Reviewed March 2022
This policy explains what personal data (information) we hold about you, how we collect it, and how we use and may share information about you during your employment application process, your employment and after it ends. We are required to notify you of this information under applicable data protection law.
In this policy references to ‘employee’ or ‘employment’ include references to agency workers, independent contractors, freelancers, volunteers, interns and any other non-employee workers.
Please ensure that you read this policy (sometimes referred to as a ‘privacy notice’) and any other similar policy or notice we may provide to you from time to time when we collect or process personal information about you (including in particular: ‘the Society of Authors – Privacy Policy: General’, which should be read in conjunction with this policy).
Who collects the information
The Society of Authors, a company incorporated and registered in England and Wales with company number 00019993 and its registered office at 24 Bedford Row, London, England, WC1R 4EH (SoA) is a ‘data controller’ and gathers and uses certain information about you. This information may also be used by our affiliated entities and group companies and accordingly references to ‘we’, ‘us’ or ‘our’ means the SoA.
Data protection principles
We will comply with the data protection principles when gathering and using personal information, as set out in the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018 (DPA), any laws which implement any of the foregoing, any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.
About the information we collect and hold
We may collect the following information before, during and after your employment (including during the recruitment process):
- Your name, date of birth, personal and work contact details (i.e. address, home and mobile phone numbers, email addresses) and emergency contacts (i.e. name, relationship and home and mobile phone numbers);
- Information collected during the recruitment process that we retain during your employment (including details of your qualifications, education, experience and employment history (including job titles, remuneration packages and working hours), information about your personal interests and hobbies, details of any written tests or assessments undertaken by you as part of the interview process, interview notes and other materials generated during the interview process, details of your referees and letters of reference);
- Details relating to your employment contract information, including details of salary and benefits, bank/building society, National Insurance and tax information;
- Your nationality and immigration status and information from related documents, such as your passport, driving licence or other identification and immigration information;
- Details of your pension arrangements, and all information included in these and necessary to implement and administer them;
- Information regarding your fitness for work, and information in your sickness and absence records (this may include sensitive personal information regarding your physical and/or mental health);
- Details of your spouse/partner and any dependants;
- Equal opportunities information, including your racial or ethnic origin, sex and sexual orientation, religious or similar beliefs (this constitutes sensitive personal information);
- Information regarding your criminal record in a criminal records certificate (CRC) or enhanced criminal records certificate (ECRC) and/or the results of Disclosure and Barring Service (DBS) checks;
- Your trade union membership (this constitutes sensitive personal information);
- Information on grievances raised by or involving you (depending on the nature of the grievance this may include sensitive personal information);
- Information on conduct and/or other disciplinary issues involving you (depending on the nature of the issue this may include sensitive personal information);
- Details of your appraisals and performance reviews, performance management/improvement plans (if any), your time and attendance records, information regarding your work output, and information in applications you make for other positions within our organisation;
- Your image, in photographic and video form;
- Your voice, in audio form; and
- Details of your public use of social media, such as LinkedIn.
Certain of the categories above may not apply to you if you do not progress beyond the recruitment stage or if you are an agency worker, independent contractor, freelancer, volunteer, intern or any other non-employee worker.
How we collect the information
We may collect this information from you, your nominated referees, public locations (e.g. LinkedIn), your managers, your fellow employees, your personnel records, your trade union, your doctors, pension administrators, the Home Office, the DBS, overt audio and visual recordings and/or consultants and other professionals we may engage (e.g. to advise us generally and/or in relation to any grievance, conduct appraisal or performance review procedure).
Why we collect the information and how we use it
We will typically collect and use this information for the following purposes:
- for the performance of a contract with you, or to take steps to enter into a contract;
- for compliance with a legal obligation (e.g. our obligations under applicable tax, pensions and health and safety legislation);
- for the purposes of our legitimate interests or those of a third party (e.g. a benefits provider), i.e. to help with note taking, to ensure that accurate records of work calls and meetings are kept, and to ensure the safety of all participants at physical and online meetings and events, but only if these are not overridden by your interests, rights or freedoms;
- because it is necessary for carrying out obligations or exercising rights in employment law;
- for reasons of substantial public interest (i.e. equality of opportunity or treatment, promoting or retaining racial and ethnic diversity at senior levels, promoting or retaining female and LGBTQIA+ employment at senior levels, promoting or retaining neurodiversity at senior levels, regulatory requirements);
- to defend any legal claims that may be brought against us in connection with your employment, or to establish, bring or pursue any claim against you e.g. to enforce post-termination restrictions (this will typically involve passing information on to our legal advisers, who will be subject to strict professional and contractual duties of confidentiality); and
- to process any complaints or support training and development.
