Riverside Group Privacy Notice for Employees, Workers, Contractors and Volunteers


What is the purpose of this document?

The Riverside Group Limited (TRGL) is committed to protecting the privacy and security of your personal information.

This privacy notice tells you:
  • what information we process and why
  • the lawful basis for processing in each case
  • how long we will retain it
  • how it will be kept safe, and
  • what your rights are

  • It applies to all our employees, workers, contractors, and volunteers during your work for us and after it.

    It is important that you read this notice, and any other privacy notice we may provide on specific occasions, so that you know why and how we use your information.

    TRGL is ‘data controller’ and as such we are responsible for deciding how we hold and use personal information about you. However, it doesn’t become our information. Under data protection law you have rights and we have responsibilities.

    Your basic right is that we must process your information lawfully, fairly and transparently. This privacy notice, which follows guidance given by the Information Commissioner’s Office at Privacy Notices, is part of being transparent so you can check we are being lawful and fair.

    In the spirit of transparency we will avoid jargon, but please note that ‘personal information’ is information about you from which you can be identified, whether directly or indirectly; and that ‘processing’ personal information, includes obtaining, recording, using, sharing, holding and deleting it.

    This notice does not form part of your contract of employment or contract to provide services.

    The data protection principles

    We will comply with data protection law. It says the personal information we process about you must be:

    1. Processed lawfully, fairly and transparently

    2. Obtained only for specific, explicit and legitimate purposes and not processed in any way that is incompatible with them

    3. Adequate, relevant and limited to the purposes and necessary for them

    4. Accurate and up to date

    5. Retained for only as long as is necessary for the purposes

    6. Kept securely

    The types of information we process

    We will process the following categories of personal information about you:

  • Contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • Date of birth
  • Gender
  • Marital status and dependants
  • Next of kin and emergency contact information
  • National Insurance number
  • Bank account details, payroll records and tax status information
  • Salary, annual leave, pension and benefits information
  • Start date
  • Location of employment or workplace
  • Copy of driving licence
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process
  • Employment records (including job titles, work history, working hours, training records and professional memberships)
  • Compensation history
  • Performance information
  • Disciplinary and grievance information
  • CCTV footage and other information obtained through electronic means such as swipe card records
  • Information about your use of our information and communications systems
  • Photographs

  • We may also process sensitive (‘special category’) information relating to

  • Racial or ethnic origin
  • Sexual orientation
  • Religious or philosophical beliefs or political opinions
  • Trade union membership
  • Health
  • Biometric identity (of ex-military staff)
  • Criminal convictions or pending prosecutions

  • How do we obtain your personal information?

    We will collect information about you in the application and recruitment process, either from you or an employment agency, and health information about you as part of your pre-employment health check.

    We might also collect information from third parties including former employers, the Home Office (for visa checks), the Disclosure and Barring Service,

    We may collect additional work-related information in the course of your work for us.

    How we will use your information?

    We will only process your personal information when the law allows us. That will chiefly be in the following circumstances:

    1. Where we need to perform the contract we have entered into with you

    2. Where we need to comply with another legal obligation

    3. Where it is necessary for our legitimate interests, or those of a third party, and your interests or fundamental rights and freedoms do not override those interests

    We may also process your personal information in the following situations, which are likely to be rare:

    1. Where it is necessary to protect the vital interests of you or someone else

    2. Where it is needed in the public interest or for official purposes

    Situations in which we will use your personal information

    The situations in which we will process - including in some case disclose - your personal information include;

  • Determining the terms of your work for us
  • Making a decision about your recruitment or appointment
  • Checking you are legally entitled to work in the UK
  • Paying you and, if you are an employee, deducting tax and National Insurance contributions
  • Providing benefits to you such as car allowance, London allowance, market supplement
  • Liaising with your pension provider
  • Administering the contract we have entered into with you
  • Business management and planning, including accounting and auditing
  • Conducting performance reviews, managing performance and determining performance requirements
  • Making decisions about salary reviews and compensation
  • Assessing qualifications for a particular job or task, including decisions about promotions
  • Gathering evidence for possible grievance or disciplinary hearings
  • Making decisions about your continued employment or engagement
  • Making arrangements for the termination of our working relationship
  • Education, training and development requirements
  • Dealing with legal disputes involving you, or other employees, workers, contractors or volunteers, including accidents at work
  • Ascertaining your fitness to work
  • Managing sickness absence
  • Complying with health and safety obligations
  • To prevent fraud
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies (applying the Information Commissioner’s Employment Practices Code)
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
  • To conduct data analytics to review and better understand employee retention and attrition rates
  • Monitoring diversity and equality

  • The list is not exhaustive but the situations involve the performance of our contract with you or compliance with other legal obligations, and/or the pursuit of legitimate interests that are not overridden by your rights or interests. (If you think they are, you should speak to your manager or TRGL’s Data Protection Officer.

