6. Your rights
The Honourable Society of the Middle Temple (‘the Inn’) respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data with regards to HR activities. It is for current and former staff of the Inn, including full-time, part-time, permanent, and fixed-term employees, independent contractors, consultants and other outsourced and non-permanent workers. It is also relevant for individuals applying for jobs at the Inn.
The document is provided in a layered format so that you can click through to the specific areas set out below. It is also available as a PDF document at the bottom of this page.
This privacy notice should be read in conjunction with the document “HR Privacy Notice: Further Information” (available at the bottom of this page), which provides more detailed information about the personal data that the Inn uses in relation to HR activities. Schedules 1-4 that are referred to in this privacy notice can be found in the Further Information document.
This privacy notice should also be read in conjunction with the Inn’s other Data Protection policies and notices which can be viewed on the Inn’s website: https://www.middletemple.org.uk/about-us/data-protection. These other documents provide more general information about how the Inn uses and stores your data. If you would like more information please contact the Inn’s Data Protection Officer at email@example.com
1. Important information and who we are
The Inn is a Data Controller and is therefore responsible for your personal data (referred to as, “we”, “us” or “our” in this privacy notice).
We have appointed a Data Protection Officer (DPO), who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
DPO Contact DetailsSarah Cates Data Governance Manager The Honourable Society of the Middle Temple Middle Temple Treasury Ashley Building Middle Temple Lane London EC4Y 9BT Tel: 020 74274800 Email: Data.Protection@middletemple.org.uk
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.
Changes to the Privacy Notice
This version was last updated on 18 September 2020 and historic versions can be obtained by contacting us.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
2. How we collect and use your information
Collection of your data
During the course of your time working with the Inn, we will collect, obtain and hold a range of data about you that may be able to identify you directly or indirectly (personal data). We cannot administer our employment or other relationship with you without your personal data. If and when you cease to be employed by us, we will continue to hold some data for a predefined period of time in order to fulfil our remaining tasks and obligations.
Further details of the personal data we collect, where we get it from and what we do with it are set out in Schedule 1 in the HR Privacy Notice: Further Information document.
Much of this data is data that you provide to us directly when you apply for employment with us, when you complete our application forms or correspond with us and in the course of performing your job.
If we do not receive information directly from you, we either generate it ourselves, or we receive it from third parties, such as:
- HM Revenue and Customs (HMRC)
- Pensions scheme providers
- Individuals or organisations that you name as a referee.
We request data from you when you:
- Submit an application for a job at the Inn
- Provide us with new starter and payroll information and start working with us
- Update your personal record via the Human Resources system during your employment or ask us to update your record in any way
- Supply emergency contact details - in which case we will assume that the person whose details you give us are happy for these details to be shared with us by you
- Request shared parental leave, in which case we will receive the spouse/partner’s name and the name of their employer either from you or from your spouse/partner’s employer
- Share it during the course of your employment, for example this may include, but is not limited to: during correspondence with you, during the annual performance review or appraisal process, during disciplinary processes, if you need to take sick leave, or if your role changes.
The purposes of processing your information
We process your personal data for particular purposes in connection with your work with us, and the management and administration of the Inn’s business.
We are required by law to always have a permitted reason or justification (called a “lawful basis”) for processing your personal data. There are six such permitted lawful bases for processing personal data. The table at Schedule 3 in the HR Privacy Notice: Further Information document sets out the different purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.
Please note that where we have indicated in the table at Schedule 3 that our processing of your personal data is either:
- necessary for us to comply with a legal obligation; or
- necessary for us to take steps, at your request, to potentially enter into an employment contract with you, or to perform it
and you choose not to provide the relevant personal data to us, we may not be able to enter into or continue our contract of employment or engagement with you.
We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand the diversity of the Inn’s workforce.
Special category personal data (including criminal data)
Sensitive personal data, called “Special Category” data in the legislation, receives extra protection under data protection law. The Inn can only process it if we have an additional lawful basis to rely on and meet higher standards for safeguarding it.
The table at Schedule 4 in the HR Privacy Notice: Further Information document sets out the different purposes for which we process your Special Category personal data and the relevant lawful basis on which we rely for that processing. For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.
