When you join the TrustHub Group, you become an employee of TrustHub Group Ltd. In the course of this relationship, we will collect, store and use data about you. Your data helps us to employ you, pay you, contact you, provide a service to you, meet our contractual obligations to you, meet our legal obligations as an employer and improve our services. This policy explains what this all means in practice.
When you trust us with your personal data, we have a responsibility to protect it and respect it. These obligations are outlined in the General Data Protection Regulation (GDPR), which governs data protection and privacy for all individuals in the European Union.
The GDPR protects each of us as individuals, because it stops companies using our personal data in a way that we’re unhappy with, or didn’t even know about. It also puts a responsibility on these companies to keep any data they hold about us up-to-date and secure.
We hold a significant amount of personal data about people who are currently employed by TrustHub Group or who were in the past. We also hold data about recruiters, suppliers and our own staff. We take our responsibility to these individuals seriously.
This privacy policy explains how we process your personal data.
Data We Collect About You:
Most of the data we collect about you will be for normal employment reasons. In addition, there’s likely to be some information you give to us voluntarily. This section explains the data that we will typically collect about you.
We consider all data about you that we collect before, during and after your employment to be part of your ‘employment record’.
Data that you give to us
Mandatory information
To employ and pay you, we need certain details from you:
- Name and title
- Date of birth
- Home address
- Phone number
- Email address
- National Insurance Number, if you have one
- Bank details
- A certified copy of your photographic ID (usually your passport)
- Sex (we take this from your passport)
- Nationality
- A certified copy of your work visa, if required
- Occupation
- Industry
- Details about your student loan, if applicable
- Details about your work assignments
- Information about your working situation to help us allocate you the most appropriate tax code
- The P45 your previous employer gave to you (if you have one)
- Details about the recruitment agencies you work with
- Your candidate reference number, if your agency has given you one
You usually give us these details when you complete our registration form, or we may follow up with you later to ask for them.
We will collect most of this data directly from you. However, since it’s likely that your recruitment agency already holds this information and copies of your certified photographic ID and work visa, we may receive it from them as part of their referral to us.
These details are mandatory because without them, we may be unable to employ you, fulfil all of our employment obligations, deduct the correct amount of tax from your pay or provide you with the level of fast, user-friendly service that we aim for.
If anything changes or you spot any mistakes in the data that we hold about you, it’s important that you let us know. We will update our records but may keep an archived copy of your old information too.
For all of the data we’ve covered in this section, our lawful basis for collecting it is contract. This is because it’s necessary in order for us to fulfil our obligations to you.
Ad hoc information
During your employment, you might provide us with additional data about yourself. Due to the nature of a normal employer/employee relationship, it could include data such as:
- Accident reports
- Emails you send us
- Details of your work assignments
- Details about your qualifications and training
- Details about holidays or other breaks from work
- Medical information
- Future/former employers
- Evidence to support statutory benefit applications
If you choose not to provide us with any of these details, it may be impossible for us to meet our obligations to you or to provide you with the service that you’ve asked for.
For all of the data we’ve covered in this section, our lawful basis for collecting it is contract. This is because it’s necessary in order for us to fulfil our obligations to you.
We encourage you to only share information with us that is relevant for employment purposes, or that you are comfortable sharing conversationally. In data protection law, there’s a list of ‘special category’ data, which is data that is considered to be particularly sensitive. For example, it includes details relating to your health, trade union membership or religion. When you give us ‘special category’ data, the law requires that we can identify both our lawful basis for processing the data and an additional separate condition to cover the fact that it is ‘special category’.
In the event that you disclose sensitive information to us for employment purposes, our additional condition for storing and acting on it is that it’s necessary for carrying out our employment obligations.
In the event that you share sensitive information with us in conversation, we may keep a record of it incidentally but we would not do anything else with it. Our condition for doing so is that it has been manifestly made public by you.
Voluntary information
During your employment, you might choose to take part in surveys, polls or competitions that we organise, or contribute photos or comments for articles we’re writing. Or you may answer optional questions on forms that you complete. For example, on our registration form we ask for your Twitter username so that we can follow you and say hello.
