Privacy Notice - For Job Applicants, Employees and Contractors

Introduction

This Privacy Notice applies to all job applicants, employees, contractors, temporary staff and any other individuals who personally provide services to the Sure Group.

The Sure Group takes your privacy very seriously and we will comply with the applicable data protection laws. This Privacy Notice is intended to set out your rights and answer any queries you may have about how Sure collects and uses your personal data. If you need more information, please contact the Sure Data Protection Officer on [email protected]

Unless we inform you otherwise during the recruitment process, the Sure legal entity operating in the island you are located will be your data controller (e.g. in Guernsey (Sure (Guernsey) Limited) and will be the company to which you provide your consent for the processing of your personal data.

This privacy policy does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

Who are the Data Controllers?

Jersey

Sure (Jersey) Limited

Foreshore Limited

Guernsey

Sure (Guernsey) Limited

Isle of Man

Sure (Isle of Man) Limited

This Privacy Policy is issued on behalf of the Sure Group so when we mention Sure, "we", "us" or "our" in this Privacy Policy, we are referring to the relevant company in the Sure Group responsible for processing your data.

Data Protection Officer

We have a designated Data Protection Officer, their contact details are as follows: Address: The Data Protection Officer Sure The Powerhouse Queens Road St Helier Jersey JE2 3AP Email: [email protected]

Data Protection principles

We will comply with data protection law which states that the personal information we hold about you must be: 1. Used lawfully, fairly and in a transparent way. 2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes. 3. Relevant to the purposes we have told you about and limited only to those purposes. 4. Accurate and kept up to date. 5. Kept only as long as necessary for the purposes we have told you about. 6. Kept securely.

What information do we collect and process?

We collect and process personal data about you from when you apply for a job with us.

The personal data we process for job applicants during the application process may include:

• your name, home address, email address and/or phone numbers;

• your gender, date of birth, marital status, nationality and Social Security number (where you provide this to us);

• your educational and employment history;

• other information contained within your CV or other documents or information you submit to us;

• information from the selection process, if any;

• references and assessments relating to your work for previous employers;

• information to confirm your identity and right to work, such as a copy of your passport;

• information relating to your feedback on our organisation.

• Information from other sources: to the extent permitted by local law, we may collect information in relation to, or from, your contact with or from third parties, including recruiters, clients, employment research firms, occupational health providers, websites and other publicly accessible information on the Internet;

• Automated collection of Information: if/when you make an application through our [website], we may collect information sent to us by your device including, data about the pages you access, your computer IP address, device identifiers, the type of operating system you are using, your location, mobile network information, standard web log data and other info.

For employees (current and former) the following additional personal data is processed:

• information collected during the recruitment process;

• any updates on the information listed above in respect of applicants;

• details of your next of kin and dependents;

• emergency contact information;

• payroll information including bank information, payroll records, social security information and tax status;

• salary, annual leave, pension and benefits information;

• Start date and, if different, the date of your continuous employment;

• leaving date and your reason for leaving;

• location of employment or workplace;

• details of your performance as an employee of Sure;

• information regarding your job history and employment dates for Sure;

• grievance or disciplinary information;

• detains of training and qualifications attended and attained;

• details of your use of our IT infrastructure, including audit logs;

• CCTV footage of you and other information obtained through electronic means such as swipe card records whilst on Sure premises;

• Security clearance details including basic check sand higher security clearance according to your job.

• some employees, such as Customer Service Centre employees may have their phone calls recorded;

• photographs;

• any other information you provide to us.

For employees, we may also collect, store and use the following "special categories" of more sensitive personal information:

• information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;

• trade union membership;

• information about your health, including any medical condition, health and sickness records, including:

o details of any absences (other than holidays) from work including time on statutory parental leave and sick leave;

o details of medical certificates and occupational health reports

o where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes; and

• Information about criminal convictions and offences.

What is the source of this information?

For applicants we obtain this information directly from you, our personnel, through our systems and equipment, as well as from third parties such as recruitment agencies, background checking companies or former employers. We may also obtain it from your public profiles available online.

For employees from yourself, your colleagues and managers as well as third parties.

We may also collect personal information from the trustees or managers of pension arrangements operated by a group company.

