Privacy policy – employees

Our Privacy Policy applies to personal data collected and used by the Blind Veterans UK Group. Under UK data protection law and regulation, we are a ‘data controller’ and are registered as such with the Information Commissioner’s Office (Registration Number: Z6040633).

Since 1915, the Blind Veterans UK Group has held to the belief that no-one who has served our country should battle blindness alone. That's why we're here to help with lifelong practical and emotional support for blind veterans, regardless of when they served or how they lost their sight. We help veterans recover their independence and discover a life beyond sight loss and we can also provide our specialist vision rehabilitation support to individuals affected by war-like activity, including terrorism.

References to "Blind Veterans UK Group", ‘the charity’, “our’, ‘us’ and "we" mean Blind Veterans UK registered charity 216227 in England and Wales and SCO39411 in Scotland.

This also includes: our wholly owned subsidiary charitable trading company, Four Seasons NWMC Housing Limited (registered company No. 01882050); managing our properties and tenants. The St Dunstan’s Retirement Benefits Plan (1973). For the purposes of the pension scheme we are Joint Controllers with St Dunstan’s Retirement Benefits Plan (1973).

What we need to collect

We need to collect and use (process) personal data about our current and former employees and pensioners to allow us to provide employment support, pension services and to fulfil our contractual requirements and to comply with any mandatory legal obligations arising from employment and social welfare legislation.

For data to be considered ‘personal’ it must relate to an identified or identifiable individual. An individual can be identifiable either directly or indirectly. What specific data is used is important, especially as not all data is of equal significance. The more unique a piece of data relates to an individual, the easier it is to identify that individual. An individual is directly identifiable when using common identifiers such as a name, an address, or an assigned email address. Directly identifiable data now includes digital information, such as online identifiers or an IP address which can be related to an individual. An individual can be indirectly identifiable due to association with unique or uncommon personal data, an example is a unique job title within a workplace. If there is only one individual with a specific job title, that individual is indirectly identifiable by that job title. Where we use data that is insufficient to identify an individual this is not considered use of personal data within UK law. If identifiable data is used but the use does not specifically relate to an individual, then this processing is also not considered as making use of personal data. For example, a work email that refers to a work activity, despite the use of an employee’s name within the email’s footer (identifiable data) because the email is related to work the use of the identifiable data is not personal as it does not relate to the sender or receiver of the email but relates to the work activity.

As an applicant, employee and subsequently as a former staff pensioner, we will process personal data in order to set up and maintain a contract of employment while also meeting our legal obligations and pursuing our legitimate interests as your employer e.g. your performance management while you are employed by us. This also includes administering the payment of pensions under the St Dunstan’s Retirement Benefits Plan (1973). The minimum personal data necessary will include:

• Name.
• Contact Details (Postal address, telephone/mobile number, email address).
• An employee’s next of Kin contact details in case of emergency.
• Date of Birth.
• Gender (as recorded at birth for UK taxation purposes).
• Your national insurance number.
• Driving licence and or passport details (where necessary valid visa documentation for work entitlement purposes).
• Bank account details, salary, tax, pension status, pension entitlement and incurred expenses details.
• Learning, development and performance details.
• Your image, when captured on a CCTV system,
• Photographs and biographic details (where necessary) e.g. for an staff ID card.
• Profession and job title.
• Confidential references.

If as an applicant or employee a role will include care duties/functions and or other direct engagement with our beneficiary members it will be necessary for us to complete a Criminal Records Check (Disclosure and Baring Service or Disclosure Scotland) to assist us with the making of safer employee recruitment decisions. The processing of this criminal records data for this purpose is permissible under part 3 of Schedule 1 of DPA 2018. In addition to the above personal data the following may also be processed.

• DBS / DS Reference number, type of disclosure, date of issue (see section 6).
• Place of birth.
• Nationality.

Evidence of an employee’s nationality and identity will need to be validated by inspection of a range of your personal documents, examples include, driving licence, marriage or civil partnership certificate, a passport and official letters (as evidence of address). Copies of these documents for this processing purpose will not be retained.