We seek to ensure that our information collection and processing is always reasonable and proportionate. We will notify you of any material changes to information we collect or to the purposes for which we collect and process it.
How we may share the information
We may also need to share some of the above categories of personal information with other parties, such as HR consultants, professional advisors, insurers, pension administrators, external contractors and potential purchasers of some or all of our business or on a re-structuring. Where possible, information will be anonymised or pseudonymised. Where this is not possible, we will seek to ensure that the recipient of the information is bound by confidentiality obligations.
Where information may be held
Information may be held at our offices and any third party agencies, service providers, representatives and agents as described above in the UK. Information may be transferred internationally, including to countries that do not have data protection laws equivalent to those in the UK, for the reasons described above. Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) on the basis of legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law.
How long we keep your information
We keep your information before, during and after your employment for no longer than is necessary for the purposes for which the personal information is processed.
If your application for employment is unsuccessful, we may ask if you would like us to retain your personal information for a period of twelve (12) months. If you agree, we may contact you should any further employment opportunities arise during that period (after which period your data may be deleted or anonymised).
If your application for employment is successful, we will retain your personal information for the duration of your employment with us, and for a period of up to six (6) years thereafter (in line with the Statute of Limitations) (after which period your data may be deleted or anonymised).
Otherwise, we will keep your information for the period(s) specified in the Privacy Policy – General and in Annex 1, below.
Your right to object to us processing your information
Where our processing of your information is based solely on our legitimate interests (or those of a third party), you have the right to object to that processing if you give us specific reasons why you are objecting, which are based on your particular situation. If you object, we can no longer process your information unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or we have another legal ground for the processing (e.g. to comply with our legal and regulatory obligations; for the performance of a contract with you or if the processing is for the establishment, exercise or defence of legal claims).
Please contact us if you wish to object in this way.
Your rights to correct and access your information and to ask for it to be erased
Please contact us if (in accordance with applicable law) you would like to correct or request access to information that we hold relating to you or if you have any questions about this policy. You also have the right to ask for some/all of the information we hold and process to be erased (the right to be forgotten) in certain circumstances. We will provide you with further information about the right to be forgotten, if you ask for it.
Keeping your personal information secure
We have appropriate organisational, security and technical measures in place to prevent personal data from being accidentally lost, or used or accessed unlawfully, e.g.:
- We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner after GDPR training and are subject to a duty of confidentiality.
- If you engage in an email exchange with us, whilst we cannot guarantee the security of email communications, your email correspondence will be stored securely on our email and, if appropriate, employee filing systems.
- Data files shared by us with any third parties will be password protected.
- Before introducing any new systems or technologies relevant to the processing of your personal data, we will where necessary and appropriate undertake and complete a data protection impact assessment (DPIA) identifying any associated risks.
- When processing any special category personal data, we will anonymise or pseudonymise that data (e.g. by removing identifiers such as names and addresses) to minimise the damage that may be caused by a data breach.
- We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to contact us
You can contact us by post, email or telephone if you have any questions about this policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.
Our contact details are shown below:
Our contact details | Our Data Protection Officer’s contact details |
---|---|
The Society of Authors, 24 Bedford Row, London, England, WC1R 4EH, info@societyofauthors.org, 020 3880 2230 | Emma Boniwell, Head of Membership and Author Communities, eboniwell@societyofauthors.org, 020 3880 2230 |
How to complain
We hope that we can resolve any query or concern you raise about our use of your information. If not, contact the Information Commissioner at ico.org.uk/concerns/ or telephone: 0303 123 1113 for further information about your rights and how to make a formal complaint.