Who your information is shared with
Whilst you are working with us, we will need to share certain information both internally between departments and with external parties. As a principle, only minimal information will be shared as necessary and only where we have identified a lawful basis or exemption for doing so, and the data is proportionate to the need. There is guidance and governance in place to help staff to ensure that only the necessary data is made available to other departments or third parties who would not otherwise have access to it.
Some information must be shared by HR with other departments to complete essential tasks related to your employment, such as payroll, occupational health, pensions and arranging access to IT services.
Other purposes for which personal data may need to be shared internally include:
- Analysis to ensure our compliance with equality of opportunity and diversity legislation
- Allow for line managers to provide staff with sufficient support in their role
- Strategic analysis, planning and forecasting
- Investigating alleged employee misconduct
Third parties with whom information about staff may need to be shared by the Inn include:
- Governmental departments, statutory and regulatory bodies including the Department for Work & Pensions, Information Commissioner’s Office, Her Majesty’s Revenue and Customs (HMRC) or Health and Safety Executive (HSE) to meet statutory reporting obligations
- Employment-related benefits providers and other third parties in connection with your benefits (such as pension trustees)
- Disclosure and Barring Service to obtain criminal record checks for certain roles
- Law enforcement agencies for the prevention or detection of crime
- External auditors
- Legal advisors to the Inn
- Emergency response services as necessary to protect your vital interests or those of another person.
We may also share your personal data with third parties, as authorised directed by you.
From time to time we may ask third parties (e.g. service providers and/or sub-contractors) to carry out certain business functions for us, such as the administration of our payroll and the hosting of our HR IT systems (which will include maintenance, development and upgrade). These third parties will process your personal data on our behalf (as our Data Processor). We will disclose your personal data to these parties so that they can perform those functions, however we will enter into a written contract imposing appropriate security standards on them to ensure that they process your personal data in accordance with Data Protection legislation.
3. International transfers
If any of our processing activities require your personal data to be transferred outside of the European Economic Area (the member states of the EU plus Iceland, Liechtenstein and Norway), we will only make that transfer if:
- the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
- we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient;
- the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
- you explicitly consent to the transfer.
Please note that the Inn uses an external third party processing organisation for its cloud-based HR and payroll solution. In using this, some of your personal data will be transferred outside of the European Economic Area, to the USA. The personal data is shared in accordance with Binding Corporate Rule (BCR’s), which ensure that high standards of privacy are met in accordance with the General Data Protection Regulation (GDPR).
4. How long do we keep your personal data for?
If you are employed or engaged by us we will keep your personal data during the period of your employment/engagement and then, after your employment/engagement with us ends, for as long as is necessary in connection with both our and your legal rights and obligations. This may mean that we keep some types of personal data for longer than others. Full details of our data retention periods are contained in Schedule 2 in the HR Privacy Notice: Further Information document.
We will only retain the majority of your personal data for a limited period of time. This will depend on a number of factors, including:
- any laws or regulations that we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party;
- the type of information that we hold about you; and
- whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
Any personal data contained in any work related correspondence or records may be retained for longer, dependant on the retention period of the file that your personal data is held on.
Some basic information about our former staff is transferred to the Inn’s Archives for permanent preservation so that it can be professionally managed in order to facilitate future historical research enquiries. All relevant safeguards are met in relation to this archival processing.
When it is no longer required in line with its retention period, personal information is securely and permanently destroyed.
5. How do we protect your data?
We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Please see the Inn’s Data Protection Policy on the Inn’s website https://www.middletemple.org.uk/about-us/data-protection for more detailed information about security of data.
6. Your rights
You have certain legal rights, which are briefly summarised below, in relation to any personal data about you which we hold.
What does it mean?
Limitations and conditions of your right
Right of access
Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).
If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations.
We must be able to verify your identity.
Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff.
Right to data portability
Subject to certain conditions, (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/) you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine-readable format.
If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.
This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal data that has been provided to us by you.
Rights in relation to inaccurate personal or incomplete data
You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, telephone number or immigration status.
This right only applies to your own personal data. When exercising this right, please be as specific as possible.
Right to object to or restrict our data processing
Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.
This right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.
Right to erasure
Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.
We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
Right to withdrawal of consent
Where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.
If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
If you wish to exercise any of your rights please contact our Data Protection Officer at firstname.lastname@example.org in the first instance. You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.