We will be very clear when we wish to collect such personal data, we will provide our reason for collecting it and we will only do so when we have a lawful basis for processing the personal data we seek to collect.

Special Category data. UK data protection law and regulation recognises certain personal data as ‘special category’ data as being particularly sensitive. This includes; racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, certain biometric data, data concerning health or a person's sex life or sexual orientation. Sometimes we may need to collect or may indirectly obtain such data. For example:

• Health details (e.g. pre-existing health conditions, occupational health or ill health early retirement), where we need to make reasonable adjustments for your safe and productive employment or appropriate pension payments.
• Race or ethnic origin, for the purpose of, for example, equal opportunities monitoring or when confirming eligibility to work in the UK.
• You may reveal some of this personal or special category data if, you share photos, or contribute to our Review magazine, use our website or social media channels.

If you freely provide, either at our request or voluntarily, any ‘special category’ sensitive personal data necessary for the employment (or volunteering relationship), you explicitly agree that we may collect and use it for this specific purpose and in accordance with this Privacy Policy.

Criminal Offence data. If an applicant’s or employee’s role will include face to face engagement with a Blind Veterans UK Group beneficiary, it is a legal requirement for us to complete a higher-level check known as an enhanced DBS Criminal Records Check from the Disclosure and Baring Service or Disclosure Scotland to assist us with the making of safer employee recruitment decisions. This is in addition to the above personal data. The processing of this criminal offence data for this purpose is permissible under DPA 2018, Schedule 1, Part 3 (See: Section 6 for more details).

The accuracy of personal data we hold is really important to us. If it is necessary to make an update or correction to any personal data we hold, some of this can be completed by an individual on a self-service basis using CoreHR. If the personal data needing to be updated or corrected is not held on this platform or is behind behind an access permission restriction please contact your Line Manager, an HR representative or the Payroll and Pension administration office using the contact details in Section 9 of this policy.

Data collected and processed on behalf of a controller

Blind Veterans UK if contracted to do so will provide business support services to other charities within the Blind Veterans UK Group. When providing these services, such as HR, Finance and IT support, Blind Veterans UK will be operating as a data processor. The requesting Group charity will be the controller and will retain full determination of the purposes of any processing activity. Blind Veterans UK will be processing personal data acting only on the instructions of and on behalf of the controller.

Why we need it

We need an individual’s personal data in order to perform functions such as:

• To comply with the law. To comply with the law as a data controller and employer there are data processing purposes which must be completed. These include but are not limited to company, charity, employment, social security, social welfare and data protection law. E.g Confirming an individual's eligibility to work in the UK. Personal data collected specifically for these specific purposes cannot be further processed for a secondary purpose without additional consultation.
• To manage a contract of employment. As part of the recruitment process and to confirm necessary security vetting, references and to administer other pre-contractual requirements. To administer working hours, holidays and absences, pay, pension and tax. To administer benefits under the St Dunstan’s Retirement Benefits Plan (1973) if enrolled.
• Provide performance review, learning and development. To develop employee’s skills and knowledge within a chosen profession and career path. To manage job performance and to promote and improve employee effectiveness.
• Communicate with applicants and employee’s. To maintain two-way communications with applicants and employees about recruitment, employment and pension matters in an appropriate way and to provide specific services, updates, newsletters, feedback and information. To assist with technical problems related to our services.
• To improve our services and administration. To ensure the most efficient and appropriate use of the resources we have.
• To conduct work activities. Blind Veterans UK provides Microsoft Teams and the Microsoft OneDrive platform to allow employees to record and retain temporary copies of online calls/meetings for a period of 120 days when there is a practical and recognised need to do so. This resource is not used as a default process to record all meetings. When a Microsoft Teams meeting is recorded, it is automatically saved to the meeting organiser’s OneDrive after the meeting. All participants to a meeting have access permission to view the recording by default, only the organiser can authorise additional viewing permissions.    