Participation in anything like this is always voluntary and we will always explain what we will do with the data you’re giving to us. Our lawful basis for collecting this data is legitimate interests. If you change your mind about allowing us to use data that you submitted voluntarily, you can let us know by emailing adminteam@trusthubpayroll.com
Data we create
To help us manage your employment efficiently and smoothly, we create some data about you:
- We assign you a payroll number, which is a unique identifier that we use to identify you to HMRC. If you leave TrustHub Group and then re-join in the future, you will be assigned a new payroll number for each period of employment.
- We keep notes in our CRM system, e.g. records of conversations we’ve had with you, and may refer to you in emails as we strive to meet our duties as an employer.
Our lawful basis for doing these things is contract, because it is necessary in order to fulfil our obligations to you.
- Throughout your employment, we will generate pay advice slips and statutory documentation such as a P60. As your employer, these are legal requirements and so our lawful basis for doing this is legal obligation.
Data we collect from third parties
It’s likely that we will collect data about you from third parties:
- Your recruitment agency will routinely provide us with details about the number of days and hours you work and the agreed daily/hourly rate. We use this information to pay you, so our lawful basis for this is contract.
- HMRC may share information to ensure that we deduct the correct amount of tax, e.g. your tax code. Our lawful basis for this is legal obligation.
- Since it’s likely that your recruitment agency already holds copies of your photographic ID and work visa and would be able to certify them for us, we may request a copy from them. Our lawful basis for this is contract.
- We may learn data about you from publicly available sources, such as social media profiles or news articles, which we find using data you have provided to us (e.g. your name or email). We may refer to this information in internal communications, if we feel it’s useful to us in some way – for example, it’s an interesting customer insight. Our lawful basis for doing this is legitimate interests.
- Our employee pension is provided by NEST. Through their online login system, we have access to certain details about you, such as your date of birth, gender and pension contributions. We do not store or process this data. You can read NEST’s privacy notice on their website.
You have the right to object to any processing that is based on legitimate interests. To let us know that you object, please email adminteam@trusthubpayroll.com
How we use your data
We collect your data so that we can provide you with the service you’ve asked for, meet our legal obligations as an employer, run our business and manage our relationship with you effectively, lawfully and appropriately. We will use your data in the following ways:
- To meet our legal, regulatory and statutory obligations
As your employer, we are required to carry out certain duties involving your personal data, including:
- Verifying that you have the right to work in the UK prior to your employment commencing and in some cases, at set intervals thereafter
- Providing you with a contract of employment
- Making the correct tax and National Insurance deductions from your payments
- Deducting student loan repayments from your payments, where applicable
- Providing you with appropriate insurance cover
- Enrolling you in a pension when certain criteria are met
- Sending you mandatory communications related to your enrolment in the pension
- Providing you with statutory sick pay
- Providing you with maternity/paternity/adoption/shared parental pay
- Ensuring that you receive your rights under the Agency Workers Regulations 2010
- Reporting any workplace accidents or injuries that you’re involved in
- Ensuring that you receive the correct amount of holiday pay
- Producing a P60 for you each year
- Producing a P45 for you at the end of your employment
- Running payroll for you and transferring payments to your bank account
- Complying with court-ordered attachment of earnings orders or deductions of earnings orders (for example, if you owe child maintenance)
Sharing Your Data with Third Parties because of a Legal Obligation
In order to meet these obligations, there are times when we need to share your data with third parties. These occasions are:
- We have to share some of your data with a pension provider, to meet our automatic enrolment obligations under the Pensions Act 2008. This includes your contact details, date of birth and gender. Our pension provider is the National Employment Savings Trust (NEST) – a privacy policy is available on their website.
- Upon their request, we may be required to share your data with the Pensions Regulator.
- We have to share some of your income, personal and contact details with Her Majesty’s Revenue & Customs (HMRC) in order to meet our obligations as an employer. HMRC has a personal information charter on its website.
- To comply with the Agency Workers Regulations 2010, we may need to share information with your recruitment agency about your assignments. This would be most likely to happen if you start an assignment at a workplace where you’ve worked before via a different agency or when you reach 12 weeks at a certain workplace. We recommend reading your agency’s privacy notice.
