Privacy notice
1. About this notice
1.1 This privacy notice explains how and why we collect and process personal data, the types of data we process, our lawful bases, the rights of data subjects and how they can exercise those rights.
1.2 We are the data controller when we process personal data.
1.3 We are based in the United Kingdom therefore must comply with the UK GDPR, the Data Protection Act 2018 and any legislation or regulation which replaces or amends these. As many of the individuals we support reside in EEA countries, which must also comply with the EU GDPR.
1.4 We work to increase disability inclusion during the recruitment process, in the workplace, at university and before professional bodies. We do this by ensuring that students, applicants, employees, professional bodies, universities and employers understand the correct application of the Equality Act 2010, and organisations’ duties to provide disability-related adjustments in accordance with statutory requirements. We also help organisations to put in place best practice disability.
1.5 Individuals must have a disability according to the Equality Act definition in order to register with us. As part of the registration process, individuals provide us with information about their disability. This is special category data. When processing special category data we must have additional safeguards in place.
2. Our purposes for processing data
2.1 The personal data we hold is collected, retained and generated in order to fulfil one or more of our purposes.
2.2 The following are our purposes for processing the personal data of EmployAbility staff.
| Type of Personal Data | Purpose |
|---|---|
| Bank details | To ensure the effective administration of staff |
| Criminal record checks | To ensure staffing needs are met appropriately |
| CVs, passports and other non-health information provided by applicants’ for roles with EmployAbility | To ensure staffing needs are met appropriately |
| Health and disability-related information about employees | To ensure the effective administration of staff, to comply with employment law in respect of employee absences, and to comply with our legal duties under the Equality Act |
| Responding to a rights request under the UK GDPR | To comply with our legal duties under the UK GDPR in respect of data subjects’ rights |
| Litigation and regulatory investigations | To defend or issue claims or to co-operate with investigations by authorised bodies |
| Non-health personnel records | To ensure the effective administration of staff |
2.3 The following are our purposes for processing the personal data of disabled individuals we support.
| Type of Personal Data | Purpose |
|---|---|
| Complaints | To comply with our legal duties under the UK GDPR to investigate complaints by data subjects |
| Contact details for marketing purposes (individuals) | To provide disabled individuals with information about career opportunities and related events |
| Disability information about individuals applying directly to a client organisation. | To assist disabled applicants to obtain the workplace adjustments they are entitled to under the Equality Act or equivalent legislation during the recruitment process. |
| Disability information about individuals applying to a client organisation for internships, graduate programmes, and experienced hire roles. Our services include personalised support, adjustments advice for recruitment and the workplace, advocacy, skills enhancement and placement. | To assist disabled applicants to obtain the workplace adjustments they are entitled to under the Equality Act or equivalent legislation during recruitment, and provide assistance to disabled applicants to access careers |
| Disability information about individuals requiring assistance in obtaining adjustments from higher education institutions, examining and regulatory bodies. | To assist disabled people to obtain the adjustments they are entitled to under the Equality Act at a higher education institution they attend, or in sitting exams or otherwise meeting qualification requirements from a professional examining body or regulatory |
| Disability information about individuals employed by a client organisation in respect of workplace adjustments. | To assist disabled workers to obtain the workplace adjustments they are entitled to under the Equality Act. |
| Information indicating how individuals became aware of our services | To understand how individuals and organisations became aware of our services |
| Litigation and regulatory investigations | To defend or issue claims or to co-operate with investigations by authorised bodies |
| Monitoring individuals’ satisfaction with our services | To ensure the standards of our services and improve upon them where appropriate |
| Participation in a scholarship programme | To run scholarship programmes in with employers for disabled students |
| Participation in EmployAbility’s Alumni Programme | To provide networking, mentoring and community for disabled individuals we have previously supported |
| Research | To carry out research in respect of disability-related issues |
| Responding to a rights request under the UK GDPR | To comply with our legal duties under the UK GDPR in respect of data subjects’ rights |
| Statistical analysis | To analyse take-up rates and success of our services, disability prevalence, and trends |