• Blind Veterans UK remains responsible for personal data within a Microsoft Teams meeting recording and will ensure it is kept securely when held within our MS 365 environment. The ability to record a Microsoft Teams meeting is to be limited for the following purposes: 

• To enable the accurate production of meeting minutes, once minutes are prepared and signed off a recording is to be deleted by the recording owner.

• For reasons of reasonable adjustment for users that have a recognised and recorded additional need. (e.g. 1-2-1’s or a team meeting) 

Note: The covert recording of an internal Teams meeting without the knowledge of participants using an alternative method, software or a independent device will be treated as an internal disciplinary matter and in some circumstances could constitute a criminal offence under the Computer Misuse Act 1990. 

We collect personal data in a variety of ways. We collect personal data you provide directly to us as well as data we collect indirectly available from other sources, such as an employment referee or from Government departments such as HMRC.

Directly from Individuals

Individuals will give us personal data directly during the recruitment process and subsequently when establishing and enabling a contract of employment, should an offer be made. Personal data will also be collected directly to manage mandatory and charity development and training requirements of new and continuing employees. Additionally, if an applicant or employee were to use our websites or our mobile apps, sign up for an event, make a donation, purchase merchandise from our on-line shop or instigate communication with us personal data will be collected directly to manage these purposes.

Indirectly from other sources

We may obtain personal data indirectly when an individual gives consent to other third parties to share it, we can also collect personal data indirectly when it is publicly available:

• Third party organisations or individuals. We may obtain data from third parties if an individual has agreed they can share personal data with us or we can approach them to ask for it. For example a recruitment agency, a referee, a professional body, a qualification organisation or the Disclosure and Barring Service. We will also obtain personal data indirectly from official sources as part of our employee on-boarding requirements, examples include HMRC for tax purposes or for paying appropriate pensions such as the (St Dunstan’s Retirement Benefits Plan) or Aviva
• Digital, Online and Social media. Like many charities, personal data is collected through use of our website and mobile apps, we may also collect details about an individual's browser version, an IP address, what computer operating system is being used. This data will aid us to improve the services we offer. Depending on individual settings or the privacy policies for social media and messaging services like LinkedIn, Facebook or Twitter, individuals may enable organisations to access personal data from those accounts or services.
• Publicly available sources. Public information may include data from places such as Companies House, the electoral register and information that has been published in articles / newspapers / social media, e.g. LinkedIn for recruitment purposes. Another example is our use of the Post Office’s National Change of Address database, that allows us to keep elements of your personal information up to date.
• Recruitment Process. The Blind Veterans’ UK Group’s recruitment process is managed by a third-party provider (Webrecruit) accessed by link via interaction with the Blind Veterans UK website. The process is seamless, an applicant may not realise they have been redirected to a third-party site during the process. 
• The Webrecruit portal requires an applicant to create a user profile and to sign-in to commence an application. The account is necessary for administrative and security purposes and also allows an individual to complete a recruitment application over a period of time, not requiring an application to be completed in a single session. All personal data collected during the application process is necessary and only the minimum required is be collected. This will include special category data for equalities monitoring and a health declaration, these monitoring documents are required to be completed by law but do not form part of the selection process. These documents will not be seen by the recruitment team responsible for the role. However, if an applicant requests a reasonable adjustment to the application process, details of the changes necessary will need to be shared with the recruitment decision makers to facilitate the required changes. When an application is completed the Blind Veterans’ UK recruitment team is able to securely access and download materials from the Webrecruit site. Note that all upload to and downloads from the portal are end to end encrypted.
• An applicant has full control to delete an uncompleted application and can close the recruitment account. A completed or submitted application can be withdrawn on request by contacting the Blind Veterans HR dept. (See contact details in Section 9). Copies of un-successful applications are retained for a period of six months. Any data collected as part of a successful application is transferred to CoreHR the charity’s HR and payroll platform as part of the onboarding process.

