15 December 2019
myroyalmail is updated daily

People Privacy Notice

People Privacy Notice

Welcome to Royal Mail Group’s people privacy notice.  

Royal Mail Group is committed to respecting your privacy and protecting your personal data. This privacy notice will explain how we process personal data and tell you about your privacy rights.

We’ve updated the privacy notice to take into account the requirements of the General Data Protection Regulation (GDPR).

This privacy notice covers the specific areas set out below. 

1. About Royal Mail Group and this privacy notice

2. Personal data we hold for employment purposes

3. How we use personal data

4. Security of personal data

5. Who do Royal Mail Group share data with?

6. Transfers of personal data outside of the UK

7. How long do we keep personal data?

8. Your legal rights

9. Automated processing

10. How to contact us

 

 

 

1. About Royal Mail Group and this privacy notice

This privacy notice is intended to provide you with information about how Royal Mail Group collects and processes personal data of people who work for, or who have applied to work for, Royal Mail. This includes, but is not limited to, personal data we collect from you as part of the recruitment process, when you sign up for benefits and; information which is collected or created in the course of work-related activities.

Royal Mail Group includes Royal Mail and Parcelforce Worldwide. Your contract or terms of employment will let you know which part of Royal Mail Group will be responsible for your data.

In this notice ‘employee’ applies to current and former employees, workers and contractors. This notice does not form part of or create any contract of employment or other contract to provide services. We may update this notice at any time

What is personal data?

Personal data means any information which relates to a living individual who can be identified either directly or indirectly by reference to an identifier such as their name, email address and other personal details.

Where can I find further information about how employee personal data is used?

You can find further details of how information will be used in specific circumstances within Royal Mail Group’s employment policies and guides. These policies can be found on the Policy and Information site on PSP. Non-PSP users can access the policies on Royal Mail Group’s intranet: https://intranet.royalmailgroup.com/HumanResources/Pages/HRPolicies.aspx

All letters and forms related to these policies and guides can be accessed through PSP. Employees who do not have access to PSP can ask their manager for copies of the documents, who will be able to access all guides, letters and forms through PSP.

Where you sign up to different employee schemes or benefits, the accompanying information and terms and conditions for those services will explain the use of personal data for that scheme or service.

Where you use information and communication systems (such as IT platforms and communication tools) we may provide privacy notices which explain how data will be handled by Royal Mail Group and, where applicable, our IT providers.

This privacy notice does not override those notices and should be read together with any other privacy notice or fair processing notice we may provide on specific occasions where we are collecting or processing personal data.

 

 

 

2. Personal data we hold for employment purposes

Royal Mail Group needs to process employee personal data for specific purposes. This includes information that you provide to us and information which is created in the course of your employment. For more details of the personal data we process, and where this information comes from, see the table below.

Categories of data

Description

Source

Personal details

This includes your name; date of birth; gender; home address; telephone number(s); other contact details; emergency contact and family details.

This information is normally provided by you when you apply for a job and subsequently when updating your records. You may provide information on a form submitted to your line manager or HR or; you may input information directly into PSP and other systems (e.g. SuccessFactors and My Bundle).

 

Work History, education and training details

Educational and professional qualifications; job applications and CVs; employment history; references and other information obtained as part of the application process; professional memberships; training records throughout your time working with Royal Mail Group. 

Some of this information will be provided by you yourself when you apply for a job or if you apply for a new position within Royal Mail Group.

 

We will also receive some information from third parties such as previous employers, employment agencies, training providers and; background check providers (e.g. Disclosure and Barring Service).

Employment records

Right to work documentation; position and work location; documentation required for specific roles (e.g. drivers’ records); attendance records; employment history; job titles, duties and working hours.

 

Some of this information will be provided by you yourself or created/collected during your time working for Royal Mail Group.

Financial and pay records

Bank account details; payroll records; pension records; tax records; employee benefits; voluntary deductions and salary sacrifice arrangements.

This information will be created throughout your period of employment. Some information will be provided by you (e.g. bank account details, pension arrangements and optional flexible benefits).

