Employee, secondee and contractor privacy notice
Published 13 March 2024
1. Purpose
Great British Nuclear (GBN) is committed to protecting the privacy and security of your personal information. This privacy notice sets out the standards you can expect from us when we collect, hold or use your personal information.
2. Scope
This privacy notice only relates to the processing of employee, secondee and contractor personal data carried out by Great British Nuclear.
3. Policy details
3.1. Introduction
In this Data Privacy Notice the terms GBN, we, us and our are references to British Nuclear Fuels Limited (company number 05027024) having a registered address at:
10 Victoria Street
London
SW1H 0ET
trading as Great British Nuclear.
GBN will be the data controller of your personal data. In addition, where processing of personal data is undertaken by other companies and/or government departments or offices associated with GBN – including but not limited to the Department for Energy Security and Net Zero (formerly the Department for Business, Energy and Industrial Strategy) – for their own independent purposes, these associated companies and government departments/offices may be joint controllers of your personal data.
We hold and process data on all current and former employees, workers, individual contractors, contingent workers, secondees, applicants, interview candidates, interns, agency workers, consultants, directors, members (such as partners) (staff or you or your), and third parties whose information you provide to us in connection with the employment or other working relationship (for example next-of-kin, emergency contact information and/or dependents).
We take your data protection rights and our legal obligations seriously. Your personal data will be treated in a secure and confidential manner and only as set out below or otherwise notified to you in writing.
Please read the following carefully to understand our views and practices regarding your personal data and how we treat it. The following Data Privacy Notice describes the categories of personal data we may process, how your personal data may be processed, for what purposes we process your data and how your privacy is safeguarded in the course of our relationship with you. It is intended to comply with our obligations to provide you with information about GBN’s processing of your personal data under privacy laws. It does not form part of your contract of employment or engagement.
If you have any questions about this Data Privacy Notice or would like to access the information it contains in a different format, please contact Scott Walker, scott.walker@gbnuclear.gov.uk (Data Protection Officer).
Purely for the purposes of this Data Privacy Notice, references to employment include engagement where you do work for us and you are not an employee.
3.2. Responsibility for data privacy
The contact details of each of GBN’s data controllers and, where applicable their representatives and relevant data protection contact, are available upon request from the data protection lead.
If you have any questions regarding the processing of your personal data or if you believe your privacy rights have been violated, please contact your local Human Resources contact or the data protection lead.
3.3. Processing of personal data
GBN collects and processes your personal data for the purposes described in this Data Privacy Notice. As set out in our Data Privacy Policy, personal data means any information describing or relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
3.4. What personal data do we process?
We collect various types of personal data about you for the purposes described in this Data Privacy Notice including:
- personal details: your title and name, birth name, preferred name, any additional names, gender, nationality, second nationality, civil/ marital status, date of birth, age, home contact details (such as address, telephone or mobile number, email), national ID number, immigration and eligibility to work information, driving licence, languages spoken; next of kin/ dependent/ emergency contact information, details of any disability and any reasonable adjustments required as a result
- recruitment and selection data: skills and experience, qualifications, references, CV and application, record of interview, interview notes and assessment, vetting and verification information (for example results of credit reference check, financial sanction check and a basic disclosure criminal record check relating to unspent convictions where carried out and permitted by applicable law), right to work verification, information related to the outcome of your application, details of any offer made to you
- data related to your engagement: contract of employment or engagement, work contact details (for example corporate address, telephone number, e-mail), employee or payroll number, photograph, work location default hours, default language, time zone and currency for location, your worker ID and various system IDs, your work biography, your assigned business unit or group, your reporting line, your employee/ contingent worker type, your hire/ contract begin and end dates, terms and conditions of engagement, your cost centre, your job title and job description, your working hours and patterns, whether you are full or part time; your termination/contract end date; the reason for termination; your last day of work; exit interviews, references to be provided to prospective employers, status (active/ inactive/ terminated); position title; the reason for any change in job and date of change
- regulatory data: records of your registration with any applicable regulatory authority, your regulated status and any regulatory certificates and references.