Annex 1
Data retention periods for HR documents:
Document | Minimum Retention Period | Authority/Justification |
---|---|---|
Employee Relations | ||
Application forms and interview notes (for unsuccessful candidates) | 6 months to a year | Recommended practice (CIPD) Defamation Act 1996 1-year limitation (in respect of any shared comments) |
Applications (successful) | 6 months following end of probation period – may retain useful data eg skills | Assess and verify suitability for role Limitation incl. EC for unfair dismissal and discrimination claims etc. |
Authorised absence records (annual leave, time off for dependants, jury service etc.) | 2 years from when the entry was made | Working Time Regulations 1998 Part II |
CCTV – relevant footage relating to an investigation or formal process | *consider any insurance obligations* Extend normal retention period of CCTV for 6 months following a formal outcome or any appeal outcome | Recommended practice (ICO) Limitation incl. EC for unfair dismissal and discrimination claims etc. |
Collective agreements | 6 years after ending | Limitation Act 1980 – limitation for breach of contract and negligence |
Contracts, offer letters and variations (including any flexible working outcome) | 6 years following end of employment | Limitation Act 1980 – limitation for breach of contract |
Criminal record checks and disclosures (eg a DBS certificate) | 6 years following end of employment | Limitation Act 1980 – limitation for negligence (made by public etc.) |
Capability and disciplinary documents (substantiated) | 2 years following the issue of the warning | TUPE 2006 Case law permitting expired warnings to be referred to (but not built upon). Unreasonable to refer back after 2 years |
Driving licence (if required) | *consider any insurance obligations* Duration drives on business plus 3 years | Limitation Act 1980 – 3-year limitation for negligence for a known act/incident |
Driving offences | Remove once the conviction is ‘spent’ unless subject to exemptions. | Rehabilitation of Offenders Act 1974 |
Drug and alcohol testing records | 6 years from a positive result 6 months from a negative result | Tribunal limitation incl. EC for breach of contract and discrimination claims etc. |
Flexible working request documents | 18 months following outcome (including any appeal outcome) | 12-month statutory embargo on a further request plus 6-month tribunal limitation incl. EC for auto-unfair dismissal and discrimination claims etc. |
Grievance documents | 6 months following end of employment | Limitation incl. EC for ‘last straw’ constructive dismissal and discrimination claims etc |
Investigations – no case to answer | 6 months following conclusion | Limitation incl. EC discrimination claims etc |
Maternity medical records | 3 years after the end of the tax year in which the maternity period ends | The Statutory Maternity Pay (General) Regulations 1986 as amended |
Medical capability documents and records incl. OH reports | 6 months following end of employment | Equality Act 2010 Limitation incl. EC for unfair dismissal and discrimination claims etc. |
Monitoring (eg vehicle trackers) | 6 months rolling unless there is an overriding reason or on-going relevance of the record | Recommended practice (ICO) |
Professional insurance (including insurance for driving on business), licence to practice and professional registrations. | *consider any insurance, regulatory or supervisory obligations eg GMC, NMC, CQC, FCA* 6 years following end of employment | Limitation Act 1980 – limitation for negligence (made by public etc.) |
Qualifications | 6 years following end of employment | Limitation Act 1980 – limitation for negligence (made by public etc.) |
Right to work checks | Two years after employment | Recommended practice (Home Office) |
Redundancy details, calculations of payments, refunds, notification to the Secretary of State | 6 years from the date of redundancy | Recommended practice (CIPD) Limitation Act 1980 |
Redundancy – documentation | 6 years following end of redundancy | Limitation Act 1980 |
References received for employment | *consider any insurance, regulatory or supervisory obligations eg GMC, NMC, CQC, FCA* 6 months following end of probation period | Assess and verify suitability for role Limitation incl. EC for unfair dismissal and discrimination claims etc. |
References issued for employment | 1 year | Defamation Act 1996 1-year limitation (in respect of any shared comments) |
References and correspondence that may produce legal effects (mortgage, loan, etc) | 3 years following issue | Limitation Act 1980 – limitation for negligence when immediately aware |
Sickness records and unauthorised absence records | 6 months following end of employment Pseudonymise where feasible | Limitation incl. EC for unfair dismissal and discrimination claims etc. Recommended practice (data laws) |
Sickness and injury records (work related) (other than those listed under ‘Health and Safety’) | 15 years | 3 years for personal injury claim 15 years for negligence (in respect of latent damage) Limitation Act 1980 |
Subject access request letters | 1 year following completion of a request | May charge a fee for repeat copies. May be unreasonable to charge a fee after 12 months. |
Trust deeds, rules and minute books | Permanently | Recommended practice (CIPD) |
