Mitchells & Butlers Employee Privacy Policy


Mitchells & Butlers is made up of different legal entities, brands and outlets, details of which can be found at www.mbplc.com (Group). This privacy policy is issued by Mitchells & Butlers Leisure Retail Limited (company number 01001181 with its registered office at 27 Fleet Street, Birmingham B3 1JP) on behalf of the Group so when we refer to "we", "us" or "our" in this privacy policy, we are referring to the relevant company within the Group that is responsible for processing your data. Mitchells & Butlers Leisure Retail Limited is the controller and you can contact the data protection officer ("DPO") at Data Protection Officer, [email protected], 27 Fleet Street, Birmingham B3 1JP.

We are committed to protecting the privacy and security of your personal data in accordance with the provisions of the applicable data protection legislation. Personal data means information we hold about you from which you can be identified, directly or indirectly, and which may be held on paper, electronically, or otherwise. It does not include anonymous data (where identity has been removed).

This privacy policy applies to our prospective, current and former employees (including apprentices), workers, contractors and those on work experience placements or seconded to us. It aims to give you information on how we will collect and process your personal data before, during and after your working relationship with us. This privacy policy does not form part of any contract of employment or other contract to provide services.

It is important that you read this privacy policy in full, together with any other privacy policy we may provide on specific occasions (e.g. our Guest Privacy Policy or Candidate Privacy Notice) when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information. This privacy policy supplements the others and is not intended to override them.


If you have any questions about this privacy policy, or about how we handle your information, including any requests to exercise your legal rights, please contact the Group Data Protection Manager ("DPM") at [email protected].

You have the right to make a complaint at any time to the Information Commissioner's Office ("ICO"), the supervisory authority regulating most UK data and information laws (phone: 0303 123 1113 or at www.ico.org.uk/concerns). However, we would appreciate the chance to deal with your concerns before you approach the ICO, so please give us the opportunity to resolve this issue for you by referring it to your line manager or to [email protected] in the first instance.


In order to run our business, we collect and process the types of information listed below about you. We do this through the recruitment and onboarding process. Most of this information is provided directly by you, but sometimes it comes from an employment agency, recruitment partner or service provider (for example, to verify your right to work in the United Kingdom or your address) or is collected in the course of work or work-related activities throughout the period of you working for us:

  • Contact Data: personal contact details such as addresses, telephone numbers and personal email addresses;
  • Identity Data: including your name, title, username (or any similar unique identification numbers that we may apply to you), date of birth, gender, marital status, next of kin, beneficiaries (for benefits purposes), emergency contact information and dependants (and in the case of any information provided by you relating to others you will be responsible for any necessary consent/s and/or have shared the contents of this notice with the individuals concerned as appropriate);
  • Recruitment Data: including copies of right to work documentation, references and other similar information including a CV, application form or cover letter received as part of the recruitment process;
  • Financial Data: National Insurance number, bank account details, credit or other payment card, payroll records, salary, annual leave, pension, benefits and tax status information, including any relevant voucher or transaction activity;
  • Employment Data: location of employment or workplace, details of when and where you worked, including images obtained from CCTV (or other similar technologies) and other information obtained through electronic means such as swipe card records and photographs;
  • Personnel Data: including job titles, work history, working hours, training records, performance (including disciplinary and grievance) information, and professional memberships;
  • Systems Data: information about your use of our information and communication systems;
  • Licence Data: a copy of your driving licence, and any premises licence held by you.

Sensitive Data: we may also process the following categories of more sensitive personal data, where we are legally able to do so, including:

  • Special Category Data: information about your race or ethnicity, religious or philosophical beliefs, trade union membership, sex life or sexual orientation and political opinions, also information about your health (including any medical condition or disability status, health and sickness records, which could include family related leaves), and potentially genetic or biometric data, for example to deal with health or discrimination issues or claims, to administer our pensions and share schemes, to monitor and manage sick leave, pay and administer benefits requested by you and to take decisions as to your fitness for work, and equal opportunities compliance, monitoring and reporting;
  • Criminal Conviction Data: information about criminal allegations, convictions and offences (where it is appropriate given the nature of the role, for example where we are advised of charges or convictions in relation to company owned or leased vehicles, licensing applications or where relevant to your right to work status).

The provision by you of some of your personal data is a statutory or contractual requirement and there are certain consequences if you do not provide us with this personal data. For example, we may be unable to pay you or to provide a specified benefit without this information and we may be in breach of our legal obligations.


We only process your personal data when allowed to do so by law. Most commonly, we will process your personal data:

  • where the processing is necessary to perform the contract we have entered, or are about to enter, with you,
  • where we need to comply with a legal or regulatory obligation,
  • for our legitimate interests (or the legitimate interests of others) where your interests and fundamental rights do not override those interests, and/or
  • in specific circumstances with your consent (please note that you have the right to withdraw your consent at any time by contacting us at [email protected]).

The table below sets out how we process your personal data. Please contact the DPM at [email protected] if you would like more information.

