Introduction
STitC collects and processes personal information, or personal data, relating to its employees, workers
and contractors to manage the working relationship. This personal information may be held by STitC on
paper or in electronic format.
STitC is committed to being transparent about how it handles your personal information, to protecting the privacy
and security of your personal information and to meeting its data protection obligations under the General Data
Protection Regulation (GDPR) and the Data Protection Act 2018. The purpose of this privacy notice is to make
you aware of how and why STitC will collect and use your personal information both during and after your working
relationship with STitC. STitC are required under the GDPR to notify you of the information contained in this privacy
notice.
This privacy notice applies to all current and former employees, workers, volunteers and contractors. It
is non-contractual and does not form part of any employment contract, casual worker agreement,
consultancy agreement or any other contract for services.


Person with responsibility for data protection
STitC has appointed a person with responsibility for data protection compliance within the business and
to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or
about how STitC handle your personal information, please contact them on the details below:
Name Vicky Martin
Job Title Business Administrator
Telephone Contact 01743 289177 opt 6
Email [email protected]
Postal Address Montgomery Waters Meadow, Oteley Road, Shrewsbury, SY2 6ST


The Data Protection Principles
Under the GDPR, there are six data protection principles that STitC must comply with. These provide
that the personal information STitC hold about you must be:
1. Processed lawfully, fairly and in a transparent manner.
2. Collected only for legitimate purposes that have been clearly explained to you and not further processed in a
way that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to those purposes.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form which permits your identification for no longer than is necessary for those purposes.
6. Processed in a way that ensures appropriate security of the data.
STitC is responsible for, and must be able to demonstrate compliance with, these data protection
principles. This is called the Principle of Accountability.
Shrewsbury Town in the Community GDPR Privacy Notice for Staff © STitC
Last Reviewed & Updated in May 2021
GDPR Privacy Notice for Staff | Page 2 of 7


What types of personal information do STitC collect about you?
Personal information is any information about an individual from which that person can be directly or indirectly
identified. It doesn’t include anonymised data i.e. where all identifying particulars have been removed. There are
also special categories of personal information, and personal information on criminal convictions and offences,
which requires a higher level of protection because it is of a more sensitive nature. The special categories of personal
information comprise information about an individual’s racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
STitC collects, uses and processes a range of personal information about you. This includes (as
applicable):
 Your contact details, including your name, address, telephone number and personal e-mail address
 Your emergency contact details/next of kin
 Your date of birth
 Your gender
 Your marital status and dependants
 The start and end dates of your employment or engagement
 Recruitment records, including personal information included in a CV, any application form, cover letter,
interview notes, references, copies of proof of right to work in the UK documentation, copies of qualification
certificates, copy of driving licence and other background check documentation
 The terms and conditions of your employment or engagement (including your job title and working hours), as
set out in a job offer letter, employment contract, written statement of employment particulars, casual worker
agreement, consultancy agreement, pay review and bonus letters, statements of changes to employment or
engagement terms and related correspondence
 Details of your skills, qualifications, experience and work history, both with previous employers and with STitC
 Your professional memberships
 Your salary, entitlement to benefits and pension information
 Your National Insurance number
 Your bank account details, payroll records, tax code and tax status information
 Any disciplinary, grievance and capability records, including investigation reports, collated evidence, minutes of
hearings and appeal hearings, warning letters, performance improvement plans and related correspondence
 Appraisals, including appraisal forms, performance reviews and ratings, targets and objectives set
 Training records
 Annual leave and other leave records, including details of the types of and reasons for leave being taken and
related correspondence
 Any termination of employment or engagement documentation, including resignation letters, dismissal letters,
redundancy letters, minutes of meetings, settlement agreements and related correspondence
 Information obtained through electronic means, such as swipecard or clocking-in card records
 Information about your use of STitC IT systems, including usage of telephones, e-mail and the Internet
 Photographs.
STitC may also collect, use and process the following special categories of your personal information (as
applicable):
 Information about your health, including any medical condition, whether you have a disability in respect of which
STitC needs to make reasonable adjustments, sickness absence records (including details of the reasons for
sickness absence being taken), medical reports and related correspondence
 Information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation
 Trade union membership
 Information about criminal convictions and offences.


