organisation is exempt, it must notify the ICO if it processes personal data. ESP Solicitors Ltd and the Employment Services Partnership Limited are currently registered as Data Controllers with the ICO.
4.2. We are obliged to keep the notification up to date at all times. Should any of the details provided as part of the notification change, these must be notified to the ICO. ESP’s Data Protection Officer is the person tasked with keeping the notification up to date and any queries or concerns regarding this should be addressed to them.
4.3. It is important that we make sure the notification is accurate and up to date.
5. Data Protection Best Practice
5.1. We must process personal data in accordance with the Data Protection Laws. We are responsible for:
5.1.1. Explaining to all relevant staff the importance of data protection;
5.1.2. providing staff with adequate training (where necessary), information, instruction and supervision to ensure personal data is processed in accordance with the Data Protection Laws;
5.1.3. assuming overall responsibility for compliance with the Data Protection Laws;
5.1.4. selecting someone to be responsible for ensuring compliance with the Data Protection Laws and making this person known to staff. This person is the Data Protection Officer;
5.1.5. maintaining a record of how personal data is kept and processed and notifying the ICO in accordance with the Data Protection Laws;
5.1.6. maintaining a record of any breaches of our obligations under the Data Protection Laws and, where necessary, notifying the ICO and, on some occasions, the data subjects of any such breaches.
5.2. We must:
5.2.1. Be aware of the issues regarding data protection;
5.2.2. consider the rights of data subjects who may be affected by our data processing actions;
5.2.3. process personal data in accordance with this policy;
5.2.4. report any data subject access requests or other questions regarding data protection to the Data Protection Officer; and
5.2.5. report any actual or suspected breach of this policy to the Data Protection Officer immediately.
6. Processing Personal Data
6.1. All personal data should be processed in accordance with the Data Protection Laws, ESP’s Privacy Notice, ESP Solicitors’ Privacy Notice and this policy.
6.2. Personal data is data relating to an individual. It includes employee data, supplier data, customer data and prospect data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations will be covered.
6.3. Examples of personal data are employee details including employment records, any third party data, for example information relating to a supplier and any information processed by us in relation to the employees of our clients to whom our trusted third party legal advisors provide legal advice. Recorded telephone conversations, notes of legal advice given by our trusted third party legal advisors relating to a specific individual as well as photographs taken of staff or CCTV images are also personal data.
6.4. We will process personal data when we obtain, record or hold the information or data or carry out any operation with the personal data.
6.5. We must assume that whatever we do with personal data will be considered processing for the purposes of the Data Protection Laws, and we must therefore only process data if:
6.5.1. We have consent to do so. If we are relying on consent to process the data we must make sure that the consent covers us for the precise reason we want to process the personal data. Any consent relied on must be clear, specific as to the use intended and unambiguous;
6.5.2. it is necessary to fulfil a contractual or legal obligation or as part of the employer/employee relationship (for example processing the payroll); or
6.5.3. there is another legitimate reason to process the data, and the data subject’s rights are not unduly impacted by the processing (for example, reviewing personnel records for a business being acquired); or
6.5.4. doing so is necessary to protect someone’s life (for example, passing on medical information in the case of a medical emergency).
6.6. If paragraph 6.5 is not satisfied, we must contact the Data Protection Officer before processing the personal data to ensure that ESP can legally carry out the proposed activity.
7. Information, Instruction and Supervision
7.1. Data protection advice for ESP employees is available from the Data Protection Officer who will arrange for advice from external advisers if necessary.
7.2. We will ensure that all new staff, particularly those with access to personal data, are trained on our data protection policy as soon as possible after they are recruited. The level of training for each individual employee will depend on the level of access and responsibility for processing personal data. Please also see section 8 (Competency for Tasks and Training).
7.3. If any member of staff feels that they need additional training, they should contact the Data Protection Officer who will arrange for additional training to be provided.
7.4. If any member of staff considers that any task or work they have been asked to undertake involves the processing of personal data and are unsure whether or not the task or work would be in breach of the Data Protection Laws, this should be discussed with the Data Protection Officer who will be able to provide guidance and advice as to what to do.
8. Competency for Tasks and Training
8.1. We recognise that our employees are a key factor in supporting our effective and efficient operation and helping us to comply with data protection laws and good practice. We are committed to ensuring they receive training and development to help fulfil our legal and good practice obligations regarding the processing of personal data.
