Direct Line Group is committed to protecting the personal data of all prospective, current and former employees that we collect during their employment and provision of associated services. This Privacy Notice summarises:
- Who ‘we’ are
- The categories of data we collect and the purposes of processing
- How we share your data
- How we retain and protect your data
- Your rights under Data Protection law
- How you can contact us
For the purposes of this Privacy Notice, references to ‘employees’ include candidates, recruited workers (including contractors, temporary staff and agency personnel) and people who have ceased employment with us.
2. Who ‘we’ are
DL Insurance Services Limited is the data controller in respect of the information covered by this Privacy Notice.
3. Categories and sources of data collected
To fulfil our contractual, legal, regulatory and other obligations as an employer, we collect the following types of data:
- Personal details, such as name, date of birth, bank details.
- Contact details, such as home address, telephone numbers, email addresses.
- Further contact details for individuals nominated by you for emergency purposes and where relevant for providing products and services (i.e. beneficiaries of Life Insurance).
- Identification documentation and images, including images of you at interview and screening stage and data such as proof of eligibility to work in the UK, official identification references (i.e. National Insurance number).
- Information provided during recruitment, such as previous work history, education and training, criminal history and employment references.
- Information created during your employment, such as job history, training, performance management, salary and bonus information, benefit selections, sickness and absence history, disciplinary and grievance proceedings, employment litigation, medical information, health and safety.
- Demographic information, such as gender, race, ethnicity, sexual orientation, religion.
- Information created during the performance of your work, including communication in the form of emails, IT system logging, monitoring use of our systems and assets, and other correspondence.
We collect most of your personal data from the information you provide during your recruitment, which is further supplemented over the course of your employment relationship with us. We also obtain information about you from a range of other sources, as outlined below:
- During the recruitment process, we will obtain data about you from external sources, such as your previous employer(s) and may review publicly available information regarding your experience and qualifications on professional social sites, such as LinkedIn.
- We may also obtain data from your previous employer if we acquire any part of that business or all or substantially all of its assets.
- During recruitment and periodically during employment, we will obtain data from credit reference agencies and relevant bodies in relation to criminal history, or reports of fraudulent behaviour (e.g. CIFAS).
- The benefit election decisions that you make and associated details (such as financial contributions, levels of cover etc) will be provided to us by our benefit provider(s). This facilitates administration of payroll and benefits, as well as paying individual benefit providers.
- We will receive information from external companies where they provide services that you utilise during your employment. For example, details of travel and accommodation bookings that you have made. This facilitates staff expense administration and allows for appropriate management oversight of expenditure.
- Governmental and other public bodies may provide us with personal data about you where necessary and in line with their obligations. For example, Department of Work & Pensions (DWP), HM Revenue & Customs, HM Courts & Tribunal Service. These typically relate to instances where deductions are to be made from your pay because of a legally binding decision that has been made about you (e.g. failure to pay child maintenance).
- Your People Manager will capture data during your employment in relation to aspects such as absence and performance management.
- We also collect personal data about you indirectly as part of our logging and monitoring of IT system usage and physical access to our premises, as described further in Section 4 “Purpose and Legal Basis of processing”.
- We may collect other data where we have used cookies to collect information from your computer or portable electronic devices. Please see our cookies policy for more information.
For us to enter and maintain a contractual employment relationship, it may be necessary for you to provide additional personal data from time to time.
If you do not provide information that we require, either for compliance with our statutory obligations or where required by the terms of your employment contract with us, the following consequences may arise:
- We may not be able to offer you a job where you don’t provide information requested during the recruitment process. For example, where this prevents us from being able to complete all required background checks.
- Your contract may be terminated during employment. For example, where you withhold information requested to support internal investigations or disciplinary proceedings.
Where your information is provided, adverse findings may result in your application being rejected or employment offer being withdrawn, disciplinary action or termination of your employment.
4. Purpose and Legal Basis of processing
We and/or persons acting on our behalf may process your personal data for any of the following purposes:
- Manage all aspects of recruitment activity, such as reviewing your application, assessing your suitability for employment opportunities as well as identity and background checking.
- Manage all aspects of an employer-employee relationship, including, but not limited to, pay and benefits, accounting and auditing, travel and expenses, training, absence, performance appraisal, disciplinary and grievance processes, communications, equal opportunities monitoring and other general administrative and human resource related processes.
- Undertake appropriate assessments where relevant for Health & Safety or Occupational Health reasons and share the resulting information to enable appropriate support or other action to be taken.
- Manage all aspects of terminating employment and support post-employment activities (such as provision of references).
- Maintain emergency contact and beneficiary details (which involves us holding information on those you nominate in this respect).
- Perform money laundering, financial and credit checks for fraud and crime prevention and detection.
- Administer the security and access of our buildings, IT platforms and applications.
- Monitor and assess compliance with our policies and standards.