How do STitC collect your personal information?
STitC may collect personal information about employees, workers and contractors in a variety of ways. It is collected
during the recruitment process, either directly from you or sometimes from a third party such as an employment
agency. STitC may also collect personal information from other external third parties, such as references from former
employers, information from background check providers, information from credit reference agencies and criminal
record checks from the Disclosure and Barring Service (DBS).

STitC will also collect additional personal information throughout the period of your working relationship with the
organisation. This may be collected in the course of your work-related activities. Whilst some of the personal
information you provide to STitC is mandatory and/or is a statutory or contractual requirement, some of it you may
be asked to provide to STitC on a voluntary basis. STitC will inform you whether you are required to provide certain
personal information to STitC, or if you have a choice in this.
Shrewsbury Town in the Community GDPR Privacy Notice for Staff © STitC
Last Reviewed & Updated in May 2021
GDPR Privacy Notice for Staff | Page 3 of 7
Your personal information may be stored in different places, including in your personnel file, in STitC’s
HR management system and in other IT systems, such as the e-mail system.


Why and how do STitC use your personal information?
STitC will only use your personal information when the law allows STitC to do so. These are known as
the legal bases for processing. STitC will use your personal information in one or more of the following
circumstances:
 Where STitC need to do so to perform the employment contract, casual worker agreement, consultancy
agreement or contract for services STitC have entered into with you
 Where STitC need to comply with a legal obligation
 Where it is necessary for STitC’s legitimate interests (or those of a third party), and your interests or your
fundamental rights and freedoms do not override STitC’s interests.
STitC may also occasionally use your personal information where STitC need to protect your vital interests (or
someone else’s vital interests).
STitC need all the types of personal information listed under What types of personal information do STitC
collect about you? primarily to enable the organisation to perform its contract with you and to enable STitC to
comply with its legal obligations. In some cases, STitC may also use your personal information where it is necessary
to pursue its legitimate interests (or those of a third party), provided that your interests or your fundamental rights
and freedoms do not override STitC’s interests.
STitC’s legitimate interests include:
 Performing or exercising STitC’s obligations or rights under the direct relationship that exists between STitC and
you as its employee, worker or contractor
 Pursuing STitC’s business by employing (and rewarding) employees, workers and contractors
 Performing effective internal administration and ensuring the smooth running of the business
 Ensuring the security and effective operation of STitC systems and network
 Protecting STitC’s confidential information
 Conducting due diligence on employees, workers and contractors.
STitC believe that you have a reasonable expectation, as an STitC employee, worker or contractor, that
the organisation will process your personal information.
The purposes for which STitC are processing, or will process, your personal information are to:
 Enable STitC to maintain accurate and up-to-date employee, worker and contractor records and contact details
(including details of whom to contact in the event of an emergency)
 Run recruitment processes and assess your suitability for employment, engagement or promotion
 Comply with statutory and/or regulatory requirements and obligations e.g. checking your right to work in the
UK
 Comply with the duty to make reasonable adjustments for disabled employees and workers and with other
disability discrimination obligations
 Maintain an accurate record of your employment or engagement terms
 Administer the contract that STitC have entered into with you
 Make decisions about pay reviews and bonuses
 Ensure compliance with your statutory and contractual rights
 Ensure you are paid correctly and receive the correct benefits and pension entitlements, including liaising with
any external benefits or pension providers or insurers
 Ensure compliance with income tax requirements e.g. deducting income tax and National Insurance
contributions where applicable
 Operate and maintain a record of disciplinary, grievance and capability procedures and action taken
 Operate and maintain a record of performance management systems
 Record and assess your education, training and development activities and needs
 Plan for career development and succession
 Manage, plan and organise work
 Enable effective workforce management
 Operate and maintain a record of annual leave procedures
 Operate and maintain a record of sickness absence procedures
 Ascertain your fitness to work
 Operate and maintain a record of maternity leave, paternity leave, adoption leave, shared parental leave,
parental leave and any other type of paid or unpaid leave or time off work
Shrewsbury Town in the Community GDPR Privacy Notice for Staff © STitC
Last Reviewed & Updated in May 2021
GDPR Privacy Notice for Staff | Page 4 of 7
 Ensure payment of SSP or contractual sick pay
 Ensure payment of other statutory or contractual pay entitlements e.g. SMP, SPP, SAP and ShPP
 Meet STitC obligations under health and safety laws
 Make decisions about continued employment or engagement
 Operate and maintain a record of dismissal procedures
 Provide references on request for current or former employees, workers or contractors
 Prevent fraud
 Monitor your use of STitC IT systems to ensure compliance with STitC IT-related policies
 Ensure network and information security and prevent unauthorised access and modifications to systems
 Ensure effective HR, personnel management and business administration, including accounting and auditing
 Ensure adherence to STitC rules, policies and procedures
 Monitor equal opportunities
 Enable STitC to establish, exercise or defend possible legal claims.
Please note that STitC may process your personal information without your consent, in compliance with
these rules, where this is required or permitted by law.