2.4 The following are our purposes for processing personal data belonging to staff working for our client organisations.
| Type of Personal Data | Purpose |
|---|---|
| Client orrganisation’s contacts and staff (non-disability data) | To provide contracted services |
| Client organisation’s contacts and staff (disability data) | To provide certain contracted services, including disability-inclusion and mental health audits, and Adjustments@Work |
| Complaints | To comply with our legal duties under the UK GDPR to investigate complaints by data subjects |
| Responding to a rights request under the UK GDPR | To comply with our legal duties under the UK GDPR in respect of data subjects’ rights |
| Contact details for marketing purposes (organisations) | To provide organisations with promotional material about our services |
| Information indicating how organisations became aware of our services | To understand how individuals and organisations became aware of our services |
| Monitoring organisations’ satisfaction with our services | To ensure the standards of our services and improve upon them where appropriate |
| Litigation and regulatory investigations | To defend or issue claims or to co-operate with investigations by authorised bodies |
3. Sources and types of data we hold
3.1 We process the following types of personal data, categorised by source.
Information provided to us by the data subject
This includes basic identifying information (such as names, qualifications, phone number, email addresses and work history), and health information relating to disability. Where we carry out an audit for an organisation, it may also include data subjects’ opinions about the organisation’s attitude to disability or their experiences as an employee. If we are conducting a research project it may include additional detailed health information or subjective opinions provided by the data subject. Data subjects also provide us with testimonials, articles, blogs and videos.
Information we generate about the data subject
This includes our assessment of an individual’s adjustments’ needs, their suitability for a role or event to which they apply or any alternative which we think may be more appropriate.
Information from third parties other than the data subject
This includes feedback from our partner employers and other organisations a data subject may have applied to, or reasons for an organisation refusing to provide adjustments. An organisation employing the data subject may provide us with adjustments’ contacts or decision-makers.
4. Our lawful bases
4.1 The following are our lawful bases for processing personal data belonging to EmployAbility staff.
| Type of Personal Data | Lawful Basis | Additional Condition |
|---|---|---|
| Bank details | Contract- To which the data subject is party (employees) or at the request of the data subject prior to entering into the contract (job applicants) – employment contract | Employment, social security and social protection |
| Criminal record checks – Includes criminal offence data. | Contract – To which the data subject is party – employment contract | |
| CVs, passports and other non-health information provided by applicants’ for roles with EmployAbility | Legitimate interest – Meeting staffing needs | |
| Disability-related reasonable adjustments relevant to applicants for roles with EmployAbility – Includes special category data. | Contract – To which the data subject is party (employees) or at the request of the data subject prior to entering into the contract (job applicants) – employment contract | Employment, social security and social protection |
| Health and disability-related information – Includes special category data. | Contract – To which the data subject is party – employment contract | Employment, social security and social protection |
| Responding to a rights request under the UK GDPR – Data subjects who are or have been EmployAbility staff or applicants to a role with EmployAbility, have the rights in respect of the processing of their personal data. Compliance with or refusal to comply with a request is a processing activity. – Includes special category data. | Compliance with legal obligation | Consent |
| Litigation and regulatory investigations | Compliance with legal obligation | Establishment, exercise or defence of legal claims |
| Personnel records – Relating to performance, disciplinary and absence records, references and other employee information. | Contract – To which the data subject is party – employment contract |