8.2. In the first instance, all new employees will receive an appropriate “on the job” induction into ESP. The induction will cover data protection. The level of training will be dependent on the employee’s position.
8.3. In addition, all new employees will undertake a probationary period under the supervision of an experienced employee until they achieve the appropriate standards and efficiency required for our employees. Additional training on data protection issues may be provided as appropriate.
8.4. Employees should only process personal data where they have received adequate training to do so. This applies equally to full time, part time and temporary employees.
8.5. Records of training undertaken by employees are kept by ESP’s HR department.
9. Monitoring the Use of Personal Data
9.1. We are committed to ensuring this policy is put into practice and that appropriate working practices are being followed. To this end, the following steps will be taken:
9.1.1. All employees who deal with personal data will be made aware of data protection issues and encouraged to work towards continuous improvement in the way we process personal data;
9.1.2. employees who handle personal data on a regular basis or who process sensitive or other confidential personal data will be monitored; and
9.1.3. spot checks may be carried out by managers.
9.2. Complaints on our data protection practices may be received from:
9.2.1. Employees;
9.2.2. suppliers;
9.2.3. our clients;
9.2.4. employees of our clients; or
9.2.5. others whose personal data we handle.
9.3. The Data Protection Officer will be responsible for investigating any complaints about our data protection practices in order to deal with any data protection breaches and to see what improvements can be made to prevent recurrences of such breaches. The results of such investigations will be reported to the directors who will be responsible for arranging for any improvements to be carried out.
9.4. Where we engage in a new way of processing personal data, we shall review that new method and ensure that any personal data so processed is done in accordance with the law and good practice.
10. Handling and Storing Personal Data and Data Security
10.1. We shall:
10.1.1. Take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of personal data. The Data Protection Laws require procedures and technologies to be implemented to maintain the security of all personal data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
10.1.1.1. “Confidentiality” means that only people who are authorised to use the data can access it;
10.1.1.2. “Integrity” means that personal data should be accurate and suitable for the purpose for which it is processed; and
10.1.1.3. “Availability” means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore only be saved on our central computer system instead of individual PCs, laptops, smart phones and other employee owned devices;
10.1.2. ensure that staff who handle personal data are adequately trained and monitored;
10.1.3. ensure that passwords and physical security measures are in place to guard against unauthorised disclosures; and
10.1.4. where employees are allowed to work from home or use their own device for work, employees must ensure they comply with ESP’s policies and procedures in respect of such activities.
10.2. Paper Records
10.2.1. Manual data refers to paper and other non-digital personal data records (such as copies of photographs or plans) which are recorded as part of a relevant filing system or with the intention that they should form part of such a system.
10.2.2. A relevant filing system is any set of information relating to individuals which is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible. To be covered by the Data Protection Laws, manual files have to have the same ready accessibility as a computerised file. For example, this could include employment records. However, it is good practice to treat all personal data, however stored or held, in accordance with the principles set out in the Data Protection Laws.
10.2.3. We shall ensure that all written records containing personal data shall be reviewed in accordance with paragraph 10.2.4 and a record shall be kept of all such reviews.
10.2.4. ESP also strives to minimise its use of paper records and operates a ‘clean desk’ policy to minimise the amount of paper that is being used and stored.
10.2.5. Manual records containing personal data must be reviewed in order to ensure that the data contained within them is accurate, not excessive, up to date and adequate for their purpose. All files shall be reviewed on a bi-annual basis for this purpose and in any event we must review manual records as and when they are periodically reviewed or retrieved for whatever purpose.
10.2.6. Any documents containing personal data or special category personal data should not be left on a desk on view when the desk is unattended.
10.3. Special category personal data
10.3.1. We must:
10.3.1.1. Take particular care of special category personal data and, where we have access to such information, we must make sure we process it properly and in accordance with the Data Protection Laws;
10.3.1.2. obtain the explicit consent of an individual before processing sensitive data relating to them, unless the data is being processed in accordance with an employment contract, for medical purposes or in relation to a criminal investigation; and
10.3.1.3. store all sensitive data with adequate security measures to prevent unauthorised disclosure. Such measures will include lockable cabinets and password protection and encryption of automated data. We will also ensure that only those who need to access this information have access to it.