What if you fail to provide personal information?
If you fail to provide certain personal information when requested or required, STitC may not be able to perform the
contract it has entered into with you, or STitC may be prevented from complying with its legal obligations. You may
also be unable to exercise your statutory or contractual rights.


Why and how do STitC use your sensitive personal information?
STitC will only collect and use your sensitive personal information, which includes special categories of personal
information and information about criminal convictions and offences, when the law allows STitC to do so.
Some special categories of personal information i.e. information about your health or medical conditions and trade
union membership, and information about criminal convictions and offences, is processed so that STitC can perform
or exercise its obligations or rights under employment law or social security law and in line with STitC Data
Protection Policy. Information about health or medical conditions may also be processed for the purposes of
assessing the working capacity of an employee or medical diagnosis, provided this is done under the responsibility
of a medical professional subject to the obligation of professional secrecy e.g. a doctor, and again in line with STitC
Data Protection Policy.
STitC may also process these special categories of personal information, and information about any criminal
convictions and offences, where STitC have your explicit written consent. In this case, STitC will first provide you
with full details of the personal information STitC would like and the reason it is needed, so that you can properly
consider whether you wish to consent or not. It is entirely your choice whether to consent. Your consent can be
withdrawn at any time.
The purposes for which STitC are processing, or will process, these special categories of your personal
information, and information about any criminal convictions and offences, are to:
 Assess your suitability for employment, engagement or promotion
 Comply with statutory and/or regulatory requirements and obligations e.g. carrying out criminal record checks
 Comply with the duty to make reasonable adjustments for disabled employees and workers and with other
disability discrimination obligations
 Administer the contract STitC have entered into with you
 Ensure compliance with your statutory and contractual rights
 Operate and maintain a record of sickness absence procedures
 Ascertain your fitness to work
 Manage, plan and organise work
 Enable effective workforce management
 Ensure payment of SSP or contractual sick pay
 Meet STitC obligations under health and safety laws
 Make decisions about continued employment or engagement
 Operate and maintain a record of dismissal procedures
 Ensure effective HR, personnel management and business administration
 Ensure adherence to STitC rules, policies and procedures
 Monitor equal opportunities
 Pay trade union premiums.
Shrewsbury Town in the Community GDPR Privacy Notice for Staff © STitC
Last Reviewed & Updated in May 2021
GDPR Privacy Notice for Staff | Page 5 of 7
Where STitC processes other special categories of personal information i.e. information about your racial or ethnic
origin, religious or philosophical beliefs and sexual orientation, this is done only for the purpose of equal opportunities
monitoring and in line with STitC Data Protection Policy. Personal information that STitC uses for these purposes
is either anonymised or is collected with your explicit written consent, which can be withdrawn at any time. It is
entirely your choice whether to provide such personal information.
STitC may also occasionally use your special categories of personal information, and information about
any criminal convictions and offences, where it is needed for the establishment, exercise or defence of
legal claims.