4.2 The following are our lawful bases for processing the personal data of disabled individuals we support.
|
Supported Individuals Type of Personal Data |
Lawful Basis | Additional Condition |
|---|---|---|
|
Complaints Data subjects who are disabled individuals registered with or supported by us, have the right to complain if they are unhappy with the way we process their personal data. Addressing complaints is a separate processing purpose. Includes special category data. |
Compliance with legal obligation |
Substantial public interest We have suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The Schedule 1 DPA condition relied upon is regulatory requirements. |
|
Contact details for marketing purposes (individuals) We provide individuals with our newsletter, and targeted material about opportunities and events. Includes special category data. |
Consent | Consent |
|
Disability information about individuals applying directly to a client organisation. We provide one-off advice only and these individuals are not registered with EmployAbility. Includes special category data. |
Consent | Consent |
|
Disability information about individuals requiring assistance in obtaining adjustments from higher education institutions, examining and regulatory bodies. |
Contract | Employment, social security and social protection law |
|
Disability information about individuals applying to a client organisation for internships, graduate programmes, and experienced hire roles. Our services include personalised support, adjustments advice for recruitment and the workplace, advocacy, skills enhancement and placement. These individuals register with EmployAbility. Includes special category data. |
Consent | Consent |
|
Disability information about individuals employed by a client organisation in respect of workplace adjustments. We provide one-off advice only and these individuals are not registered with EmployAbility. Includes special category data. |
Consent | Consent |
|
Information indicating how individuals became aware of our services Includes special category data. |
Legitimate interest Ensuring as many individuals as possible benefit from our services. |
Legitimate activity of not-for-profit body We have appropriate safeguards in place and this processing relates only to those we support.
|
|
Litigation and regulatory investigations Includes special category data. |
Compliance with legal obligation | Establishment, exercise or defence of legal claims |
|
Monitoring individuals’ satisfaction with our services Includes special category data. |
Legitimate interest Ensuring the quality of service provision to disabled individuals and making improvements where necessary |
Legitimate activity of not-for-profit body We have appropriate safeguards in place and this processing relates only to those we support. |
|
Participation in a scholarship programme This may include proof of identity and bank details. Includes special category data. |
Consent | Consent |
|
Participation in EmployAbility’s Alumni Programme Includes special category data. |
Consent | Consent |
|
Research To invite participation in research projects in order to better inform and provide evidence-based information about issues related to disability. Includes special category data. |
Consent | Consent |
|
Responding to a rights request under the UK GDPR Data subjects who are disabled individuals registered with or supported by us, have the rights in respect of the processing of their personal data. Compliance with or refusal to comply with a request is a processing activity. Includes special category data. |
Compliance with legal obligation | Consent |
|
Statistical analysis To analyse take-up rates and success of our services, disability prevalence, and trends Includes special category data. |
Legitimate interest | Research purpose |
4.3 The following are our lawful bases for processing personal data belonging to staff working for our client organisations.
|
Client Organisation Type of Personal Data |
Lawful Basis | Additional Condition |
|---|---|---|
|
Client organisation’s contacts and staff (non-disability data) To provide contracted services to organisations we process the names and contract details of staff at such organisations |
Legitimate interest Providing contracted services to organisations |
|
|
Client organisation’s contacts and staff (disability data) Some of the services we provide to clients, such as our Adjustments@Work service and disability-inclusion and mental health audits, may involve processing health data. Includes special category data. |
Legitimate interest Providing contracted services to organisations |
Consent |
|
Complaints Data subjects who are employed by one of our clients have the right to complain if they are unhappy with the way we process their personal data. Addressing complaints is a separate processing purpose. Includes special category data. |
Compliance with legal obligation |
Substantial public interest We have suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The Schedule 1 DPA condition relied upon is regulatory requirements. |
|
Responding to a rights request under the UK GDPR Data subjects who are employed by one of our clients have the rights in respect of the processing of their personal data. Compliance with or refusal to comply with a request is a processing activity. Includes special category data. |
Compliance with legal obligation | Consent |
|
Contact details for marketing purposes (organisations) We provide organisations with promotional material about our services and with legal updates. |
Legitimate interest Marketing our services to clients and prospective clients |
|
| Information indicating how organisations became aware of our services |
Legitimate interest Ensuring our marketing strategy to organisations is effective. |
|
| Monitoring organisations’ satisfaction with our services |
Legitimate interest Ensuring the quality of our services and making improvements where necessary |
|
| Litigation and regulatory investigations | Compliance with legal obligation | Establishment, exercise or defence of legal claims |