10.4. Technical Security measures
10.4.1. We will ensure that all computers have protection against malicious software/viruses and that software is not installed and information is not downloaded without first being checked for viruses and other malware. We will keep up to date with patches, fixes and new releases to ensure that our systems are protected against known security issues.
10.4.2. We must always store personal data electronically on our central computer system, rather than on local drives, devices or at home.
10.4.3. All computers and documents containing personal data should be password protected and all passwords should be kept secret at all times. Employee passwords should include a mixture of letters and numbers and not be easy to guess or use common combinations – such as “1234”.
10.4.4. We must store devices containing personal data carefully if taken out of the workplace. Laptops, tablets, smart phones and other mobile devices should be stored securely and not left unattended in cars or in public places, or left overnight on top of desks or tables at home.
10.4.5. We must not use personal computers for work purposes unless this has first been cleared with our IT department.
10.4.6. We must ensure that individual monitors are positioned so they do not show confidential information to passers-by. This is particularly important if an employee’s PC displays employee data or sensitive data. PCs should be logged off when left unattended.
10.5. Organisational Security Measures
10.5.1. Manual records
We must keep manual records secure by the use of locked cabinets. Access to such records should be restricted to those employees whose job requires access. Where a manual record is in constant use we must take appropriate security measures. These include operating a ‘clean desk’ policy, removing bins from the office space and replacing them with confidential paper disposal areas and requiring all computers to be locked when not in use.
10.5.2. Telephone enquiries
When we deal with telephone enquiries, we must be careful about disclosing any personal data held by us. In particular, we must:
10.5.2.1. Check the caller’s identity to make sure that information is only given to a person who is entitled to it;
10.5.2.2. suggest that the caller puts their request in writing, where we are not sure about the caller’s identity or where their identity cannot be checked; and
10.5.2.3. refer to the Data Protection Officer for assistance in difficult situations.
10.5.3. Building access
Building access codes must be kept secret. Where security passes are in place we will take measures to ensure that all staff wear such passes in a prominent, visible position. Any stranger seen in entry-controlled areas should be reported immediately to the most senior member of staff available.
10.5.4. Deletion or destruction of data
Where personal data needs to be deleted or destroyed, adequate measures should be taken to ensure that such data is properly and securely disposed of, and it must be destroyed in accordance with ESP’s Data Retention Policy. This will include the destruction of files and backup files and the physical destruction of manual files. The sale or destruction of IT equipment, including PCs, laptops, smart phones and other mobile devices, should be treated as a data processing activity.
10.6. General guidance
10.6.1. The measures outlined above should guard against accidental loss or destruction of or damage to personal data. The measures taken should be appropriate for the harm which will be caused by such accidental loss, destruction or damage.
10.6.2. Particular care should be taken of sensitive data and security measures should reflect the importance of keeping such sensitive data secure, see section 10.3 (Special Category Personal Data).
10.7. Policy update
We shall ensure all security policies and procedures are regularly monitored and reviewed to ensure that data is being kept securely. Policies and procedures shall be reviewed against good data protection practice including ICO guidance and case law. Where policies and procedures are found to be inadequate, prompt and appropriate action shall be taken in order to rectify such inadequacies. This shall include a review of the security sections and the consideration and implementation of replacement provisions to rectify such inadequacies.
11. Security Breach, Notification and Reporting
11.1. Introduction
We shall ensure that personal data is stored and used in accordance with this policy and the law. However, breaches may occur despite our best efforts. It is therefore essential that on discovering a breach has occurred, the breach is reported in accordance with ESP’s Data Breach Procedure to ensure that the impact of the breach on data subjects is minimised and our liability for the breach can be limited as much as possible. Reporting and thorough investigation of incidents also helps to ensure that potential risks and problems are identified early and appropriate changes are made to minimise the possibility of future data protection breaches occurring.
11.2. What is a data security breach?
11.2.1. The sixth data protection principle provides that personal data must be processed in a manner that ensures its appropriate security.
11.2.2. A data security breach is where the security or integrity of data is compromised and is likely to include loss, misuse or unauthorised use of personal data.
11.2.3. The key feature of a data security breach is the release (no matter how caused) of personal data to a third party who is not authorised to view, hold or otherwise process the information.