Whistle-blowing – reports and documents linked to an investigation which is partially or wholly substantiated. | 6 months following the outcome of the report or any remedial action taken because of the report | Public Interest Disclosure Act 1998 (‘PIDA 1998’) Employment Rights Act 1996 |
Whistle-blowing – documents linked to an entirely unsubstantiated claim | Remove immediately any personal data | Recommended practice (IAPP) |
Health and Safety | ||
Accident books, records and reports | 15 years | 3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980 |
Assessments under health and safety regulations and records of consultations with safety representatives and committees | Indefinitely | Recommended practice (CIPD) |
First aid training | 6 years after employment | Health and Safety (First-Aid) Regulations 1981 |
Fire warden training | 6 years after employment | Fire Precautions (Workplace) Regulations 1997 |
H&S representatives training | 5 years after employment | Health & Safety (Consultation with employees) Regulations 1996 |
H&S training – employees | 5 years after employment | H&S Information for Employees Regulations 1989 |
Health records made in connection with health surveillance (according to HSE) | 40 years | Recommended practice (HSE) The Control of Substances Hazardous to Health Regulations 1999 and 2002 |
Medical records under the Control of Asbestos at Work Regulations: medical records containing details of employees exposed to asbestos | Medical records – 40 years from the date of the last entry; Medical examination certificates – 4 years from the date of issue | The Control of Asbestos at Work Regulations 2002 and the Control of Asbestos Regulations 2012 |
Medical records and details of biological tests under the Control of Lead at Work Regulations | 40 years from the date of the last entry | Control of Lead at Work Regulations 2002 |
Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH) | 40 years from the date of the last entry if person is identifiable and the record represents exposure, otherwise at least 5 years. | The Control of Substances Hazardous to Health Regulations 1999 and 2002 |
Medical records under the Ionising Radiations Regulations 1999 | Until the person reaches 75 years of age, but in any event for at least 50 years | The Ionising Radiations Regulations 1999 |
Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH) | 5 years from the date on which the tests were carried out | The Control of Substances Hazardous to Health Regulations 1999 and 2002 |
Risk assessments | Indefinite | Recommended practice (CIPD) |
Statutory and regulatory training | 6 years after employment | Limitation Act 1980 |
Payroll and Finance | ||
Accounting records | 3 years (private company) 6 years (public) | Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006 |
Expense accounts | 6 years following year end (public companies) | Companies Act 1985, section 222 as modified by the Companies Act 1989 and Companies Act 2006 |
Income tax and NI returns, income tax records and correspondence with HMRC | Not less than 3 years after the end of the financial year to which they relate | The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended |
Inland Revenue/HMRC approvals | Permanently | Recommended practice (CIPD) |
National minimum wage records | 3 years after the end of the pay reference period following the one that the records cover | National Minimum Wage Act 1998 |
Statutory Maternity Pay records, calculations, certificates (Mat B1s) and leave | 3 years after the end of the tax year in which the maternity period ends | The Statutory Maternity Pay (General) Regulations 1986 as amended and Maternity & Parental Leave Regulations 1999 |
Statutory Adoption Pay records, calculations, matching certificates and leave | 3 years after the end of the tax year in which the maternity period ends | Maternity & Parental Leave Regulations 1999 |
Statutory Paternity Pay records, calculations and leave | 3 years after the end of the tax year in which the maternity period ends | Maternity & Parental Leave Regulations 1999 |
Statutory Shared Parental Pay records, calculations, certificates (Mat B1s), notices and leave | 3 years after the end of the tax year in which the maternity period ends | Maternity & Parental Leave Regulations 1999 |
Wage/salary records (also overtime, bonuses, expenses) | 6 years | Taxes Management Act 1970. |
Benefits | ||
Pension scheme investment policies | 12 years from the ending of any benefit payable under the policy however no information should ever be retained unless it is a necessary consequence of the funding | Recommended practice (ICO) |
Pension records | 12 years after benefit ceases. Avoid access unless required | Recommended practice (CIPD) |
Retirement Benefits Schemes – records of notifiable events | 6 years from the end of the scheme year in which the event took place | The Retirement Benefits Schemes (Information Powers) Regulations 1995 |
Private medical | Avoid access unless required as part of making a reasonable adjustment etc | Recommended practice (ICO) |
Working time | ||
Timesheets, overtime records and other documents relating to working time | 2 years from date on which they were made | Working Time Regulations 1998 Part II |
Young people and children | ||
Records relating to children and young adults | Until the child/young adult reaches the age of 21 | Limitation Act 1980 – limitation for negligence (made by public etc.) Conditions for processing may need to be reviewed when a child turns 13 |