- We would share information if requested to do so by a law enforcement agency or in response to a court order. Similarly, we have a duty to disclose information about possible criminal acts (for example money laundering) or security threats to the relevant bodies.
- We are obliged to report certain workplace accidents or injuries to the Health and Safety Executive (HSE) under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations, 2013. HSE has a privacy notice on their website.
- We may share your data with our insurers, Arthur J. Gallagher, in order to ensure that we have appropriate insurance cover for someone in your job role. We would also share data with them in the event that you make a claim, in order to resolve it. You can read their privacy notice on their website.
- In certain circumstances, we may need to check your immigration status. For example, we would do this if you were in the process of applying for or renewing your work visa and didn’t yet have the necessary documentation to show us. We would ask for your permission to submit your details to the Employer Checking Service provided by the Home Office, so that we could confirm you had the right to work in the UK while your application was ongoing. We may also verify your identity and the validity of your identity documents using software called ProveID powered by Experian.
- If a government body requests that we share confirmation of your earnings and/or employment, we will do so. Examples include the Department for Work and Pensions, Child Maintenance Service or the Home Office. The information requested often includes your National Insurance number, dates of employment, home address, copies of your pay advice slips/P45/P60 and a copy of your ID.
Our lawful basis for this processing is legal obligation.
- To fulfil our contractual obligations to you
Before you sign up with TrustHub Group, we tell you about all the things we would do for you if you joined. When you join, we’re making a promise to provide you with that service. This creates a contractual obligation. To meet this obligation, we use your personal data to achieve the following:
- Answer your queries
- Communicate with you about your payroll, employment and career and to tailor our communications to your circumstances
- Centralise your income for work through any number of recruitment agencies
- Provide you with a package of perks and discounts
- Provide references for mortgages, jobs, loans, tenancies etc.
- Assist with loss of earnings claims e.g. for jury service
- Process your expense claims in line with our expense policy
- Welcome you into our community of contractors
- Provide you with a reliable payroll service
- Provide an efficient, user-friendly, transparent service with exceptional customer care
Sharing for the purpose of fulfilling our obligations to you
We only share your data with third parties when it’s absolutely necessary. We only work with organisations that we trust, or who you have asked us to cooperate with. This is a list of the occasions when we would share your data with a third party in order to meet our contractual obligations:
- In order to provide you with a reliable, predictable payroll service, we work very closely with your recruitment agencies and may notify them when you join us so they know we’re ready to run payroll for you. We may also let them know when you leave our employment or share your name and other personal information to help us both identify you.
- You can view some of the personal data that we hold on you by logging into your account. To do this you will need to enter your username and password. We may also refer to data that we hold about you in phone or email discussions with you, after completing our security checks.
- We will speak to your recruitment agency to help resolve queries relating to your payroll or employment, as it’s in both your and our interests to get things sorted out quickly.
- If a non-government body requests that we share confirmation of your earnings and/or employment, we will ask for your permission to respond. Common examples include solicitors, banks and new employers.
- We bank with National Westminster Bank. All payments that we make to your bank account naturally involve a level of data sharing with our bank. Natwest has a privacy notice on their website.
- There may be times when you ask us to share data – for example, if you’re applying for a mortgage and need us to provide your bank with details about your income or if you have nominated a third party to speak to us on your behalf about your pay or employment (e.g. your spouse or a conciliation service like Acas).
Our lawful basis for this processing is contract.
What we don’t do with your data
- We will not pass your details to any third party not mentioned in this policy, unless we have your consent to do so. Should we need to introduce a new third party, for example because the law changes, we would update this privacy policy.
- If we’re making a decision that could have a significant effect on you, we would not base it solely on automated processing. To clarify, decisions related to your employment status or disciplinary matters would all involve a human.
- We will not send you any unsolicited marketing, except when we believe it’s something you’d be interested in and are permitted to do so by the Privacy and Electronic Communications Regulations.
- We will not transfer your personal data outside the European Union, except to countries that have been recognised by the European Commission as providing adequate protection for your data.
When you interact with us
There are various methods you might use to communicate with us, like email or phone. For each interaction method, there is different privacy information that we need to make you aware of. We recommend reading each section that applies.