UK data protection law requires us to have a lawful basis for processing personal data. We may use different lawful bases for different purposes of use for the personal data we use. For example any data shared between us and HMRC will use the lawful basis of legal obligation. The lawful basis we use include:

• To protect the vital interests of an individual or another person. If we believe that the safety and or security of an individual or a third party is at imminent risk of harm, UK law allows a controller to use known personal data specifically to minimise this harm to protect life. We acknowledge we have a duty to protect individuals and this is a lawful basis permitting us to process personal data in these specific circumstances which will only be used when necessary.
• To comply with a legal obligation. We will process personal data where we are required to comply with UK social security or social protection law, such as taxation, Health and Safety, or Employment law or if a role requires a mandatory criminal record check. We will process an individual’s personal data to comply with HMRC requirements or if needed to comply with a UK court order, or when engaging with a regulatory authority such as the Information Commissioner’s office, (ICO).
• In performance of a contract (or pre-contract). To fulfil the requirements of a preliminary contract, or contract of employment we are processing. The use of personal data during the recruitment process will require multiple purposes of use, e.g. to confirm eligibility and suitability for employment through checks such as references, copies of qualification certificates, a DBS, evidence of eligibility to work in the UK, confirmation of a valid driving licence; the tracking of work hours, leave and absences; administering pay and charity assets such as laptops and mobile phones; compliance with policies and procedures, managing health and safety; occupational health assessment.
• Where we as a charity have a legitimate interest. Where we have a legitimate interest, we must ensure that we are not harming an individual’s interests or interfering with their rights, we will only use personal data in a manner that an individual would reasonably expect us to. For example, we need to administer an employee’s pension scheme; we need to be able to contact employees for work purposes; we need to be able to track our physical assets such as issued equipment and our non-physical assets using mobile information systems and data tracking; to understand any health issues (such as disability) to allow us to make reasonable adjustments under Equality law.
• For example, we use the lawful basis of legitimate interest to conduct and record internal Teams meetings. The use of Microsoft Teams has enabled meetings to be conducted remotely but the purpose of a meeting remains the same as a face-to-face meeting in a physical location, to discuss work and work activity. The conducting and occasional recording of an internal Teams meeting for the specific purposes and has been determined as a reasonable expectation of the modern workplace. Blind Veterans UK has provided an option for employees that wish not to have their image recorded on a Teams meeting to turn their camera off as the processing of their imagine is not essential for participation and the purpose of a meeting. 

• Note: Internal Teams meeting recordings are not to be shared with additional 3rd parties. Blind Veterans UK will not share Microsoft Teams meeting recordings with an external 3rd party without your knowledge and consent (subject to a lawful exemption) as this would represent an additional purpose of use of the meeting recording.  

• Where consent has been given for specific purpose(s). Where we need consent, it will be clearly identifiable as a request for consent for a specific purpose. This may include marketing material sent via e-mail or SMS or to provide individuals with a product, service or information that may have been requested or opted into.
  Individuals are able to withdraw their consent at any time by contacting us. It is to be noted if an individual chooses this action it may affect our continuing relationship as some services may no longer be able to be supplied if consent to process personal data is withdrawn.
• Special category. Where we process ‘special category’ personal information (such as physical or mental health conditions) we will ensure we do so in accordance with a lawful basis under Art. 6 and the additional “exception” condition for processing special category data under Art. 9 of the UK-GDPR. An example is Art. 9(2)(b) where the law allows special category personal data to be processed for the purposes of “employment, social security and social protection law”.

How we protect personal data

We ensure that there are reasonable and appropriate technical and organisational controls in place to protect personal data. This applies to unauthorised or unlawful processing, against accidental loss, corruption, destruction or damage. If we believe if it is likely processing will pose a risk of harm to individuals we will complete a risk assessment process known as a DPIA to identify and minimise these risks. For example, our IT architecture is actively protected and routinely monitored. We have policies and procedures in place which staff and volunteers are expected to comply with and for which they receive training. A data back-up and recovery process to prevent permanent loss of personal data in the event of corruption, damage or accidental loss, is in place across our IT network.