- remuneration and benefits data: your remuneration information (including salary/ hourly plan/ contract pay/ fees information as applicable, allowances, overtime, bonus and commission plans), payments for leave/absence (for example holiday pay, sick pay, family leave pay), bank account details, grade, national insurance number, tax information, third party benefit recipient information (for example expression of wish and dependents information), details of any benefits you receive or are eligible for, benefit coverage start date, expense claims and payments, loans, deductions, salary sacrifice arrangements, childcare vouchers, share scheme participation, information and agreements
- leave data: attendance records, absence records (including dates and categories of leave/ time-off requests and approvals), holiday dates, requests and approvals and information related to family leave (maternity, paternity, adoption, parental, shared parental, dependents), information related to special leave (for example bereavements, jury service, compassionate)
- absence management data: absence history, fit notes, details of incapacity, details of work impact and adjustments, details of treatment and prognosis, manager and HR communications, return to work interviews, meeting records, medical reports, occupational health reports
- flexible working procedure data: requests, consideration, correspondence, meeting notes and outcome records
- restructuring and redundancy records: change plans, organisation charts, consultation records, selection and redeployment data
- performance management data: colleague and manager feedback; your appraisals and performance review information, outcomes and objectives; talent programme assessments and records; succession plans; formal and informal performance management process records
- training and development data: data relating to training and development needs or training received or assessments completed
- disciplinary and grievance data: allegations, complaints, investigation and proceeding records and outcomes
- health and safety data: health and safety audits, health and safety screening requests and results, risk assessments, incident reports
- monitoring data (to the extent permitted by applicable laws): closed circuit television footage, system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security programmes and filters
- employee claims, complaints and disclosures information: subject matter of employment or contract-based litigation and complaints, pre-claim conciliation, communications, settlement discussions, claim proceeding records, employee involvement in incident reporting and disclosures
- equality and diversity data: where permitted by law and provided voluntarily, data regarding gender, age, race, nationality, religious belief and sexuality (stored anonymously for equal opportunities monitoring purposes)
- any other personal data which you choose to disclose to GBN personnel during the course of your engagement whether verbally or in written form (for example in work emails)
- informal opinion data generated in the course of your engagement relating to the administration or management of GBN’s relationship with you
Certain additional information will sometimes be collected where this is necessary and permitted by local applicable laws.
3.5. Special categories of personal data
To the extent permitted by applicable laws GBN collects and processes a limited amount of personal data within the above data listed at in 3.4 falls into special categories, sometimes called sensitive personal data. This term means information relating to.
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- physical or mental health (including details of accommodations or adjustments)
- sex life or sexual orientation
- biometric and genetic data
- criminal records and information regarding criminal offences or proceedings
3.6. How does GBN collect personal data
GBN collects and records your personal data from a variety of sources, but mainly directly from you. You will usually provide this information directly to your managers or local Human Resources contact or enter it into our systems (for example, through your self service access to our HR systems, your participation in HR processes, emails and instant messages you send or through verbal information which may be recorded electronically or manually). In addition, further information about you will come from your managers or Human Resources or occasionally your colleagues.
We also obtain some information from third parties: for example, references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers, or where we employ a third party to carry out a background check, Baseline Personnel Security Standard check or other security clearance check or vetting process (together, referred to as “Background Checks”) (where permitted by applicable law). We also obtain information on secondees from their employing organisation.
In some circumstances, data will sometimes be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings, instant message logs and email and Internet access logs), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by GBN or a third party provider of the relevant service. This type of data is generally not accessed on a routine basis but access is possible. Access can occur, for instance, in situations where GBN is investigating possible violations of Company policies such as those relating to travel and expense reimbursement, use of the telephone system and the Internet, or employee conduct generally, or where the data are needed for compliance or billing purposes. More frequent access to such data may occur incidental to an email surveillance program, if and to the extent permitted by applicable laws.
Where we ask you to provide personal data to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. Failure to provide any mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, we will not be able to pay you. In some cases, it may mean that we are unable to continue with your employment or engagement as GBN will not have the personal data we believe to be necessary for the effective and efficient administration and management of our relationship with you.
Apart from personal data relating to you, you may also provide GBN with personal data of third parties, notably your dependents and other family members, for purposes of HR administration and management, including the administration of benefits and to contact your next of kin in an emergency. Before you provide such third-party personal data to GBN you must first inform these third parties of any such data which you intend to provide to GBN and of the processing to be carried out by GBN, as detailed in this Data Privacy Notice.
3.7. What are the purposed for which personal data are processed?
Your personal data are collected and processed for business purposes, in accordance with applicable laws and any applicable collective bargaining agreements. Data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (for example in investigations or disciplinary proceedings).