Shareholder records

This includes details of any Royal Mail Free Shares you have been given; any Royal Mail shares that you have bought yourself; records of dividends you may have received

This information will be created during your period of employment; when you purchased shares and during certain administration activities for the company.

Performance information

Information relating to your performance in work. Such as information recorded in appraisals.

 

This information will be created throughout your period of employment. Some information will be provided by you, such as evidence during the appraisal process or created by relevant employees, such as your line manager, in the course of their work duties.

Conduct and grievance information

Records of conduct or grievance cases. For example, grievances raised by or against you and information relating to your conduct including records of how these cases are handled and resolved.

This information will only be created where appropriate and in accordance with relevant policies. Information will be provided by you or other employees or members of the public. Information will also be created in the course of handling and resolving cases.

 

Information obtained through our systems and other electronic means

 

This includes information relating to your use of business information and communication systems; CCTV footage and other images or audio recordings; information collected through new technology (including data relating to employment movements on RMG premises, in RMG vehicles or on delivery).

This information will be created during your employment. Information will be obtained from technology deployed in our premises and vehicles.

Information about race or ethnicity

Ethnicity details.

This information will be obtained from you if you choose to provide it.

Union Membership

Where required, this will include details of your membership, requests for deductions from your pay and records of deductions made.

Any request for deductions to be made from your salary will come from you/your trade union.

Information about your health

 

This includes information about absences, medical conditions, sickness records and; occupational health assessments and other records.

 

Some of this information will be provided by you yourself when provide details of absences or your health in relation to work.

We may also receive information from third parties such as occupational health service providers (e.g. if you agree to referral to assess your health).

Accident Records

Records of accidents, or health and safety incidents, you have been involved in.

Some of this information will be provided by you if you report an accident or will be created in the course of reporting, investigating or documenting an accident or incident.

Information about criminal convictions and offences

Records relating to any criminal convictions you have had, as well as any penalties imposed, such a fines or prison sentences.

Information may be provided by you in the course of you working for us. Information may also be obtained from third parties such as background check providers (e.g. Disclosure and Barring Service) or information created Royal Mail Group employees in the course of their duties.

 

We will only collect information about criminal convictions if it is appropriate and where we are lawfully able to do so.

 

 

3. How we use personal data

Royal Mail Group processes personal data relating to employees for a number of different purposes. Royal Mail Group will only process your personal data where there is a legal basis for doing so under data protection laws.

Purposes for processing personal data

The purposes for which we process personal data are:

  • Recruitment – of permanent employees, contractors and temporary workers.
  • Security Vetting – security and background checks.
  • Staff Administration – line management, maintaining employment records, managing attendance and performance.
  • Payroll – providing pay and benefits, deducting tax and national insurance contributions.
  • Pensions administration
  • Training and development
  • Occupational Health – managing attendance, assessing your fitness to work and supporting you in work.
  • Personnel Matters – e.g. dealing with conduct cases and grievances.
  • Complying with legal obligations – e.g. equal opportunities monitoring and health and safety obligations.
  • Claims and legal proceedings – e.g. responding to claims or taking legal action.
  • Employee communications – providing you with information about Royal Mail Group and employee benefits.
  • Business management and planning – operating our business.
  • Company administration – including maintaining shareholder records and administration of shares.
  • Monitoring use of information and communication systems - to ensure compliance with business standards and policies.
  • Information Security – ensuring network and information security, including preventing unauthorised access to our systems.
  • Prevention and detection of Crime – including the use of CCTV.

Lawful basis for processing personal data

Our lawful bases for processing personal data are:

(a)   Contract: the processing is necessary for a contract or agreement with you.

(b)   Legal Obligation: the processing is necessary to comply with the law. This includes compliance with employment regulations, tax and other applicable regulations.

(c)   Legitimate Interests: the processing is necessary for legitimate interests pursued by Royal Mail Group. This includes a legitimate interest in:

  • Training and developing people.
  • Maintaining standards of conduct and behaviour.
  • Communicating effectively with people
  • Managing a business effectively
  • Providing postal services to customers
  • Protecting information, rights, property and safety

 (d)   Consent: in very limited cases we may obtain your consent to process data for specific purposes.