• Online security. The Blind Veterans UK Group will ensure that when collecting personal data over the internet that this is done securely. Our online forms are always encrypted in transit, and our network is protected and routinely monitored. Our Microsoft 365 network enables us to send point to point encrypted emails. If making use of a credit or debit card to donate to us, buy something or make a booking online, we pass the card details securely to our payment processing partners. We are Payment Card Industry (PCI) Data Security Standard (DSS) compliant (for more information go to: https://www.pcisecuritystandards.org/pci_security/ and use external compliant providers to collect this data on our behalf. We and our partners use TLS (Transport Level Security) to encrypt data sent between you and us or our partners. We do not use cookies to store this type of data nor do we store credit or debit card details following completion of a transaction. To protect any sensitive data sent to us, please ensure that you use devices running supported operating systems that are regularly updated / patched and has anti-virus and anti-malware protection. Only connect business (or personal) devices to networks that are trustworthy. For example, do not connect to free public open (unsecured) Wi-Fi hotspots unless the device is protected with VPN software). We cannot guarantee the security of data disclosed or transmitted over public / open networks
• Password security. Where we have given Where we have provided an individual (or where an individual has chosen) a password which enables you to access certain parts of our IT systems, sites and applications individuals are responsible for keeping the password confidential. . The password is not to be shared with anyone else. You will never be asked to provide or share a password by any of our IT or support staff, a device user may be asked to enter their password. If you are asked, politely decline and report the request.
• Third party website links. Our website and apps may include links to other third-party websites, not owned or managed by Blind Veterans UK. Whilst we try our best to only link to reputable websites we cannot be held responsible for the privacy of personal data collected by sites not managed by the Blind Veterans UK Group, nor can we accept responsibility or liability for the implications of an individual visiting a site we provide a link to. For this reason, we suggest any site visitor should consult the privacy policy of any external website linked to before submitting any personal data.

Everyone should be aware that the use of the Internet is not entirely secure and although we will do our best to protect personal data we cannot guarantee the security or integrity of any personal data which is transferred to us across the Internet. Any transmission is to be considered at an individual’s own risk.

Managing access and sharing of personal data

We undertake reviews of who has access to the personal data we hold to ensure that personal data is accessible only by necessary and appropriately trained employees and trusted third parties that possess a business need to do so. We require all third parties that process personal data on our behalf to have appropriate and technical and organisational measures in place to protect personal data to the same standard that we apply ourselves. If we share personal data with a third party or require an individual to directly provide personal data with a third party working on our behalf, the data will be secure to the best of our knowledge.

At the Blind Veterans UK Group, we treat all employment references, either received by us or provided to others by us, as confidential references. Confidentiality is applied to references because knowing the content will not be shared with the individual to which it refers or with a third party allows a referee to provide a candid reference. This is important to us as a charity, as we have a particular focus on safeguarding potentially vulnerable beneficiaries. Confidential references allow us to make good recruitment decisions and prevent applicants who may have a detrimental effect on our charitable activities and beneficiaries from joining us. The UK’s Data Protection Act 2018 includes an exemption for confidential references, the content of a confidential reference whether provided or received is exempted from the right of access and will not be shared.

There are circumstances when we may be compelled by law to disclose personal data to third-parties as outlined above in section 4. We have limited or no control over how personal data it is processed by these parties, we therefore recommend that individuals consult the privacy policies of these third-parties. There are also circumstances when we will consider sharing personal data voluntarily, without consent but doing so for only specific reasons to remain within the law. These include but are not limited to the following:

• Where we believe a crime has been committed or,
• Where necessary to assist with the apprehension of an offender.
• Additionally, where we need to respond to an individual Right of Access Request (known as SAR). We may choose in some circumstances to share personal data without consent. If we choose to do this it is managed on a case-by-case basis and is limited to personal data being shared only if necessary and is reasonable to do so to ensure the information provided is accessible, concise and provided in an intelligible format.
• Solicitors acting within our interest, the UK courts.