We collect and process your personal data for purposes including.
- recruitment and selection including:
- to assess your suitability to work for us including short listing, agreements and interviews
- to conduct pre-employment checks including verification of your identity, checking your legal right to work and checking references
- to conduct a pre-employment credit reference check, financial sanction check and a check in relation to suspect criminal activities in order to prevent crime and other unlawful acts and to protect the business and clients/ customers from the risk of dishonesty, malpractice or improper conduct
- to compare you with other applicants and make a decision whether to offer you employment
- to consider any reasonable adjustments either for the recruitment process or if you were to commence employment with us in the event you have a disability
- to make a job offer and provide a contract of employment
- to prepare to bring you on board as an employee where you accept an offer of employment from us. In this case we will customise to make sense of the information gathered during recruitment for the purpose of your employment and will transfer some of this to our employment systems and files
- to contact you if you are not successful should another potentially suitable vacancy arises during the 6 months following the completion of the recruitment process for the role you applied for
- to deal with any query, challenge or request for feedback received in relation to our recruitment decision
- training, development, promotion, career and succession planning and business contingency planning
- providing and administering remuneration, benefits and incentive schemes and reimbursement of business costs and expenses and making appropriate tax and social security deductions and contributions
- allocating and managing duties and responsibilities and the business activities to which they relate, including business travel
- identifying and communicating effectively with staff
- managing and operating appraisal, conduct, performance, capability, absence and grievance related reviews, allegations, complaints, investigations and processes and other informal and formal HR processes and making related management decisions
- consultations or negotiations with representatives of staff
- conducting surveys for benchmarking and identifying improved ways of working and employee relations and engagement at work (these will often be anonymous but may include profiling data such as age to support analysis of results)
- processing information about absence or medical information regarding physical or mental health or condition in order to assess eligibility for incapacity or permanent disability related remuneration or benefits; determine fitness for work; facilitate a return to work; make adjustments or accommodations to duties or the workplace; make management decisions regarding employment or engagement or continued employment or engagement or redeployment; and conduct related management processes
- for planning, managing, and carrying out restructuring or redundancies or other change programmes including appropriate consultation, selection, alternative employment searches and related management decisions
- operating email, IT, internet, social media, HR related and other GBN policies and procedures. To the extent permitted by applicable laws, GBN carries out monitoring of its IT systems to protect and maintain the integrity of GBN’s IT systems and infrastructure; to ensure compliance with GBN’s IT policies and to locate information through searches where needed for a legitimate business purpose
- satisfying our regulatory obligations to supervise the persons employed or appointed by GBN to conduct business on its behalf, including preventing, detecting and investigating a wide range of activities and behaviours, whether relating to specific business dealings or to the workplace generally and liaising with regulatory authorities
- protecting the private, confidential, and proprietary information of GBN, its employees, its clients and third parties
- complying with applicable laws and regulation (for example maternity or parental leave legislation, working time and health and safety legislation, taxation rules, worker consultation requirements, other employment laws and regulation to which GBN is subject in the conduct of its business)
- monitoring programmes to ensure equality of opportunity and diversity with regard to personal characteristics protected under applicable anti-discrimination laws
- planning, due diligence and implementation in relation to a commercial transaction or service transfer involving GBN that impacts on your relationship with GBN for example mergers and acquisitions or a transfer of your employment under applicable automatic transfer rules
- for business operational and reporting documentation such as the preparation of annual reports or tenders for work or client team records including the use of photographic images
- to operate the relationship with third party customer and suppliers including the disclosure of relevant vetting information in line with the appropriate requirements of regulated customers to those customers, contact or professional CV details or photographic images for identification to clients or disclosure of information to data processors for the provision of services to GBN
- where relevant for publishing appropriate internal or external communications or publicity material including via social media in appropriate circumstances
- to support HR administration and management and maintaining and processing general records necessary to manage the employment, worker or other relationship and operate the contract of employment or engagement
- to comply with reference requests where GBN is named by the individual as a referee
- to set and change access permissions
- to provide technical support and maintenance for HR information systems
- to enforce our legal rights and obligations, and for any purposes in connection with any legal claims made by, against or otherwise involving you
- to comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country
- for other purposes permitted by applicable laws, including legitimate interests pursued by GBN where these are not overridden by the interests or fundamental rights and freedoms of staff and where these have been explained to you before the relevant data is collected or the processing is carried out
Special categories of data may be collected and processed by GBN for the following purposes.