- Promotional and marketing materials and activities, including photos and videos.
- Communication and provision of requested products and services to employees.
- Compliance with legal and regulatory obligations, court orders and execution of our legal rights. For example, this can include processing an attachment of earnings order or responding to lawful requests from the DWP concerning your employment status.
- Any other legitimate business purpose or as otherwise permitted by any applicable law or regulation to facilitate the organisation and delivery of activities that support your ongoing employment relationship with us. For example, your details may be shared with providers of conference or entertainment facilities where appropriate as part of arranging work-related events.
For each of the purposes outlined above, one or more ‘Legal Bases’ for processing apply. The relevant conditions are outlined below, in order of our level of reliance upon them:
- Necessary for entering into or performance of a contract - This accounts for most of your data processing and encompasses everything from recruitment, pay and benefit administration to performance management.
- Necessary for compliance with a legal obligation - Some data must be processed to comply with legislative or regulatory requirements. This includes examples such as tax, national insurance, statutory sick pay, statutory maternity pay, family leave and work permits, as well as criminal history checks and equal opportunities monitoring. This includes ‘statute’ (i.e. Acts) and ‘common law’, which covers things like contract law and duty of care.
- Necessary for legitimate interests – This is only used where processing that we wish to undertake doesn’t quite fit under the other conditions. For example, calls made to our HR support teams (which are recorded for audit and training purposes), supporting organisational development activities (such as reorganisations, or for talent management purposes) and where you appear in images or videos used for promotional purposes.
A separate set of conditions applies to processing of ‘special categories’ of data due to their increased sensitivity. For example, this includes racial or ethnic origin, sexuality and medical information. Whilst we do process some data that fall within these categories, it is typically given to us by you, voluntarily, under one of the following conditions:
- Necessary for carrying out obligations or exercising rights under employment law - This may for example include review of sickness and absence information to identify where support may be required or action taken.
- Necessary for reasons of substantial public interest - This applies when we use data for diversity monitoring purposes i.e. to ensure that our processes are not discriminatory.
- Necessary for purposes of occupational health or assessment of working capacity of an employee - This covers processing such as the medical screening of employees working in high risk roles (for Health & Safety purposes) or occupational health assessments where employees need additional support.
Please note the legal basis used has an impact on what rights you have, as described further in Section 9 “Your Rights”. As this is a complex area that is difficult to present concisely, we encourage you to get in touch to discuss any questions or concerns using the details shown in Section 11 “How to contact us”.
We may monitor employees' use of our information assets (such as email communications, access to files and shared drives, and internet usage) in accordance with the Acceptable Use Policy. Monitoring is undertaken to:
- Confirm compliance with the Cyber Risk Minimum Standard and Information Security Mandatory Requirements.
- Protect personal information of our customers and employees.
- Investigate or detect unauthorised use, wrongful use or abuse of our services, systems or other materials to assist with security, crime prevention and fraud purposes.
5. How we share your data
To fulfil the purposes for which personal data is processed, we may share personal data (including, from time to time, special categories of data) with a range of individuals, external companies and other organisations, in line with the obligations of your employment contract and your working relationship with us.
Any disclosures of personal data are made using the minimum personal data necessary for the specific purpose and circumstances. Information is only shared with third party organisations where deemed necessary to fulfil the contractual employment relationship with you, to comply with legal or regulatory obligations or where you have consented to the disclosure of your personal data to such persons.
We may obtain and share personal data on a regular and ongoing basis with a wide variety of organisations, which may include but is not limited to:
- Third parties who process your personal data on our behalf (such as the providers of our core HR, payroll and benefit systems, or our bank for the purposes of paying you salary and expenses). This may include the transfer of special categories of data for the purposes of providing Occupational Health and Income Protection services.
- Third party providers of employee benefits and other organisations that provide services to you (such as our industry event organisers and logistic firms for delivery or collection of business-related items from your home address to support remote working practices).
- Other financial institutions, credit referencing agencies or regulatory bodies, typically for identity verification, fraud and financial crime detection or prevention purposes.
- Any prospective buyer in the event we sell any part of our business or its assets or if substantially all of our assets are acquired by a third party, in which case your personal data could form part of one of the assets we sell.
- Any regulatory body, exchange body, enforcement body or court where we are required to do so by applicable law or regulation or at their request.
- Central government, government agencies and departments, local authorities, law enforcement and other public bodies (i.e. Her Majesty's Revenue and Customs, Department for Work and Pensions, Child Support Agency).
- Your relatives or guardians where there is a duty to do so i.e. to protect your or another person's vital interests or where it is in the interests of your relatives or guardians (and on balance does not infringe your rights).
- Any subsidiary of the ultimate holding company, Direct Line Insurance Group plc, as required for the proper conduct of our business.