We may in certain circumstances share personal data without an individual’s consent for the purpose of fulfilling our safeguarding responsibilities. This doesn’t happen often, but we may share an individual’s personal data:

• If we believe there is a serious risk to the public, to beneficiaries, our staff or to other professionals.
• To protect a vulnerable person, (child or adult) who we believe may be at risk, for example if they are frail, confused or cannot understand what is happening to them.

Occasions, other than by law, when we may share your data include:

• Where an individual has agreed that we may do so.
• When we use external service providers to collect or process personal data on our behalf, (a list of processors is included at the end of this policy).
• With our subsidiaries within the Blind Veterans UK Group.
• Where Blind Veterans UK is a party to a data sharing agreement between controllers for the benefit of the charity beneficiaries or where a wider social benefit exists.

If we receive a complaint about any inappropriate content which has been posted or transmitted to or from one of our sites, forums, social media pages or apps we may share personal data with an internet provider or law enforcement agencies, if a criminal act is suspected or is being investigated.

• To enforce or apply the terms of a contract or other agreements or if we believe that we need to protect the rights, property or personal safety of the Blind Veterans UK Group, employees, beneficiary members, supporters, visitors of our websites for lawful purposes.
• We may disclose aggregate statistics about our employees and pensioners to describe our charity to prospective supporters, partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics won’t include any personally identifying personal data without seeking consent.
• If we run an event in partnership with other named organisation(s) personal data may need to be shared to facilitate the administration of the event. If this is necessary, we will be very clear and provide details on the reasons and purposes of the need to share this personal data at registration. For example, we would need to share dietary requirements with a caterer.
• If we merge with, or diversify, forming a separate/new organisation with its own legal identity, information including personal data may be transferred to the new entity. (NB. If employees are transferred to the new entity, TUPE regulations apply)

We will never rent or sell personal data which is within our control. We will not share or swap it with other organisations for our or their own purposes or to make money out of personal data without additional specific consent.

Where we store personal data

Personal data provided to us whether in paper or electronic format will be stored securely and meet the requirements of this policy. Where we store personal data may differ depending on the purpose for which we are processing it for, as indicated above. The majority of personal data will be held within in our Microsoft 365 Cloud Environment or within a number of bespoke databases or specialist applications. Personal data may also be stored within a number of systems of trusted third party processors who process personal data on our behalf, (Details of these can be found in the third party processors list at the end of this document).

Cross-Border Transfers of Personal Data

As a data controller, we may on occasions require the services of a third-party processor. Not all of these processors will be based or will conduct processing within the UK, if a processor is based outside of the UK these cross-border (transfer) requirements will be applied. If this is required, we will conduct an appropriate mandatory international transfer risk assessment and put in to place appropriate “additional measures” to safeguard personal data and individual data rights. Controllers in the UK now have a choice of whether to use the UK’s IDTA (International Data Transfer Agreement) or use the EU’s updated Standard Contractual Clauses (SCC). If the later choice is selected this will also require the use of the international data transfer addendum to the EU’s SCCs. Note, if the required transfer is a one off or an infrequent occurrence we may ask for explicit consent to conduct the transfer.

The EU have recently agreed a data transfer agreement with the USA. The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, similar to the privacy shield. From 12 October 2023, organisations in the UK can start to transfer personal data to US organisations certified with the “UK Extension to the EU-US Data Privacy Framework”. However, this new framework is not an adequacy decision, it does not allow for the free transfer of personal data to the US. The operation of the framework has restrictions, e.g. it cannot be used by banking, insurance, and telecommunication organisations. Where the new framework cannot be used to transfer personal data to the US, Blind Veterans UK will continue to use either the SCCs or the UK’s IDTA. 

