Privacy Hero

Privacy Policy

This notice was last updated on 24th January 2024.

The notice will be reviewed on an annual basis or when a change in legislation and/or practices dictates and any changes will be notified to you by posting an updated version on our websites and/or by contacting you via email.

We recommend that you regularly check for changes and review this policy when visiting our websites.

1.  Who are we?

Commercial Services Group (CSG) is one of the largest, local authority owned, trading organisations of its kind in the UK.
Since its inception over 90 years ago as the supplies division of Kent County Council, it has grown organically to become one of the leading suppliers of products and services to the education and public sector, serving over 15,000 customers in 85+ countries.
CSG is the umbrella for all its trading brands, it provides the support, dependability, and security to allow all brands to thrive independently. CSG are committed to providing an excellent customer and user experience underpinned by social value and a committed and empowered workforce.

HR Connect, EmploymentCheck, Staff Care Services and Kent-Teach are trading styles of Commercial Services Kent Ltd (Reg No. 5858177), part of Commercial Services Group, companies wholly owned by Kent County Council and registered in England and Wales.

CSG collects, uses and processes personal information about you. When we do, we are regulated under the UK Data Protection Act 2018 (DPA 2018) and the EU General Data Protection Regulation (GDPR) which applies across the European Union. Depending on the service provided we are responsible as either a ‘controller’ or ‘processor’ of that personal information for the purposes of those laws.

If you have any questions, suggestions or complaints about the processing of your personal information please contact our Data Protection Officer (DPO) via email at DPO@csltd.org.uk

We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all our customers and their employees and other people with whom we interact in the course of undertaking our services.  This Privacy Notice offers both our customers and their employees with meaningful and accessible guidance on our approach to handling personal data.

2.  Our Services

We offer a number of HR Connect services including:

•    HR Delivery – including administration and issuing of employment contracts.
•    HR Helpline – an online and telephone advice service offering support and guidance on staffing matters relating to terms and conditions.
•    HR Advisory Services – providing specialist advice regarding HR and employment matters such as sickness absence and disciplinary issues alongside bespoke work such as investigations and mediation services.
•    Payroll Services – a comprehensive payroll service including processing staff payroll and addressing individual queries.
•    Occupational Health Services – including fitness for work assessments, work place assessments, ill health retirement assessments, vaccinations.
•    Support Line Services – Counselling, Workplace Mediation, Return to Work Coaching.
•    An online and telephone advice service offering support and guidance on staffing matters relating to health and work to support compliance with The Equality Act.
•    Workplace Wellbeing Services - a range of consultancy and training services designed to support workplace wellbeing. This service includes: The Pulse - a staff and organisational survey, data analysis and insight reporting and Mental Health First Aid Training - a fully accredited mental health education and awareness course.
•    Training – providing learning and development opportunities to individuals, groups and communities through our open course calendar, bespoke initiatives and personal development tools.
•    EmploymentCheck – an online system for Disclosure and Barring Services (DBS), Disclosure Scotland and reference checks.

In providing a service to our customers, it will be necessary for HR Connect to gather, obtain, record and hold your personal information.

3.  About the information we collect, use and retain

The section below summarises the information we collect, use and retain for our services, how and why we do so, how we use it and with whom it may be shared.

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

4.  The personal information we collect and use

The table below summarises the information we collect, use and retain for our services, how and why we do so, how we use it and with whom it may be shared.

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

For information collected for the purposes of our sub-brand: Kent-Teach, please see their Privacy Notice which is accessible via their website:

The information we collect How we collect the information Lawful basis
Personal information: such as name, address, telephone number, email address, date of birth, national insurance number, identification documents. From the customer organisation. For the performance of a contract (Please note this may be in relation to your own contract of employment with your employer or in relation to our contract of service with your employer). Legitimate interests in offering employment practice advice and other services.
Special Categories of Data (also known as sensitive personal data): including protected characteristics (such as sex, age, ethnic group, health and disability information), and data relating to your opinions or trade union membership. From the customer organisation. For carrying out legal obligations or exercising specific rights in employment or social law. For occupational health assessment. Where it is necessary for the establishment, exercise or defence of legal claims or where the courts are acting in their judicial capacity. We use consent where it is appropriate for us to do so.
Employment information: such as, information relating to Disclosure and Barring Service checks, work history, start dates, hours worked, post holdings, grade and salary information, attendance records, qualification details, training records and details of your professional registration and any restrictions which may apply. From the customer organisation. For the performance of a contract (Please note this may be in relation to your own contract of employment with your employer or in relation to our contract of service with your employer). Legitimate interests in offering employment practice advice and other services.
Financial details: such as bank account details, payroll records, tax status information, pension and benefits information, details relating to statutory third-party payments i.e., court orders / attachment of earnings or voluntary payments. From the customer organisation. For the performance of a contract (Please note this may be in relation to your own contract of employment with your employer or in relation to our contract of service with your employer). Legitimate interests in offering employment practice advice and other services.
Other Personal data: such as information related to recruitment, management, performance and employment of staff (for example disciplinary / absence / ill health / capability / performance management / grievance / investigation records) . From the customer organisation. For the performance of a contract (Please note this may be in relation to your own contract of employment with your employer or in relation to our contract of service with your employer). Legitimate interests in offering employment practice advice and other services.
Management information: such as information related to recruitment, management, performance and employment of staff (for example disciplinary / absence / ill health / capability / performance management / grievance / management investigation records). From the customer organisation. For the performance of a contract (Please note this may be in relation to your own contract of employment with your employer or in relation to our contract of service with your employer). Legitimate interests in offering employment practice advice and other services.