Activity:
To perform our legal, personnel, administrative and management purposes (including to administer and perform our obligations under the contract we have entered into with you) and to enable us to meet our legal obligations as an employer, for example:

- to check your entitlement to work in the UK,
- to pay you, deduct tax and NI contributions for employees,
- for workforce monitoring, scheduling and management,
- to engage in business operations, management and planning activity, including accounting and auditing,
- to comply with health and safety obligations, provide occupational health services and to take decisions regarding your fitness to work and any reasonable adjustments you may require,
- to monitor, determine and manage performance including training, appraisals, promotions, dealing with leaves of absence, which may include sickness absence or family related leave, to comply with employment and other laws;
- to develop improved ways to manage and operate our business, for example we may use your personal contact details to contact you for employee surveys or other similar initiatives like data analytics studies designed to analyse workforce demographic, knowledge, expertise, recruitment strategies, retention and attrition rates,
- to confer benefits (such as providing any applicable insurances or liaising with your pension or share scheme provider) in connection with your employment;
- if you apply for an ill-health pension under a pension arrangement operated by a group company, we will use information about your physical or mental health in reaching a decision about your entitlement;
- if you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury or disability, we will use information about your physical or mental health, or disability status in reaching a decision about your entitlements under the share plan; and
- for the purposes of equal opportunities compliance, monitoring and reporting.

Personal Data:

- Contact Data
- Identity Data
- Recruitment Data
- Financial Data
- Employment Data
- Personnel Data
- Systems Data
- Licence Data
- Sensitive Data - in limited circumstances, for example it may be necessary for us to process Special Category or Criminal Conviction data to fulfil our obligations under employment or social security law.

Basis for Processing:

- Performance of a contract with you.
- Necessary to comply with a legal obligation.
- Necessary for our legitimate interests of being able to effectively manage and develop our business, to retain and attract staff, improve employee engagement, and to improve working practices and business performance.
- Consent - for example when we obtain explicit consent from you to obtain an occupational health report or to process Criminal Conviction Data as part of the recruitment process.

Activity:

- To deal with legal claims or disputes involving you or other employees, workers and contractors, which may include gathering evidence for possible grievance or disciplinary hearings including, where the law permits, that captured by CCTV or by other appropriate monitoring or surveillance technologies in order to prevent and detect criminal activity or malpractice.
- To prevent or detect fraud or other criminal activity, or to respond to other legitimate requests for information.

Personal Data:

- Contact Data
- Identity Data
- Recruitment Data
- Financial Data
- Employment Data
- Personnel Data
- Systems Data
- Licence Data
- Sensitive Data - in limited circumstances it may be necessary for us to process for example medical or criminal data as necessary for dealing with health or discrimination claims, or for carrying out our obligations under employment or social security law.

Basis for Processing:

- Performance of a contract with you.
- Necessary to comply with a legal obligation.
- Necessary for our legitimate interest being to resolve disputes and prevent fraud or other criminal activity.

Activity:
To monitor your use of our information and communication systems to ensure compliance with our IT policies, to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.

Personal Data:

- Identity Data
- Employment Data
- Personnel Data
- Systems Data

Basis for Processing:

- Performance of a contract with you.
- Necessary to comply with a legal obligation.
- Necessary for our legitimate interest being to run our business, to ensure network security and to prevent potential criminal behaviour.

We will only process your personal data for the specific purpose or purposes notified to you (unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose) or for any other purposes specifically permitted by the data protection laws, and only to the extent necessary.

Examples of other purposes permitted by data protection laws (and we would expect such occasions to be rare), are where it is needed to protect your (or someone else's) vital interests and you are not capable of giving your consent, or where you have provided express consent.

We will not usually need your consent to process your information for the purposes set out above but there may be limited circumstances (for example the obtaining of an occupational health report to enable us to make reasonable adjustments or to facilitate your return to work) where we will approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.

Some of the above grounds will overlap and there may be several grounds which justify our use of your personal data.


We can only keep your personal data for as long as is necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The precise length of time we hold your personal data for varies depending on the individual circumstances, but in determining the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We will periodically review the data we hold in order to determine whether it should be retained, securely destroyed or, where appropriate, retained for a further period in anonymised form.

In general we will retain your personal data for the duration of your employment or engagement with us and for up to 7 years after you leave us. Beyond the initial 7 year period we will retain a basic level of data about staff (name, job title, dates of service and reason for leaving) in order to enable us to comply with any obligations that we may have relating to verification of employment, or related benefits.

For more information on how long the different aspects of your data are likely to be kept before being destroyed, please contact the DPM at [email protected].


We take the security of your personal data very seriously and have in place appropriate security measures at all times, including where we share your information with our suppliers and partners, to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Please take care of your own information. For security tips and tricks when using the internet, Wi-Fi and smartphones or tablets, please visit www.getsafeonline.org.