When we speak on the phone
If you speak to us on the phone, we transcribe the key information of the call and store it on your record in our CRM software.
Our lawful basis for this processing is legitimate interests. You have the right to object to any processing that is based on legitimate interests. To let us know that you object, please email adminteam@trusthubpayroll.com
If you phone us, the advisor who answers your call will be able to see the number you are calling from, unless you withhold it. We will not store this data.
Remember that additional privacy information may apply, if you have a working relationship with us.
When we email you
We sometimes track when a recipient opens our email and what links they clicked on. We do this using, for example, UTM codes, read receipts, temporary redirections and short links. Sometimes this involves sharing a limited amount of your data with a specialist third-party service provider. These customer insights help us to tailor our future support and communications, so our lawful basis for this processing is legitimate interests.
Most emails that we send you will go via either Microsoft Exchange. Which service we choose depends on various factors, like the number of recipients and the design of the email. If we have a working relationship with you, it’s likely that we will use a combination of services to contact you at different times. Here’s what you need to know about each of them.
Microsoft Exchange
When we email you, we keep a note of:
- The date/time that the email was sent
- Your email address
- The recipients’ email addresses
- The subject line
- Your IP address
We only use this information for troubleshooting mail delivery and protecting our email system from spam, malware and viruses. This is done via a third-party provider, GFI, who have a privacy policy on their website. We keep this data for six months and then delete it. Our lawful basis for this processing is legitimate interests.
Other systems
We sometimes send emails via other third-party communication services. For example, if you complete a form on our website you will receive an automated confirmation email that is sent via the service we used to build the form. Other than sometimes tracking when you open the email and what links you’ve clicked on (as explained at the top of this section), we don’t collect any other data about you when we send these emails.
When you email us
When you email us, we keep a note of:
- The date/time that the email was sent
- Your email address
- The recipients’ email addresses
- The subject line
- Your IP address
We only use this information for troubleshooting mail delivery and protecting our email system from spam, malware and viruses. This is done via a third-party provider, GFI, who have a privacy policy on their website. We keep this data for six months and then delete it. Our lawful basis for this processing is legitimate interests.
We obviously also receive a copy of the content of your email. We will read your message and take the appropriate action in response. If you’re a customer, we may store the whole email or details from it in your CRM record. It would then be retained in accordance with our retention policy for employees, enquirers or recruiters.
Remember that additional privacy information may apply, if you have a working relationship with us.
Storing your data
We will keep your employment record for six years after the date your employment ends. If your employment ends but then restarts again less than six years later, we will restart the clock. In other words, your employment record will be retained until it has been a full six years since you were last employed by us. This is a common scenario and allows us to provide a seamless service.
Our lawful basis for this retention policy is, firstly, legal obligation under the Income Tax (Pay As You Earn) Regulations 2003. This law requires us to retain PAYE records for a period of three years from the end of the tax year that they relate to.
Outside of that requirement, we believe it’s in your and our legitimate interests to retain your employment record for six years. There are a few reasons behind this:
- Service: it allows us to provide an extended post-employment service – for example, access to your pay advice slips, job references and answering queries. Employment is our service and it doesn’t stop with a P45.
- Tax advice and support: we want to be able to support you with any tax assessments that you are subject to in future. The nature of contracting means that you’ll often have multiple employers and maybe even become a director of your own limited company, so it can get complex. It’s not uncommon for ex-employees to ask us for old income and tax records to support these cases. HMRC has a maximum of six years to raise a tax assessment against someone, as per the Taxes Management Act 1970.
- Contractual disputes: the Prescription and Limitation (Scotland) Act 1973 and Limitation Act 1980 allow a period of five and six years respectively in which to bring a contractual-related claim to court. Of course we hope this need never arises, but if it did, it would be helpful to all parties to have your employment record to hand and for us to be able to protect our position in the event of legal proceedings.
You have the right to object to any processing that is based on legitimate interests. To let us know that you object, please email adminteam@trusthubpayroll.com
Your Rights under GDPR
The GDPR gives you certain rights over your own data. Firstly, you have the right to be informed about the collection and use of your personal data – that’s what our privacy policy aims to explain.
