Our charity number is 1071167. Our address is 40 Brunswick Square, London WC1N 1AZ.
We are the Data Controller for the processing activities outlined in this privacy notice.
This notice applies to our employees, job applicants, volunteers, freelancers and trustees.
How and when do we collect information about you?
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement.
In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references.
What types of information are collected about you and who provides it?
We keep several categories of personal data on our employees/freelancers/job applicants/trustees and volunteers to carry out effective and efficient processes, for example contracts of employment, references or risk assessments relating to safe working practices e.g. ‘Risk Assessment for new or expectant mothers’. We process this data in Breathe HR which is a system only Foundling Museum employees have access to.
Specifically, depending on your type of engagement with the Foundling Museum, we may process or store the following types of data:
- personal details such as name, address, phone numbers
- name and contact details of your next of kin
- your photograph, your gender, marital status
- footage of the organisation events where you may appear
- information of any disability or other medical information you have disclosed
- right to work documentation
- information gathered via the recruitment process such as that included in a CV, cover letter or application form, references from former employers, details on your education and employment history etc
- National Insurance number, bank account details and tax codes
- information relating to your employment with us (e.g. job title, job description, salary, terms and conditions of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern and disciplinary, disciplinary and grievance proceedings)
- internal and external training modules undertaken
- information on time off from work including sickness absence, family related leave etc
- risk assessments where applicable, e.g. Risk Assessment for New and Expectant Mothers, Manual Handling or other
- IT equipment use including telephones and internet access
- your photo for Breathe HR
We may also process special category data, which includes health information, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data. We may also process criminal records information if the role involves a DBS check, either enhanced or basic.
How is the information used?
We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/trustee agreement, without which we would be unable to employ you. Holding your personal data enables us to meet various administrative tasks, legal obligations or contractual/agreement obligations.
Lawful basis for processing
We mainly use ‘contractual obligation’ as a lawful basis for processing your personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees and volunteers. We may also have a legal obligation to process and share your data; for example, we need to share salary information with HMRC or use some of your data to enrol a new employee on a pension scheme. When processing special category data, we may use your consent.
We may rely on our legitimate interest for processing activities such as keeping supervision, 121 and appraisal records; using your image and bio in press releases relating to your recruitment where applicable; and using pictures of the organisation’s events where you may appear on our website or marketing/fundraising materials to promote the charity. When relying on legitimate interest, we may undertake a balancing test (Legitimate Interest Assessment) to ensure your rights are upheld.
When processing criminal records (for example, to perform a DBS check), the organisation relies on the lawful basis of legitimate interest, and Condition 10 from Schedule 1, DPA 2018 (“preventing or detecting unlawful acts”).
How long do we keep your data?
We only keep your employee data for as long as we need it, which will be for the duration of your employment/engagement and for a minimum period of 6 years after your employment/engagement has ended, in line with our retention policy. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 6 months.
Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch by contacting your DPO if you want to know more about retention periods.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Confidentiality – who do we share your data with?
Employees within our company who have responsibility for recruitment, administration of payment and contractual benefits, and carrying out performance-related procedures will have access to your data which is relevant to their function, for example bank details for salary payments. All employees have been trained in ensuring data is processed in line with UK GDPR and the Data Protection Act (2018).
Data in relation to your salary is shared with HMRC as part of our legal obligation. Data may be shared with third parties for the following reasons: the administration of payroll, pension, HR functions, administering other employee benefits and for the purposes of validating a mortgage or a rental application, subject to employee consent. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We have a section on our website or social media where we upload the name and job title of our employees. It is in our legitimate interest to have such information available on the website, but you have the right to object. Please see section Your rights as Data Subject.
Your rights
- Right to be Informed: You have the right to be informed about how we are using your data. If you think we are doing something with your information that we have not told you about in this Privacy Notice, you can object to this;
- The Right of Access: You can request access to a copy of the personal data that we hold about you;
- The Right to Rectification: If you think that the personal data we hold about you is inaccurate or incomplete, you have a right to request that it be rectified;
- The Right to Erasure: You can ask us to delete your personal data where it is no longer necessary for us to use it, where you have withdrawn consent (if we process based on consent), or where we have no lawful basis for keeping it;
- The Right to Restrict Processing: You can ask us to restrict the personal data we use about you where you have asked for it to be erased or where you have objected to our use of it;
- Right to Data Portability: You can ask us to provide you, or a third party (if possible), with some of the personal data we hold about you in a structured, commonly used, electronic form, so that it can be easily transferred; and
- Right to Object: You can object to the processing of your personal data. You should note that this right does not apply in all circumstances, for example, where we are processing information because it is necessary to complete a contract.
You can contact your DPO at enquiries@foundlingmuseum.org.uk to exercise your rights outlined above. We will treat your information with respect and will not share it with any other organisation.
Changes to privacy notice
This Privacy Notice is effective as of the ‘last updated’ date above and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.
We reserve the right to update or change our Privacy Notice at any time and you should check this Privacy Policy periodically. If we make any substantial changes to this Privacy Notice, we will notify you by placing a prominent notice on our website.