5. Retaining data
5.1 We retain personal data for different lengths of time, depending on the purpose for which we process the data.
5.2 The following are our retention periods for personal data of EmployAbility staff.
|
EmployAbility Staff Type of Personal Data |
Retention Period |
|---|---|
| Bank details | 2 years after the end of employment |
| Criminal record checks | 6 months |
| CVs, passports and other non-health information provided by applicants’ for roles with EmployAbility | 6 months after communicating to the data subject that they were unsuccessful |
|
Disability-related reasonable adjustments relevant to applicants for roles with EmployAbility Includes special category data. |
6 months after communicating to the data subject that they were unsuccessful |
| Health and disability-related personnel records |
6 years after the end of employment |
| Responding to a rights request under the UK GDPR |
To the retention date applicable to the underlying processing A pseudonymised record is kept in respect of all-data erasure requests. |
| Litigation and regulatory investigations | 10 years |
| Non-health personnel records | 6 years after the end of employment |
5.3 The following are our retention periods for processing personal data belonging to disabled individuals we support.
|
Supported Individuals Type of Personal Data |
Retention Period |
|---|---|
| Complaints | 10 years |
| Contact details for marketing purposes (individuals) |
4 years We request renewed consent at the end of this retention period. |
| Disability information about individuals for whom we are advocating to a university of professional body |
6 years We request renewed consent at the end of this retention period. |
| Disability information about individuals applying directly to a client organisation. | 1 year |
| Disability information about individuals applying to a client organisation for internships, graduate programmes, and experienced hire roles. Our services include personalised support, adjustments advice for recruitment and the workplace, advocacy, skills enhancement and placement. |
6 years for students and graduates 4 years for experienced hires We request renewed consent at the end of these retention periods |
| Disability information about individuals employed by a client organisation in respect of workplace adjustments. | 1 year |
| Information indicating how individuals became aware of our services | 6 months |
| Litigation and regulatory investigations | 10 years |
| Monitoring individuals’ satisfaction with our services | 6 months |
| Participation in a scholarship programme |
6 years We request renewed consent at the end of this retention period |
| Participation in EmployAbility’s Alumni Programme |
10 years We request renewed consent at the end of this retention period. |
| Research |
10 years We request renewed consent at the end of this retention period. |
| Responding to a rights request under the UK GDPR |
To the retention date applicable to the underlying processing A pseudonymised record is kept in respect of all-data erasure requests. |
| Statistical analysis |
Indefinite With ongoing monitoring of data and erasure where it is no longer relevant. |
5.4 The following are our retention periods for personal data of staff working for our client organisations.
|
Client Organisation Type of Personal Data |
Retention Period |
|---|---|
| Client orrganisation’s contacts and staff (non-disability data) |
1 year In the case of an ongoing relationship, one year after the end of that relationship, unless we agree otherwise by contract, or by asking for your consent to retain your contact details. |
| Client organisation’s contacts and staff (disability data) | 2 months |
| Complaints | 10 years |
| Responding to a rights request under the UK GDPR |
To the retention date applicable to the underlying processing A pseudonymised record is kept in respect of all-data erasure requests. |
| Contact details for marketing purposes (organisations) |
4 years We request renewed consent at the end of this retention period. |
| Information indicating how organisations became aware of our services | 6 months |
| Monitoring organisations’ satisfaction with our services | 6 months |
| Litigation and regulatory investigations | 10 years |
6. Data subjects’ rights
6.1 Data subjects can exercise their rights by contacting us at our dedicated data protection email address, or in any other way they find convenient.
6.2 We may ask for confirmation of a data subject’s identity exercising a right before we comply with a request.
6.3 In most cases, we should be able to comply with a request free of charge and within one month. In limited circumstances we may charge an administration fee, or extend the deadline for responding to the request. Where this is the case, we will provide the data subject with our reasons. We will also provide the data subject with an explanation if we cannot comply with a request.