In a number of situations we need to process ‘special categories’ of personal data, this includes health information, details of ethnicity and union membership. Our legal basis for processing this sensitive personal data is that the processing is necessary for the carrying out our obligations in the field of employment and social security and social protection law.

Please note that more than one of the lawful bases above will apply to most processing activity. Please contact us using the details below if you need details about the specific legal basis that we rely on to process your personal data in a particular situation.

Provision of information which is a statutory or contractual requirement

We need you to provide some personal information for legal purposes. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing employee benefits), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers). If there is a specific legal requirement for you to provide information, this will be explained to you.

 

 

4. Security of personal data

Royal Mail Group takes the security of your data extremely seriously. All personal data must be handled and kept secure in accordance with Royal Mail Group policies and standards. This includes controlled access to personal data and appropriate procedures and technological security measures to safeguard personal data.

Our Information Security Policy, which covers the security of personal data, is available on the Royal Mail Group intranet: https://intranet.royalmailgroup.com/CompanySecretarysOffice/Pages/group_policies.aspx

If you do not have intranet access speak to your manager who will be able to access Royal Mail Group policies.

 

 

5. Who do Royal Mail Group share data with?

Relevant employees and agents or contractors may process your data for the purposes set out above. For example, your manager and relevant employees within HR may process your information to ensure you are paid correctly and to manage attendance. Categories of recipients outside of Royal Mail Group are listed below:

Selected third parties and service providers

We may provide personal data to third party service providers who help us run our business. For example, our IT suppliers need to process personal data so that employees can use email and other IT systems. Personal information may also be shared with service providers who perform services on behalf of Royal Mail Group such as printing or sending payslips and communications to you on our behalf.

All our third-party service providers and other entities in the group are required to undertake appropriate security measures to protect your personal information in line with our policies. We only permit third-party service providers to process your personal data for specified purposes and in accordance with our instructions.

Disclosures required by law or for regulatory purposes

Royal Mail Group may share personal data with other organisations or public bodies such the police, law enforcement agencies, fraud prevention agencies and other bodies where disclosure is required by law or otherwise appropriate for the prevention or detection of crime or to protect the rights, property or safety of any person. Royal Mail Group may also be required to disclose certain personal data for the purposes of legal proceedings.

Personal data may be shared with regulators, such as the postal regulator Ofcom and the Information Commissioner, where necessary or appropriate for regulatory purposes or compliance with legal obligations. 

 

 

6. Transfers of personal data outside of the UK

We may send or transfer personal data outside of the UK where a Royal Mail Group company or representative outside of the UK needs to process information for the purposes stated in this notice.

We may send information outside of the UK where we use a service or technology provider based overseas. Where information is sent outside the European Economic Area ("EEA") we ensure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

  • We’ll use the model contractual clauses provided by the European Commission
  • The European Commission will decide that the country or international organisation has an adequate level of personal data protection
  • The information will be handled by an organisation that is providing a level of protection that’s approved by the European Commission. For example, the Privacy Shield scheme for organisations based in the USA

 

 

7. How long do we keep personal data?

Royal Mail Group policy is to only retain personal information for as long as it is required for the purpose or purposes for which we use it. We will determine how long to retain different data based on the following requirements:

  • How long the information is needed for the purpose or purposes it is used for, and;
  • Legal and regulatory requirements – such as where Royal Mail Group needs to retain employee records or financial data for an additional period of time in order to comply with the law.

Our Information Governance Policy, which covers retention of business information and records, is available on the Royal Mail Group intranet: https://intranet.royalmailgroup.com/CompanySecretarysOffice/Pages/group_policies.aspx

If you do not have intranet access speak to your manager who will be able to access Royal Mail Group policies.

 

 

8. Your legal rights

Data Protection law provides the following rights for individuals.

The right to be informed about how your data is processed

Royal Mail Group will provide you with ‘fair processing information’ through privacy notices such as this one or notices in place where we collect personal data from you.

Right of access

You have the right to access your personal data and details of how we process it.