    How we use sensitive information including information about criminal convictions

    The law places additional safeguards and conditions on processing ‘special categories’ of information (see above) and information about criminal convictions or current criminal proceedings.

    We have a policy document in place that explains how we comply with the data protection principles and sets out our policies in respect of retention and erasure.

    We may process the information in the following circumstances:

    1. With your explicit written consent but only in the limited circumstances set out below

    2. Where it is needed to perform obligations or exercise rights relating to your employment that the law imposes or confers on you or us

    3. Where it is needed in the public interest, for equality and diversity monitoring, or in relation to our occupational pension scheme, or to prevent crime.

    Unless you are a contractor or volunteer in which case we may not rely on the circumstances set out in paragraph 2 above.

    We may also process special category information where it is needed in relation to legal claims; or to protect your vital interests, or someone else's, when you are not capable of giving your consent; or where you have already made the information public.

    Our obligations as an employer

    The circumstances in which we will process special category information about you include:

  • Information relating to leaves of absence, which may include sickness absence or family related leave, to comply with employment law
  • Information about your physical or mental health, or disability status, to ensure your health and safety at work and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence, and to administer benefits
  • Information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  • Trade union membership information to pay trade union premiums, to register the status of a protected employee, and to comply with employment law obligations.

  • Do we need your consent?

    We don’t need your consent to process special category information in order to perform obligations or exercise rights relating your employment that the law imposes or confers on you or us. However, we may ask for your written consent when it is not clear that the particular reason for processing falls within the employment law condition, or we feel we should seek your consent in the particular circumstances.

    When we do ask for your consent, we will provide you with full details of the proposed processing and reasons for it so that you can carefully consider whether you wish to consent. Consent must be freely given. It is not a condition of your contract with us that you agree to any request for consent from us, nor will the refusal of consent ever be held against you.

    Your right to withdraw consent

    You can withdraw your consent at any time. You should inform your manager and/or TRGL’s Data Protection Officer. We will no longer process your information for the purpose or purposes you consented to, unless there is another lawful basis and a continuing need to process the information for the particular purpose. We will tell you about it if we do.

    Your duty to inform us of changes

    It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

    If you fail to provide personal information

    If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers or customers). In certain circumstances we may be unable to continue to employ you.

    Change of purpose

    We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for another reason we will notify you and explain the legal basis which allows us to do so.

    Information security

    We have put in place measures to protect the security of your information. We will employ measures to ensure security compliance by working towards a framework to ensure confidentiality, integrity and availability of your data. We will have security policies in place and will apply a risk based approach to the protection of personal data using appropriate technology, robust procedural controls and continual assessment of the effectiveness of these controls.

    Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

    We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and where they are subject to a duty of confidentiality. [

    We have put in place procedures to deal with any suspected information security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

    We may transfer your information outside of the EU in limited circumstances. If we do you can expect a similar degree of security and protection as if it were processed within the EU.

    How long will we keep your information?

    We will only retain your personal information for as long as necessary for the purposes we obtained it, including any legal, accounting, or reporting requirements. Details of retention periods for different types of information are set out in our retention schedule which applies the relevant law and best practice this can be found on the RIC.

    When we can we will anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

    Once you are no longer a TRGL employee, worker or contractor we will retain and securely destroy your personal information in accordance with our information retention schedule.

    Your rights to access, correction, erasure, and restriction

    You have the right by law to:
  • Request access to your personal information (commonly known as a ‘subject access request’ or ‘SAR’). This entitles you to a copy of the personal information we hold about you and to check that we are lawfully processing it. (The link to the guidance of the Information Commissioner’s Office (ICO) is access.)
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. (The link to the ICO’s guidance is rectified.)
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). (The link to the ICO’s guidance is erased.)
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. (The link to the ICO’s guidance is object).
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it. (The link to the ICO’s guidance is restricted.)
  • Request the transfer of your personal information to another party. (The link to the ICO’s guidance is portability.)

  • If you want to exercise any of these rights please contact TRGL’s Data Protection Officer in writing.

    We may need specific information from you to help us confirm your identity and confirm your right to access the information or exercise any of your other rights. (This is an appropriate security measure to ensure that personal information is not disclosed to someone who has no right to receive it.)

    Data Protection Officer

    We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.

    Changes to this notice

    We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

    If you have any questions about this privacy notice, please contact hr.support@riverside.org.uk