The UK has recognised some countries and all of the EEA states as possessing data protection “adequacy” for the purposes of data transfers to these countries. The UK Government has decided no additional safeguards are needed to conduct data transfers to the EEA as these states have equivalent standards of data protection as the UK-GDPR 2020.

The EU has recognised the UK as possessing data protection “adequacy” for the purposes of personal data transfers of EU subject’s personal data into the UK. No additional safeguards are needed as the UK has an equivalent level of protection to that guaranteed under EU law. (EU-GDPR 2016).

In cases when we use or link to external websites provided by other organisations such as Twitter or Facebook, we recommend an individual consults the privacy policies, of these 3rd party organisations to determine how personal data shared with these organisations will be processed.

The law requires we hold personal data for only as long as is necessary. This is to fulfil the purposes for which the data was collected and or our legitimate interests in order to comply with legal or regulatory rules and requirements.

At the Blind Veterans UK Group we manage the retention of personal data with the use of a Retention and Disposal Policy. The policy uses a 2-step process to determine how long we retain documents which may contain personal data. The criteria we use for this process is to identify the “Business Function” the document was used for, then to apply a “Purpose of Retention” (from the list below). Identifying the business function allows us to group similar documents together and assign corporate ownership to proactively manage data retention. Applying a retention purpose ensures we only retain personal data for a transparent period of time necessary to meet statutory, contractual or best practice requirements.

• Live data only…………..…………….………. 1 year
• Record(s) of Activity and or a Process………….. 3 years
• Evidence or Compliance………………………….. 6 years
• Governance Purposes……………………………. 7 year
• Legal (Pensions, Property, Safeguarding)…..… 12 years
• Permanent retention (subject to review)…….… (Life of charity)

The UK’s Data Protection Act 2018 prohibits a data controller from processing and retaining (an individual’s) criminal offence data. However, an exception within part 3 of Schedule 1 of the DPA 2018 allows a controller to process criminal offence data for the specific purposes of volunteer and employee recruitment. At Blind Veterans UK we will only process criminal offence data within a requested DBS/DS report as “live data” during the recruitment process. Once the recruitment process has been completed, will not retain a copy of the DBS/DS report or any of the criminal offence data from within the report. However, we will retain the following information as evidence of the completion of the DBS: (Note: this retained data is personal not criminal offence data)

• The date of issue of a disclosure
• The name of the subject
• The type of disclosure requested
• The position for which the disclosure was requested
• The unique reference number of the disclosure
• The details of the recruitment decision taken

While processing “Live” criminal offence data for this purpose, we will store this personal data separately and securely. It will not be kept with or on an applicant's application docunments. Access is strictly controlled and limited to only employess entitled to see it as part of their recruitment duties. DBS/DS content data will be securely destroyed after a period of six months (This allows for the resolution of any related disputes or complaints during the employment probationary period) ensuring this Live data is retained for only as long as is necessary.

When an individual’s employment with the Blind Veterans UK Group ends or is terminated, we will retain some basic personal data regarding the employment duration. This is to meet any legal or regulatory requirements or to protect our legitimate or legal interests. Examples include, for evidence purposes in the event of an employment dispute, confirmation of employment for referees, or to process any ongoing requirements such as a pension entitlement.

Where we have contracted with a 3rd party provider to process personal data on our behalf these organisations will also retain some basic personal data in order to meet their own legal requirements. For example, records of financial transactions. This data will only be retained for as long as is necessary but we recommend individuals to consult their privacy policies too.

CoreHR is the Blind Veterans UK Group’s HR, payroll (and recruitment) platform. CoreHR maintains a transactional backup archive of the HR and payroll system. This is for the purposes of data recovery in the event of data corruption or catastrophic data loss. The archive will include employee's personal data which is refreshed on a daily cycle to keep it up to date. The back-up data is retained for a rolling period of sixty nine days. If your employment ends or is terminated, your personal data will remain within this archive up to a maximum of 69 days until the next scheduled refresh date after which it will be deleted. This is a CoreHR managed archive, Blind Veterans UK Group’s employees do not have access to this back-up data. Access restrictions are in place to allow only CoreHR technical staff to process this personal data for the specific purpose of managing a data recovery requirement if it became necessary to do so.