Examples of breaches would be:
11.2.3.1. An employee leaving a piece of personal data about another employee or the employee of a client (such as their address, date of birth etc.) on a desk when the employee leaves the desk so that other employees who do not have permission to view the information can see it;
11.2.3.2. the sending of an e-mail containing personal data (for example a database) to a third party that is not entitled to see it, for example, by entering the wrong email address;
11.2.3.3. the loss of a folder of papers or an electronic device such as a memory stick containing personal data in a public place; and
11.2.3.4. the theft of a laptop, tablet, smart phone, mobile or digital device (such as a camera) containing personal data, such as a database or e-mails.
11.3. Who can report breaches?
11.3.1. Data security incidents can be reported by:
11.3.1.1. ESP;
11.3.1.2. an employee;
11.3.1.3. a client;
11.3.1.4. an employee of a client;
11.3.1.5. a supplier; or
11.3.1.6. a member of the public.
12. Dealing with Data Subject Access Requests
12.1. What is a Data Subject Access Request?
12.1.1. Data subjects have a right of access to a copy of their personal data.
12.1.2. A subject access request is any request from a data subject which indicates that the person wants to know what information is kept about him or her.
12.1.3. A subject access request can be made in any form, including verbally, so all ESP staff must be conscious of the risk of a subject access request being made and missed.
12.1.4. If a verbal request for information is received, we will ask the data subject to put the request in writing to ensure that ESP responds to it accurately and in a timely manner. This is not a requirement, however, and we will deal with any verbal requests in accordance with our obligations under the Data Protection Laws.
12.1.5. Internal data subject access requests will be treated as being of equal importance to external data subject access requests.
12.2. How ESP Responds to Data Subject Access Requests
All Data Subject Access Requests will be dealt with in accordance with ESP’s Data Subject Access Request Policy.
13. Employee Personal Data
13.1. In the course of recruitment and employment we will collect, retain and process information consisting of personal data including special category personal data about employees.
13.2. All employment records, including application forms, interview notes, sickness notes, annual leave records, promotion and appraisal notes, training records, disciplinary and dismissal notes and reports, references (whether confidential or otherwise and whether given or received) and general personnel file notes must be processed in accordance with the Data Protection Laws.
13.3. Personnel records and all written information regarding an employee, including appraisal, career progression and discussions regarding salary should be set out in a manner which contemplates that it may be disclosable as personal data under the Data Protection Laws. All records should therefore be clear and fair and where opinions are expressed these should be shown to be such.
13.4. The information we hold for the above purposes will be retained for the duration of an employee’s employment. The purposes for which we hold any information about the employee after the end of employment are for use solely for any residual employment related matters including (but not limited to) the provision of job references, processing applications for re-employment, matters relating to retirement benefits and allowing us to fulfil contractual or statutory obligations.
13.5. Where employee records are maintained for organisational analysis, we will take care to ensure that only that personal data is kept which is necessary to satisfy the purpose for which it is kept. Where possible, such data should be anonymised.
13.6. All disciplinary actions, commentary, reports and any reports relating to a dismissal of an individual shall be written in a manner which is fair and accurate.
13.7. All employee records shall be regularly reviewed to ensure that they are accurate, not excessive, up to date and adequate for their purpose.
13.8. Use of personal data in recruitment
13.8.1. All recruitment advertisements must contain information which enables applicants to identify that they are applying to us.
13.8.2. The interview notes of all applications should be written in consideration that these will amount to personal data under the Data Protection Laws. All interview notes should therefore be a fair and accurate representation of the interview. Any opinions expressed should be included in a manner which contemplates that they may be disclosable at a later date.
13.8.3. Where an individual candidate is interviewed but we wish to offer the individual employment other than in the post which the individual has applied for, care must be taken to ensure that the individual has consented to their data being used for this purpose. Candidate details must not be shared with other organisations unless specific permission has been obtained from the candidate to do so.
13.8.4. Any decision to shortlist candidates, where such decision making is made in writing, should be done in a manner which is fair and lawful.
14. Client Data
14.1. Much of our clients’ data has the potential to be personal data covered by the Data Protection Laws, and data that relates to the employees of our clients is most likely to be.
14.2. All client records which contain personal data, including (but not limited to) employment records, must be processed in accordance with the Data Protection Laws and this Policy.
14.3. We shall arrange for all client personal data records to be regularly reviewed to ensure that they are accurate, not excessive, up to date and adequate for their purposes.