- documentation such as work permits, details of residency, proof of citizenship will be processed to assess and review eligibility to work for GBN in the jurisdiction in which you work
- your racial or ethnic origin, religion, philosophical or political belief, sexual orientation or disability status may be used for the collection of statistical data subject to local laws, or where required to record such characteristics to comply with equality and diversity requirements of applicable local legislation or to keep GBN’s commitment to equal opportunity under review
- health and medical information may be used to comply with employment, health and safety or social security laws. For example, to provide statutory incapacity or maternity benefits, avoid breaching legal duties to you, to ensure fair and lawful management of your employment, avoid unlawful termination of your employment, to administer GBN’s private medical and long-term disability schemes, to make reasonable accommodations or adjustments and avoid unlawful discrimination or dealing with complaints arising in this regard
- information regarding your racial or ethnic origin, religion, philosophical or political belief, sexual orientation, sexual life and sexual orientation may be used in the event of a complaint under GBN’s grievance, whistleblowing, anti-bullying and harassment or similar policies where such characteristics or information are relevant to the particular complaint, in order to comply with employment law obligations
Additional information regarding specific processing of personal data may be notified to you locally or as set out in applicable policies.
3.8. Legal basis for processing of personal data
Whenever GBN processes your personal data, we do so on the basis of a lawful condition for processing. Processing of special categories of data is always justified on the basis of an additional lawful condition.
In the majority of cases, the processing of your personal data will be justified on one of the following bases.
- the processing is necessary for compliance with a legal obligation to which GBN is subject (for example, disclosing the information to HMRC, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record keeping requirements or health and safety obligations)
- where there is no legal obligation, we will process your data where the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract (for example collecting bank details to pay your salary or processing information to provide you with the contractual benefits you are entitled to)
- where the above 2 grounds at paragraphs do not apply, we may process your personal data where the processing is necessary for the legitimate interests pursued by GBN (being those purposes described in the section above), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (for example reviewing your performance at work)
- we will on occasion process your personal data for the purpose of legitimate interests pursued by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data
- in exceptional circumstances where we have no legitimate interest in processing, but you ask us to process data for a particular purpose we will occasionally carry out the processing on the basis of your consent (for example if you ask us to provide pay information to a bank for a mortgage application made by you). Where we rely on your consent, we will make this clear at the time
The special categories of personal data that may be processed by GBN are set out in this Data Privacy Notice. Where we process special categories of data it will be justified by a condition set out at above and also by one of the following additional conditions:
- the processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or GBN in the field of employment law, social security and social protection law, to the extent permissible under applicable laws
- the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws
- the processing is necessary to protect your vital interests or of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency)
- the processing is necessary for purposes authorised by applicable law. This includes, for example, monitoring of diversity statistics
- the processing is necessary for the establishment, exercise or defence of legal claims
- in exceptional circumstances the processing is carried out subject to your explicit consent (as explained below)
We will occasionally seek your consent to certain processing which is not otherwise justified under one of the above bases. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your employment to agree to any request for consent from GBN.
Personal data relating to criminal convictions and offences will only be processed where authorised by applicable laws. For example:
- a criminal record check or other relevant Background Check may be carried out on recruitment or transfer or intermittently where ongoing screening is required where authorised by applicable laws
- an allegation of a criminal offence or conviction arising during your relationship with GBN may be processed where required or authorised by applicable law
3.9. Retention of personal data
GBN endeavours to ensure that personal data are kept as current as possible, and that irrelevant or excessive data are deleted or made anonymous as soon as reasonably practicable.
GBN’s general approach is to only retain personal data for as long as is required to satisfy the purpose for which it was collected by us or provided by you. This will usually be the period of your employment/contract with us plus the length of any applicable statutory limitation period following your departure, although some data, such as pension information, may need to be kept for longer. We may keep some specific types of data, for example, tax records, for different periods of time, as required by applicable law. However, some personal data may be retained for varying time periods in order to comply with legal and regulatory obligations and for other legitimate business reasons.
3.10. Disclosures of personal data
Within GBN, your personal data can be accessed by or will be disclosed internally on a need-to-know basis to.