You can request details of the personal data Royal Mail Group holds about you, by contacting our Information Rights Team – information.rights@royalmail.com.

Proof of identification is required in order to protect your information. We also request that applicants state which information and processing activities their request relates to as well as likely dates of the processing.

Right to rectification

Individuals have the right to have personal data rectified if it is inaccurate or incomplete.

Royal Mail Group will ensure that personal data is kept accurate and up to date as far as is reasonably possible. However, Royal Mail Group relies on employees to ensure that some of the information it holds about them is accurate and up-to-date. We encourage employees to inform Royal Mail Group of any changes to their information (e.g. by updating your personal information in PSP or informing your manager of changes).

Right to object

All individuals have the right to object to some uses of personal data, such as direct marketing. Individuals also have the right to object to the processing of personal data based on legitimate interests or the performance of a task in the public interest. If an individual objects to their personal data being processed, organisations may still continue to process the data provided they have legitimate grounds or other lawful bases for doing so.

Please note that the right to object only applies in limited circumstances. For example, where processing your personal data is necessary for the purposes of your employment contract or; to comply with a legal obligation, then the right to withdraw consent will not be applicable.

Right to erasure

Individuals have the right to request deletion or removal of personal data where there is no legitimate reason for its continued processing. However, where personal data still needs to be retained to meet legal requirements or for legitimate purposes, it will not be possible to delete that data and some requests may therefore be declined.

Right to restrict processing

Individuals have the right to ‘block’ the processing of personal data in limited circumstances, such as where the accuracy of personal data is contested.

Right to data portability

This right only applies to personal data which you have provided to us, which we use on the basis of your consent or to perform a contract with you.

The right to data portability enables individuals to reuse their personal data across different services; allowing them to move or copy data from one organisation to another if they choose.

Your right to withdraw consent

Where we process your personal data based on consent, you have the right to withdraw that consent. Please note that this only applies in circumstances where individuals have provided consent to the collection and processing of their personal data for a specific purpose. It does not apply where the legal basis for processing personal data is not consent. For example, where processing your personal data is necessary for the purposes of an employment contract or; to comply with a legal obligation, then the right to withdraw consent will not be applicable.

If you wish to exercise your individual rights in respect of your personal data please contact our Information Rights Team: information.rights@royalmail.com

 

 

9. Automated processing

Royal Mail Group sometimes uses personal data to analyse the capabilities and behaviours of individuals. For example, online testing is used as part of some recruitment procedures. You have the right to object to processing (including profiling and analysis using personal data) on grounds relating to your own situation – see section 8 for more information on your rights.

You will not be subject to any decisions that will have a significant impact on you based solely on automated processing (i.e. without human input), unless there is a lawful basis and legitimate requirement for this. Where any decisions are based solely on automated processing, individuals will be informed of this.

 

 

10. How to contact us

Employees with enquiries relating to their personal data or this privacy notice should contact Royal Mail Group’s Information Rights & Governance Team:

Information Rights and Governance Team
Royal Mail Group
Pond Street
SHEFFIELD
S98 6HR

Email: information.rights@royalmail.com

Employment Queries

Employees should contact their manager in the first instance with any queries about the employment data or in relation to HR policies.

Managers can obtain advice by:

  • Contacting the dedicated Advice and Support helpline for your Business Unit
  • Calling the HR Advice Centre on 0345 6060603 / 5456 7100
  • Senior manager helpline 01142 414815 / 54564815
  • Managers working for Parcelforce Worldwide can call 0345 6042787 / 5456 4747

Our Data Protection Officer

You can contact Royal Mail Group’s Data Protection Officer at:

Royal Mail Group

100 Victoria Embankment

London

EC4Y 0HQ

Email: information.rights@royalmail.com

 

Right to complain to the supervisory authority

If you believe we have failed to comply with our obligations under the General Data Protection Regulation, you have the right to complain to the Information Commissioner’s Office at the following address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

www.ico.org.uk

 

Changes to our privacy notice

We will keep our privacy notice under regular review and will place any updates on this webpage. This privacy notice was last updated 18 May 2018.