Like most organisations, our website and apps use “cookies” and other tracking software to help us make our site and the way it is used more relevant to our stakeholders. We will not be able to personally identify an individual from the data gathered online and from our website visitors but it may help us improve our online services.

• Cookies allow a website to remember a visitor. Cookies are small text files that are transferred to a computer (or phone or tablet). They make interacting with a website faster and easier, for example by automatically filling in parts of an online form with a name and address in text fields or allowing the website to remember what is in a shopping basket. Please read our cookies policy for more information. Individuals can change their cookie preferences whenever they wish.
• When visiting our website or apps we may collect data about the type of device an individual is using. This might also include the user’s IP address and details of the operating system and certain device settings as well as diagnostic data.

The UK’s data protection legislation includes the UK-General Data Protection Regulations 2020 (UK-GDPR) and the Data Protection Act 2018, these two authorities are to be jointly considered as the authority of UK data protection law. This UK legislation gives everyone a number of very important rights. In abbreviated form these are:

• The right to be informed. Transparency over how we use personal data. The details provided within this Privacy Policy is as a consequence of this right.
• The right of access. Request confirmation of processing and to be provided with copies of personal data we hold about an individual
• The right of rectification. An individual can require a controller to update or amend personal data held if it is incomplete or inaccurate.
• The right to erase or ‘right to be forgotten'. This provides a qualified right to ask a controller to erase personal data from held records where there is no longer a compelling reason for its continued processing, subject to a number of conditions.
• The right to object. An individual may object to the processing of personal data for certain purposes (such as marketing, research, statistics or if an individual does not believe processing we are performing has a legitimate interest).
• The right to restrict processing. An individual can request a controller to temporarily stop/ supress the processing of personal data, subject to a number of conditions.
• The right to data portability. An individual can request a controller collects and enables the reuse of personal data for similar purposes with a different controller, subject to a number of conditions.
• Rights in relation to automated decision making and profiling.

To find out more about individual rights under data protection law see the Information Commissioner’s Office (ICO) website which also explains how to contact them.

Remember, an individual can exercise their rights in relation to their own personal data and are free to make changes to the way a controller can process personal data, an example of this is, communication preference. An individual has the right to withdraw their consent for us to process personal data, where processing is based on consent, but this action will on most occasions prevent us from being able to deliver services we offer.

If any stakeholder is not satisfied with our response or believes after engaging with us we are not processing personal data in accordance with the law and their individual rights, there is an option to complain directly to the Information Commissioner’s Office.

To raise any comments or ask any questions regarding this Privacy Policy or to discuss how we process personal data an individual is welcome to do so. As an employee, in the first instance, refer to an immediate Line Manager, Head of Department, or a director. Alternatively, the following individuals can be contacted:

Employees

Post: C/O HR department,
The Blind Veterans UK Group, 126 Fairlie Road, Slough, SL1 4PY
Phone: via on-line directory
Email: via on-line directory

St Dunstan’s Retirement Benefits Plan (1973) (deferred or current pensions)

Post: C/O Payroll & Pension Administration Office,
The Blind Veterans UK Group (St Dunstan’s Retirement Benefits Plan (1973),
The Blind Veterans UK Group, Greenways, Ovingdean, Brighton, BN2 7BS
Phone: 01273 391442
Email: payroll@blindveterans.org.uk

To enquire further about how personal data is processed, or to make an individual rights request, ask for information to be provided, or to raise a data protection related complaint, please contact our Data Protection Officer.

Post: Data Protection Officer
Blind Veterans UK, 126 Fairlie Road, Slough, SL1 4PY
Phone: 020 4534 1127 (direct dial)
Email: dpo@blindveterans.org.uk

Appendix 1: List of data Processors