6. Where we may transfer your data
The personal data we collect from you may be processed in (including accessed in or stored in) a country or territory outside the United Kingdom, which may not enforce the same level of protection by law or regulation. To safeguard your data, we put in place contractual obligations with third parties, to define technical and organisational measures to provide appropriate protection.
7. How we retain your data
We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements. Our approach to data retention is formalised within the Information Management Minimum Standard. This is supported by the Record Retention Schedule, which defines the retention period for each type of record held.
- Data related to applications submitted by external candidates (i.e. individuals not currently employed by us) are by default only retained for 2 years. We may extend this, with agreement from the candidate, to allow us to highlight suitable roles when they arise.
- Data related to former employees is generally retained for at least 6 years following the end of their employment with us, due to the legal and regulatory obligations we operate under. There will be exceptions where we need to keep your personal information for longer, such as for specific Health & Safety purposes.
Please be advised that you may be able to directly access and remove your own personal data held on our systems, using our Employee Self-Service functionality. Further information is provided in the ‘Changing Personal Details’ people process and Quick Reference Guides on the corporate intranet.
8. How we protect your data
We are committed to protecting your personal data and maintain a robust Information Security framework to ensure it remains confidential and secure. Our approach to Information Security is formalised within the Cyber Risk Minimum Standard and supported by further policies, requirements for Third Party Suppliers and security awareness initiatives.
9. Your rights
Under Data Protection law, you have various rights in relation to your own data (i.e. where you are the ‘data subject’), which are summarised below:
- Right of Access - You have the right to request a copy of all the personal information that we have about you. Please note, you can directly access some of your own personal data held on our systems, using Employee Self-Service functionality.
Further information is provided on the corporate intranet in the ‘Changing Personal Details’ people process and Quick Reference Guides.
- Right to Rectification - You have the right to ask us to update information that we hold about you where it is incorrect or incomplete. Please note that you can update some of your own personal data yourself using Employee Self-Service functionality.
- Right to Erasure - You have the right to request the deletion of your personal data, for example where processing is no longer necessary for the purposes for which the data were collected.
- Right to Restriction of Processing - You can ask us to stop processing your data (i.e. we cannot make any further changes, delete, or share it). For example, this could be where you wish to challenge the accuracy of data or where you make use of your ‘Right to Object’.
- Right to Data Portability - You are entitled to an electronic copy of the data that you provided to us as part of entering into, or performance of your employment contract. The right is limited to data that are processed ‘by automated means’, so typically applies only to the information you submitted as part of the recruitment process.
- Right to Object - You can object to processing conducted under the ‘Legitimate Interest’ condition (as outlined in Section 4 “Purpose and Legal Basis of processing”) and we must then cease processing unless we can demonstrate compelling grounds.
- Right to withdraw consent - We do not process any data for employment purposes based on consent. Although language like that has been used in the past, the law is clear that consent must be freely given and that this is unlikely to be the case in an employer/employee relationship.
- Automated decision-making and profiling - You have the right not to be subject to a decision which is based solely on automated processing (including profiling), which would have a significant or legal effect on you. In an employment context, this might include e-recruiting practices whereby failure to achieve a set score on an application test by itself would lead to your application being rejected.
Whilst this right doesn’t apply when the processing is necessary for entering into a contract, in any event you have the right to contact us to express your point of view and challenge the decision.
To exercise these rights, please contact us as described in Section 11 “How to contact us”.
Please note that there will be situations where exceptions apply under Data Protection law that we may rely on. For example, we will not be able to delete your personal information where it is required for legal purposes (e.g. tax records for HMRC). We will tell you if we are unable to comply with your request, or how your request might impact you, when you contact us.
This can be a complex area and we will happily help address any questions or concerns you have in relation to processing of your data.
10. How we update this Privacy Notice
We may update this Privacy Notice at any time, in accordance with applicable legislative and regulatory requirements or our internal policies and processes. Employees may be notified of significant changes, for example via their People Manager or an intranet article.
11. How to contact us
If you would like to discuss any aspect of this Privacy Notice or anything else about the personal data we collect on you, please contact us using the details below.
- Specific queries in relation to exercising your Rights should be directed to:
Post: Direct Line Group, HR Services, 9th Floor, The Headrow, Leeds, LS1 8HZ
- For all other HR queries, please email HRmatters@directlinegroup.co.uk
- For all other privacy queries, please contact our Privacy & Information Management team.
- You may also contact our Data Protection Officer by the following means:
Post: The Data Protection Officer, DL Insurance Services Limited, Churchill Court, Westmoreland Road, Bromley, BR1 1DP
If you have any concerns or complaints in relation to the processing of your data for employment purposes, we ask that you contact us first to give us the chance to understand the issue and see how we can address it.
In any event, you have the right to lodge a complaint with our supervisory authority, the Information Commissioner's Office. To report a concern to the ICO:
- Telephone helpline 0303 123 1113
- Textphone service 01625 545860