 

 

 



We may obtain other personal data from third parties with whom we liaise in providing a service to our Customers (e.g. HMRC / LGPS / Teachers’ Pension Scheme / Disclosure and Barring Service / Legal Advisers / Parents/Guardians /Service Users), or by a representative acting on your behalf (trade union representative / solicitor).

We may also obtain sensitive personal data from third parties, with your consent and in compliance with legislation and professional guidelines, with whom we liaise in providing a service to your Employer e.g. your GP, Medical specialist, or by a representative acting on your behalf e.g. appointed advocate / solicitor.

Further details on how we handle personal information are set out in our Data Protection Policy and Policy statement on the secure storage, handling, use, retention and disposal of disclosure information.

Other than stated above, we will share personal information with law enforcement, our regulators or other authorities if required by applicable law.

As there is a statutory and contractual basis for collecting your personal data if you do not provide some or all of the details specified in the ‘The personal information we collect and use’ section, we may be unable to enter into a contract with your organisation.

5.  How we use your information to make automated decisions

An automated decision is where an electronic system makes a decision using personal information without human intervention (e.g.monitoring your online activities and emails or events which trigger actions such as your sickness absence triggering our capability policy).  This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know.  These automated decisions can affect the services we may offer you now or in the future.

Automated decision making is allowed in the following circumstances:

  1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
  2. Where it is necessary to fulfil our contractual obligations and requirements  and appropriate measures are in place to safeguard your rights.
  3. In limited circumstances, with your explicit consent and where appropriate measures are in place to safeguard your rights.

If an automated decision is made, based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must put in place appropriate measures to safeguard your rights.


6.  How long your personal data will be retained

We will not keep your information for longer than is necessary, for either:

•    the purpose of administering your individual staff record;
•    or as is necessary in providing a service to our customer;
•    or as required bylaw.

Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

7.  Who we share your personal information with

Other than our customer we may share your personal or sensitive personal data with the following:

•    Representatives of recognised trade unions and professional associations or workplace colleagues identified by you to support in employment matters.
•    HM Revenue and Customs, Department for Work and Pensions, Local Government Pension Scheme and Teachers Pension Scheme.
•    Cabinet Office –National Fraud Initiative, for the purposes of assisting the prevention and detection of fraud under a legal obligation.
•    Third parties engaged by the customer for the provision of identified services – i.e.Occupational Health Providers / Legal Advisors.
•    Third Party organisations - where you have instructed us to make payments / contributions from your salary or where we are advised directly to make deductions from your salary.
•    Local Authority Safeguarding Team/Local Authority Designated Officer (LADO) for the purposes of safeguarding children and young people.
•    Professional regulatory authorities such as the Teaching Regulation Agency.
•    Law enforcement, our regulators or other authorities if required by applicable law.

We will also share your personal information with third parties where it is necessary to administer our working relationship with you or where we have another legitimate interest in doing so (providing this is not overridden by your interests).

Customer information may be shared within Kent Hold Co. Ltd. Group (ultimate holding company for CSG) under a Data Sharing Agreement. The Agreement reflects the requirements of the UK GDPR and DPA 2018. Where a customer organisation purchases multiple services from within the Group the following information may be shared where this is required to deliver the services: title, name, email address / contact details, employee number, job title, products/services consumed.

We may also need to share some of the categories of personal information with other parties where a transfer of the business takes place. Usually, information will be anonymised or pseudonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations and legally binding data sharing agreements.

Access to data is only granted where authorised by our ICT supplier and specifically required in line with our contract with them. System data is hosted within the UK by an ISO 27001 accredited supplier and supplier information security standards meet DBS requirements.

8.  Where information may be retained

Information may be retained at our offices and those of our service providers, representatives and agents as described above.
Some of the personal information you provide to us may be transferred to countries outside of the UK, or the EU/EEA. Where this occurs, CSG will make restricted transfer under UK “adequacy regulations” to protect individuals rights and freedoms for their personal data.

Where the UK has no “adequacy regulations” then the restricted transfer will be subject to appropriate safeguards whereby standard contractual clauses have been entered into with the organisation receiving the data.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK or the European Economic Area (EEA). 

9.  Reliance on UK exemptions from the GDPR

We may use information in reliance on the exemptions under the DPA 2018 where allowed e.g. where a claim to legal professional privilege would apply, in relation to the provision of confidential references or for the purposes of management forecasting (to the extent that such forecasting would be prejudiced by advance notification). 

10.  Your Rights

Under the DPA 2018 you have a number of rights which you can access free of charge which allow you to:

•    Know what we are doing with your information and why we are doing it.
•    Ask to see what information we hold about you.
•    Ask us to correct any mistakes in the information we hold about you.
•    Object to direct marketing.
•    Make a complaint to the Information Commissioners Office.

Depending on our reason for using your information you may also be entitled to:

•    Ask us to delete information we hold about you.
•    Have your information transferred electronically to yourself or to another organisation.
•    Object to decisions being made that significantly affect you.
•    Object to how we are using your information.
•    Stop us using your information in certain ways.

We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties.
Please note: your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioners Office (ICO) on individuals’ rights under the UK General Data Protection Regulation https://ico.org.uk/

If you would like to exercise a right, please contact our DPO via email at dpo@csltd.org.uk or write to Data Protection Officer, Commercial Services Group, 1 Abbey Wood Road,King Hill, West Malling, ME19 4YT.

11.  Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and the ICO as regulator of any suspected data security breach where we are legally required to do so.

12.  Who to Contact

If you have any questions, suggestions or complaints about the processing of your personal information, or you wish to exercise any of your rights please contact our Data Protection Officer (DPO) via email at DPO@csltd.org.uk or in writing by using the address below;

Data Protection Officer
Commercial Services Group
1 Abbey Wood Road
Kings Hill
West Malling
ME19 4YT.

The UK General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk or telephone 0303 123 1113.

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

 

Sign up for our newsletter