We will not disclose your personal data to a third party (including third party service providers and other legal entities in our Group) unless we are satisfied that we are legally entitled to do so - for example, where it is required by law, necessary to administer our working relationship with you or where we have another legitimate interest in doing so. Where we do share your information we will do so in accordance with the laws applicable to us and for the purposes set out above. We will require third parties to respect the security of your data and treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may disclose your personal data to the following parties:

  1. other Group companies, including new companies joining the Group, (acting as controllers or processors) for internal administrative purposes, as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance, support and hosting of data.
  2. selected third party service providers or business partners who:
    1. help us to run our business (mainly acting as processors, but sometimes controllers) - for example, companies who provide us with IT systems, services and support, consultancy services, payroll, benefits and training provision and administration, e.g. systems such as PeopleNet and Mable;
    2. our professional advisors (acting as controllers or processors) - for example, our lawyers, accountants, other consultants, insurers and insurance brokers, when they need it to provide advice to us or help to run our business;
    3. selected other third party benefits and rewards partners and providers which we make available to Group personnel (acting either as controllers or processors) depending on the services that you are signed up to with them - for example, the share scheme, your pension or insurances, such as life and medical, cycle to work scheme, and pickaperk. For these providers we will usually pass on a basic level of identity information, verify your employment and deal with deductions. Primarily you will interact directly with these providers on their websites, so we would encourage you to review their privacy notices. It will be apparent to you which third party you are dealing with but should you require additional information please contact the DPM.
  3. where necessary we will share your personal data with other third parties (acting as controllers or processors), for example in the context of the possible sale or restructuring of our business or any part or aspect of it, always under appropriate confidentiality provisions.
  4. we will also share your personal data with a regulator, law enforcement agency or other parties where they request it and we may lawfully disclose it, or to otherwise comply with our legal obligations and the making of statutory and routine disclosures. For example, for the prevention and detection of crime, to report serious health and safety incidents and to report salary and employment details. This would include to entities such as Her Majesty's Revenue and Customs (HMRC), the Health and Safety Executive, police, local authority, pensions regulators, potential employers (references), the courts, benefits and/or child support agencies and any other central or local government bodies (acting as controllers or processors).

Some of the providers referred to above will be based, or will access your data from, outside the European Economic Area ("EEA"), in which case see section 6. International Transfers below.

The third parties referred to above will necessarily change from time to time. If you would like any further information about these entities, please contact [email protected].


In general, we process your personal data within the European Economic Area ("EEA"). However, some of the third party companies that we deal with to provide us with services to help us run our business in an efficient way are based outside of the EEA so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data outside of the EEA, we ensure a similar degree of protection in respect of your personal data by ensuring at least one of the following safeguards is implemented:

  1. We only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  2. We will use specific contracts approved by the European Commission which give personal data the same protection as it has in the EEA; or
  3. Where we use third parties based in the US, we may transfer personal data to them if they are part of the Privacy Shield which requires them to provide similar protection for personal data shared between the EEA and the US.

If you have any questions in relation to this section, please contact [email protected].


In certain circumstances, by law you may have the right to request access, transfer, rectification and/or erasure of the personal data that we process about you. You may also have the right to object to and/or restrict our processing of your personal data in the circumstances described below. Some further details of the rights are set out below. However, to learn more about your rights, visit the ICO website at www.ico.org.uk.

Under certain circumstances, by law you have the right to:

  • Request Access: you may request access to your personal data, which enables you to receive a copy of the personal data that we hold about you to check that we are processing it lawfully. Where we can we will provide you with direct access to the data that we hold about you for this purpose.
  • Request Rectification: you may request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Where we can we will provide access so that you can make these changes yourself to ensure that the data we hold about you is kept accurate and up to date.
  • Request Erasure: This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with law. Note, however, that we may not always be able to comply with your erasure request for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing: you may object to how we are processing your personal data where we are relying on a legitimate interest (of ours or a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In these cases, we may have compelling legitimate grounds to process your information which override your rights and freedoms and this will be notified to you, if applicable, at the time of your request.
  • Request Restriction of processing: you may request that we restrict how we process your personal data. This enables you to ask us to suspend the processing of your personal data in certain circumstances, for example if you want us to establish its accuracy or that we have a valid reason for processing it.
  • Request Transfer of certain data: this right relates only to automated information which you initially provided consent for us to use, or where we used the information to perform a contract with you. In those circumstances you may request that we transfer your personal data to you or a third party.
  • Withdraw your Consent to processing: on the rare occasions where we have relied on your consent to process your personal data you will have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not, for example, be able to provide certain benefits to you such as our dine with us discount, or those benefits where we require your consent to access medical reports or records. We will advise you if this is the case at the time you withdraw your consent.

To exercise any of these rights, please contact the DPM at [email protected].


We will need to update this privacy policy from time to time as the law and/or our business changes and develops. While you continue to have a working relationship with us, we will endeavour to provide you with access to the updated privacy policy when we make any substantial updates. Otherwise, a copy of this policy will be available by request to the DPM at [email protected].

It is important that the personal data that we hold about you is accurate and current. Please keep us informed if your personal data changes, or if you become aware of any inaccuracies in the data we hold about you, either by updating your information in our systems where you are able to, or by advising your manager, or the DPM at [email protected].