The privacy information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. If you feel that we haven’t met this standard, please let us know. There’s a lot of information to convey and we’ve done our best to make it readable.
You have the right to access the personal data that we hold on you, and to have inaccurate or incomplete data rectified. In certain circumstances, you have the right to have your personal data erased (also known as the ‘right to be forgotten’), to restrict processing and to request a copy of your data in a format that you can pass to another organisation (known as data portability).
You also have the right to object to direct marketing or any processing that is based on legitimate interests. To let us know that you object, please email adminteam@trusthubpayroll.com and explain exactly what data processing it is that you’re concerned about.
For any data processing that is based on consent, you have the right to withdraw your consent at any time. To withdraw your consent, please email adminteam@trusthubpayroll.com and explain exactly what data processing it is that you want to withdraw your consent for.
If you have a concern about how we use your information, you have the right to lodge a complaint with the Information Commissioner’s Office.
Definitions
Our privacy policy uses some data protection-related words and phrases that you might not be familiar with, so we’ve defined them here for quick reference:
Consent (as it relates to data protection): this is one lawful basis that companies may use for processing your personal data. It means you have explicitly opted-in (e.g. by ticking a box) to this specific type of processing and you must have done so freely. If you change your mind later, you can withdraw your consent at any time.
Contract (as it relates to data protection): this is one lawful basis that companies may use for processing your personal data. It means that the company needs to process your data to fulfil their contractual obligations to you or because you asked them to do something before potentially entering into a contract. Before you join our service, we tell you about all the things we would do for you if you did so. This promise that we make to you creates a contractual obligation.
CRM (or ‘Customer Relationship Management’ software): a database where we store data about our customers. We use CRM to manage our relationships with our customers securely and smoothly.
Data controller: a company who determines the purposes and means of processing personal data. TrustHub Group Ltd is a data controller.
Data processor: a company who is responsible for processing personal data on behalf of a controller.
General Data Protection Regulation (or GDPR for short): a law that governs data protection and privacy for all individuals in the European Union. It came into force on 25th May 2018. You can read it online.
The Information Commissioner’s Office (ICO): an independent body that was formed to uphold information rights and promote data privacy in the UK. They are responsible for enforcing the GDPR in this country and our privacy policy was created in line with their guidance.
TrustHub Group Ltd: when we say ‘TrustHub Group’, ‘we’ or ‘us’, we are referring to TRUSTHUB GROUP Ltd.
Lawful basis: companies must have a valid lawful basis to process personal data. There are six lawful bases that can be used, and businesses choose the most appropriate one for each situation. If no lawful basis applies, the processing cannot take place.
Legal obligation: this is one lawful basis that companies may use for processing your personal data. It means that the company has an obligation to carry out the processing because there is a specific legal provision or source of guidance that tells them they must do so.
Legitimate interests: this is one lawful basis that companies may use for processing your personal data. It can be used when the organisation believes that the processing is in either their own or someone else’s best interests, but only if the individual would reasonably expect their data to be used in this way and it has a minimal privacy impact on them. The organisation takes on extra responsibility for considering and protecting the individual’s rights and interests and must be able to demonstrate that they’ve done so. You have the right to object to any processing that is based on legitimate interests.
Personal data: basically, it’s any information about you that could identify you, either directly or indirectly. It includes everything from your name and email address to the cookies that are placed on your device when you visit a website.
Privacy and Electronic Communications Act (or PECR for short): a law that gives people specific privacy rights in relation to electronic communications, like marketing emails and cookies. These rights are in addition to the rights that the GDPR provides. It is enforced by the ICO.
Processing data: this covers anything that a business does with an individual’s data. Broadly, it means collecting, using, disclosing, retaining or disposing of their personal data.
Public task: this is one lawful basis that companies may use for processing your personal data. It applies only when they exercise official authority or they’re acting in the public interest and as such, we don’t rely on this particular lawful basis for any of our data processing.
Special categories of personal data: this is data that the GDPR considers to be more sensitive than other types of data and so needs to be better protected. This includes information about your health, sexual orientation, religion and trade union membership.
Vital interests: this is one lawful basis that companies may use for processing your personal data. It applies only when they need to protect someone’s life.