Change of purpose
STitC will only use your personal information for the purposes for which it was collected. If STitC need to use your
personal information for a purpose other than that for which it was collected, STitC will provide you, prior to that
further processing, with information about the new purpose. STitC will explain the legal basis which allows the
organisation to process your personal information for the new purpose and STitC will provide you with any relevant
further information. STitC may also issue a new privacy notice to you.


Who has access to your personal information?
Your personal information may be shared internally within STitC, including with members of the HR department,
payroll staff, your line manager, other managers in the department in which you work and IT staff if access to your
personal information is necessary for the performance of their roles.
STitC may also share your personal information with third-party service providers (and their designated
agents), including:
 External organisations for the purposes of conducting pre-employment reference and employment background
checks
 Payroll providers
 Benefits providers and benefits administration, including insurers
 Pension scheme provider and pension administration
 Occupational health providers
 External IT services
 External auditors
 Professional advisers, such as HR consultants, lawyers and accountants.
STitC may also share your personal information with other third parties in the context of a potential sale
or restructuring of some or all of its business. In those circumstances, your personal information will be
subject to confidentiality undertakings.
STitC may also need to share your personal information with a regulator or to otherwise comply with
the law.
STitC may share your personal information with third parties where it is necessary to administer the contract it has
entered into with you, where STitC need to comply with a legal obligation, or where it is necessary for the
organisation’s legitimate interests (or those of a third party).


How does STitC protect your personal information?
STitC has put in place measures to protect the security of your personal information. It has internal policies,
procedures and controls in place to try and prevent your personal information from being accidentally lost or
destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, STitC limit access to your
personal information to those employees, workers, agents, contractors and other third parties who have a business
need to know in order to perform their job duties and responsibilities. You can obtain further information about these
measures from STitC’s person responsible for data protection.
Where your personal information is shared with third-party service providers, STitC require all third parties to take
appropriate technical and organisational security measures to protect your personal information and to treat it
subject to a duty of confidentiality and in accordance with data protection law. STitC only allow them to process
your personal information for specified purposes and in accordance with our written instructions and STitC do not
allow them to use your personal information for their own purposes.

Shrewsbury Town in the Community GDPR Privacy Notice for Staff © STitC
Last Reviewed & Updated in May 2021
GDPR Privacy Notice for Staff | Page 6 of 7
STitC also has in place procedures to deal with a suspected data security breach and STitC will notify the
Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a
suspected breach where STitC are legally required to do so.


For how long does STitC keep your personal information?
STitC will only retain your personal information for as long as is necessary to fulfil the purposes for
which it was collected and processed, including for the purposes of satisfying any legal, tax, health and
safety, reporting or accounting requirements.
STitC will generally hold your personal information for the duration of your employment or engagement.
The exceptions are:
 Any personal information supplied as part of the recruitment process will not be retained if it has no bearing on
the ongoing working relationship
 Personal information about criminal convictions and offences collected in the course of the recruitment process
will be deleted once it has been verified through a DBS criminal record check, unless, in exceptional
circumstances, the information has been assessed by STitC as relevant to the ongoing working relationship
 It will only be recorded whether a DBS criminal record check has yielded a satisfactory or unsatisfactory result,
unless, in exceptional circumstances, the information in the criminal record check has been assessed by STitC
as relevant to the ongoing working relationship
 If it has been assessed as relevant to the ongoing working relationship, a DBS criminal record check will
nevertheless be deleted after six months, or once the conviction is spent if earlier (unless information about
spent convictions may be retained because the role is an excluded occupation or profession)
 Disciplinary, grievance and capability records will only be retained until the expiry of any warning given (but a
summary disciplinary, grievance or performance management record will still be maintained for the duration of
your employment).
Once you have left employment or your engagement has been terminated, STitC will generally hold your
personal information for one year after the termination of your employment or engagement, but this is
subject to:
 Any minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular
data or records
 The retention of some types of personal information for up to six years to protect against legal risk e.g. if they
could be relevant to a possible legal claim in a Tribunal, County Court or High Court. STitC will hold payroll,
wage and tax records (including salary, bonuses, overtime, expenses, benefits and pension information, National
Insurance number, PAYE records, tax code and tax status information) for six years after the termination of
your employment or engagement. Overall, this means that STitC will thin the file of personal information that
STitC hold on you 12 months after the termination of your employment or engagement, so that STitC only
continue to retain for a longer period what is strictly necessary.
Personal information which is no longer to be retained will be securely and effectively destroyed or
permanently erased from STitC IT systems and STitC will also require third parties to destroy or erase
such personal information where applicable.
In some circumstances, STitC may anonymise your personal information so that it no longer permits your
identification. In this case, STitC may retain such information for a longer period.