We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

How do we use this information and what is the legal basis for this use?

We process the personal data listed above in accordance with:

• In our legitimate interest where the information is provided by a job applicant including to assess your job application;

• To perform the contract, we have entered into with you where you have been employed by Sure;

• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

• to enable us to comply with our legal and regulatory obligations;

We may also use your personal information in the following situations, which are likely to be rare:

• Where we need to protect your vital interest (or someone else’s vital interest);

• Where it is needed in the public interest or for official purposes. 

• Where we need to protect your interests (or someone else's interests).

In order to:

• to make recruitment decisions;

• for normal employment purposes;

• to prevent and detect fraud and other wrongdoing;

• to support the services, we provide to our clients;

• to establish, exercise or defend our legal rights;

• to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution; and

• to manage risk

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

How we use particularly sensitive personal information

"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:

• In limited circumstances, with your explicit written consent.

• Where we need to carry out our legal obligations or exercise rights in connection with employment.

• Where it is needed in the public interest, such as for equal opportunities monitoring [or in relation to our occupational pension scheme].

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.

Our obligations as an employer

We will use your particularly sensitive personal information in the following ways:

• information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws;

• absence reporting

• information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance;

• if you apply for an ill-health pension under a pension arrangement operated by a group company, we will use information about your physical or mental health in reaching a decision about your entitlement;

• [information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting;]

• trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.

Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Criminal Convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our privacy notice.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will use information about criminal convictions and offences in the following ways:

With whom and where will we share your personal data?

We may have to share your data with third parties, including third-party service providers and other entities in the group but we require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your personal information outside the EU but if we do, you can expect a similar degree of protection in respect of your personal information.

We may share your personal data for the purposes of intra-group administration. We may also share your personal data with our professional advisors such as our auditors and external legal and financial advisors.

Personal data may be shared with government authorities and/or law enforcement officials if mandated by law or if needed for the legal protection of our legitimate interests in compliance with applicable laws. Personal data may also be shared with third party service providers who will process it on behalf of Sure for the purposes above such as death in service or healthcare administration. In the event that any part of our business is sold or integrated with another business, your details may be disclosed to our advisors and those of any prospective purchaser and would be passed to the new owners of the business.

We will share personal data regarding your participation in any pension arrangement operated by a group company with the trustees or scheme managers of the arrangement in connection with the administration of the arrangement.

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

How long will you keep my personal data?

We will not keep your personal information for longer than is necessary and will only retain the personal information that is necessary to fulfil the purpose.

In relation to job applicants, we will keep your personal information for as long as we need it to process your application. If your application results in employment with us, the information provided may be retained for purposes of your employment. Information may also be retained to consider your candidacy for other positions that may be of interest to you unless you indicate otherwise.

We are also required to retain certain information by law or if it is reasonably necessary to meet regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions.

Where is my data stored?

The personal data that we collect from you may be transferred to, and stored outside the European Union (EU). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers, in which case the other country's data protection laws will have been approved as adequate by the European Commission or other applicable safeguards are in place. Further information may be obtained from our Data Protection Officer.

Security of my data

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from our Data Protection Officer.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How long is my data retained?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available on the intranet or from our Data Protection Officer.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the business we will retain and securely destroy your personal information in accordance with our data retention policy.

Your Rights as a Data Subject

Data subjects in the European Union or jurisdictions with equivalent data protection laws (to The European Data Protection Regulation) have certain rights in respect to their personal data. These rights include: • to withdraw consent to processing previously given, • to access to your data (Subject Access Request), • to have your data corrected, or updated, • to have your data deleted, • to have access to your data restricted, • to have your data provided to a third party, • to object to any particular processing. • To make a complaint to the relevant data protection authority. Any request to relating to the above rights should be addressed in the first instance to the Sure Data Protection Officer at [email protected]

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Complaints

If you wish to raise a complaint in regard to our processing of your data you may do so by writing to our Data Protection Officer at the address above, or emailing [email protected]

You may also complain directly to the relevant data protection regulator, contact details, instructions for making a complaint and other useful information may be found on their websites:

Guernsey: www.odpa.gg

Isle of Man: www.inforights.com

Jersey: www.jerseyoic.org

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Version 4.0 March 2020