6.4 Data subject have the following rights:
| To receive copies of personal data | Data subjects have the right to see copies of the personal data we hold about them. Asking to see copies of data is called a subject access request. |
| To have personal data erased | This is a condition right, which applies in particular circumstances. If consent is the legal basis for processing a data subject’s request will be complied with unless we need to retain it for legal purposes. We will not erase personnel records or complaint records before the end of the retention period. We will not erase data where we rely on legal obligation or public task as the lawful basis for processing. |
| To withdraw consent | Where consent is the lawful basis for processing, a data subject may withdraw that consent at any time. |
| To rectification | A data subject has the right to have inaccurate personal data corrected, and incomplete personal data completed. |
| To object to processing | In certain circumstances, data subjects have the right to object to our processing their personal data. If we rely on legitimate interest as our lawful basis for processing or if a data subject believes the information we hold about them is inaccurate or incomplete. The right to object does not apply where our lawful basis for processing is legal obligation or contract with the data subject. |
| To make a complaint | Data subjects may complain to the ICO if they believe we have infringed their rights when processing their personal data. |
| To data portability | Data subjects have the right to receive the personal data they provided to a controller, and have the controller transfer that data to another controller, where the lawful basis for processing is consent or contract. |
7. How we protect personal data
7.1 We have extensive controls in place to maintain the security of our information and information systems. The data we process is protected with safeguards appropriate to its sensitivity.
7.2 Employees have access to different categories of personal data on a need-to-know basis.
7.3 All employees are provided with data protection and security training, and are required to act in accordance with applicable data protection legislation and our policies. Employees are prohibited from any unauthorised use or disclosure of personal data to a third party.
8. Transfer of data outside the UK
8.1 If a data subject applies for a role outside the UK with one of our employer partners, we may transfer their personal data to that jurisdiction. We will request specific consent to transfer data outside of the UK.
8.2 For certain non-UK roles, it may be necessary to transfer personal data to a country which has not been designated as adequate by the UK government (‘non-adequacy country’). Where it is we request the data subject’s explicit consent to do so, drawing their attention to the additional risks.
8.3 Individuals wishing to further understand the protections given to personal data we transfer to a non-adequacy country should contact us at dataprotection@employ-ability.org.uk.
9. Sharing personal data with third parties
9.1 We may discuss an individual’s application and adjustment needs with an employer partner to whom the individual has applied. In most cases we will not tell the employer about the applicant’s disability, but if it is necessary to do so to ensure the individual receives appropriate adjustments, we will seek separate consent. Our employer partners may provide feedback on applications. They may also retain information about an applicant if they are unsuccessful, in case they are suitable for a future role, and where this is the case we expect them to seek separate and specific consent to do so from the applicant.
9.2 We may have discussions about an applicant’s adjustment needs with any third party employer who is not one of our partners but to whom we advocate on the applicant’s behalf. Such employers may provide feedback to EmployAbility on occasion. Applicants must consent to our sharing their data with such a potential employer.
9.3 We do not sell, share or lease personal data, other than as described in this privacy notice, unless the data subject gives us consent to do so.
9.4 We may disclose personal data in order to meet a legal or regulatory requirement. In the case of a suspected criminal offence, personal data may be shared with the police.
9.5 If personal data has been provided to us in respect of a matter about which we are providing advocacy support, we may share that information with the organisation to which we are making submissions about reasonable adjustments.
9.6 We do not share information about applicants for roles with EmployAbility.
9.7 Employees’ personal data may be shared with insurers, our accountants or our legal advisors.
9.8 A student or graduate’s personal information may be shared with their university, where that university is one of our partners, or if it is not one of our partners but we are advocating for the student. The student or graduate’s personal data will only be shared with their consent.
9.9 Personal data about those we have supported may be shared on our website or in our newsletter with the individual’s consent, for example where they act as a Campus Ambassador, write an article, win an award or provide a testimonial.
10. Marketing
10.1 When an individual registers with us, they receive a welcome email which describes the information we will send to them about current opportunities and other news. Anyone who does not wish to receive this material can opt out at any time, either via the welcome email, or by clicking the unsubscribe link in any direct marketing communications they receive.
11. Automated decision-making
11.1 We do not use personal data to make automated decisions.
12. How we store data
12.1 We store data electronically on our database or in the cloud.
13. Cookies
13.1 Our website uses only cookies which are strictly necessary for the essential functions of our website.
14. Contact
14.1 Our dedicated email for matters relating to protection is dataprotection@employ-ability.org.uk.
15. Update and review
15.1 We may update this privacy notice from time to time.