Your rights in connection with your personal information
It is important that the personal information STitC hold about you is accurate and up to date. Please keep STitC
informed if your personal information changes e.g. you change your home address, during your working relationship
with STitC so that records can be updated. STitC cannot be held responsible for any errors in your personal
information in this regard unless you have notified the organisation of the relevant change.
As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain
circumstances, you have the right to:
 Request access to your personal information: This is usually known as making a data subject access request
and it enables you to receive a copy of the personal information STitC hold about you and to check that STitC
are lawfully processing it.
 Request rectification of your personal information: This enables you to have any inaccurate or incomplete
personal information STitC hold about you corrected.
Shrewsbury Town in the Community GDPR Privacy Notice for Staff © STitC
Last Reviewed & Updated in May 2021
GDPR Privacy Notice for Staff | Page 7 of 7
 Request the erasure of your personal information: This enables you to ask STitC to delete or remove your
personal information where there’s no compelling reason for its continued processing e.g. it’s no longer
necessary in relation to the purpose for which it was originally collected.
 Restrict the processing of your personal information: This enables you to ask STitC to suspend the
processing of your personal information e.g. if you contest its accuracy and so want STitC to verify its accuracy.

 Object to the processing of your personal information: This enables you to ask STitC to stop processing
your personal information where STitC are relying on the legitimate interests of the business as the legal basis
for processing and there is something relating to your particular situation which makes you decide to object to
processing on this ground.
 Data portability: This gives you the right to request the transfer of your personal information to another party
so that you can reuse it across different services for your own purposes.
If you wish to exercise any of these rights, please contact STitC’s person responsible for data protection. STitC may
need to request specific information from you in order to verify your identity and check your right to access the
personal information, or to exercise any of your other rights. This is a security measure to ensure that your personal
information is not disclosed to any person who has no right to receive it.
In the limited circumstances where you have provided your consent to the processing of your personal information
for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will
not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to
withdraw your consent, please contact STitC’s person responsible for data protection. Once STitC have received
notification that you have withdrawn your consent, STitC will no longer process your personal information for the
purpose you originally agreed to, unless STitC have another legal basis for processing.
If you believe that STitC has not complied with your data protection rights, you have the right to make a complaint
to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data
protection issues.


Transferring personal information outside the European Economic Area
STitC will not transfer your personal information to countries outside the European Economic Area.

Automated decision making
Automated decision making occurs when an electronic system uses your personal information to make a decision
without human intervention. STitC do not envisage that any employment decisions will be taken about you based
solely on automated decision making, including profiling. However, STitC will notify you in writing if this position
changes.


Changes to this privacy notice
STitC reserves the right to update or amend this privacy notice at any time, including where STitC intends to further
process your personal information for a purpose other than that for which the personal information was collected,
or where STitC intend to process new types of personal information. STitC will issue you with a new privacy notice
when STitC make significant updates or amendments. STitC may also notify you about the processing of your
personal information in other ways.


Contact
If you have any questions about this Privacy Notice or how STitC handle your personal information,
please contact STitC’s person responsible for data protection using the details provided at the beginning
of this Privacy Notice.