- Human Resources, including managers and team members
- local, regional and executive management responsible for managing or making decisions in connection with your relationship with GBN or when involved in an HR process concerning your relationship with GBN (including, without limitation, staff from Compliance, Legal, Employee Relations and Information Security)
- system administrators, and where necessary for the performance of specific tasks or system maintenance by staff in GBN teams such as the Finance and IT Department and the Global HR information systems support team
Certain basic personal data, such as your name, location, job title, contact information, employee number and any published skills and experience profile may also be accessible to other employees. The security measures in place within GBN to protect your data are set out below.
Your personal data will be accessed by third parties whom we work together with (including their associated companies and sub-contractors) for providing us with services, such as hosting, supporting and maintaining the framework of our HR information systems.
Personal data will also be shared with certain interconnecting systems such as local payroll and benefits systems. Data contained in such systems may be accessible by providers of those systems, their associated companies and sub-contractors.
Examples of third parties with whom your data will be shared include tax authorities, regulatory authorities, GBN’s insurers, bankers, IT administrators, lawyers, auditors, investors, consultants and other professional advisors, payroll providers, and administrators of GBN’s benefits programs. GBN expects such third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security.
Where these third parties act as a “data processor” (for example a payroll provider) they carry out their tasks on our behalf and upon our instructions for the above-mentioned purposes. In this case your personal data will only be disclosed to these parties to the extent necessary to provide the required services.
In addition, we may share personal data with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
3.11. Security of personal data
GBN is committed to protecting the security of the personal data you share with us. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk. GBN uses a variety of technical and organisational methods to secure your personal data in accordance with applicable laws.
If you are in possession of personal data of any kind (for example data collected in emails, address books, Excel spreadsheets or contained in curricula vitae or elsewhere) you must ensure that the data are kept in a safe place where unauthorised access cannot occur. Where data is retained in hard copy, storage in a locked drawer or cabinet, accessible only to authorised individuals, is generally the most effective means of securing the data. Where data is kept in electronic form, appropriate password protection and appropriately secured areas should be used. You must comply with the security obligations contained in GBN’s policies relating to IT and internet usage that may be in place from time to time, as well as in any other policies or procedures communicated to you.
You should not create, copy or export personal data relating to any other person outside of official storage locations and systems except where necessary for a specific authorised and lawful purpose under this Data Privacy Notice. In this event appropriate measures must be taken to protect the confidentiality and integrity of the data during the processing. Once the relevant processing is complete, steps should be taken to store or return the relevant data within the official storage locations/systems with all less formally held records (e.g. local folders, hard copies, emails saved outside of formal manged folders) securely erased.
3.12. Your rights as a data subject
Right to access, correct and delete your personal data
GBN aims to ensure that all personal data are correct. You also have a responsibility to ensure that changes in personal circumstances (for example, change of address and bank accounts) are notified to GBN so that we can ensure that your data is up-to-date.
You have the right to request access to any of your personal data that GBN may hold, and to request correction of any inaccurate data relating to you. You furthermore have the right to request deletion of any irrelevant data we hold about you.
To correct/ update certain information, you will need to contact local Human Resources team or the data protection lead.
Data portability
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have the right to receive all such personal data which you have provided to GBN in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
Right to restriction of processing
You have the right to restrict our processing of your personal data where:
- you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy
- where the processing is unlawful, but you do not want us to erase the data
- where we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defence of legal claims
- where you have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether GBN has compelling legitimate grounds to continue processing
Where personal data is subjected to restriction in this way, we will only process it with your consent or for the establishment, exercise, or defence of legal claims.
Right to withdraw consent
Where we have relied on your consent to process particular information and you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by:
- in some cases, deleting the relevant data from the relevant HR system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our data retention policy)
- contacting your local Human Resources contact. It will only however be rarely that we rely on your consent to process personal data for your employment or engagement
Right to object to processing justified on legitimate interest grounds
Where we are relying upon legitimate interest to process data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
Right to complain
You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes applicable law. For further information regarding your rights, or to exercise any of your rights, please contact Scott Walker scott.walker@gbnuclear.gov.uk (Data Protection Officer).
3.13. Additional data privacy notices
We may undertake certain processing of personal data which are subject to additional Data Privacy Notices and we shall bring these to your attention where they engage.
3.14. Notice of changes
GBN may change or update this Data Privacy Notice at any time. Should we change our approach to data protection, you will be informed of these changes or made aware that we have updated the Data Privacy Notice so that you know which information we process and how we use this information.
Signed by:
Peter Welch
Corporate Services Director