This statement explains how ISS handles and uses personal data we collect about staff. Where in this statement we refer to 'we' or 'ours' or 'us' we are referring to ISS and where we refer to 'you' or 'your' we are referring to our staff. We are registered with the Information CommISSioner's Office (ICO) with registration.

We are committed to protecting your personal information and to being transparent about what information we hold. ISS understands its obligations to you to help you understand how and why we process your personal data. This notice tells you about the uses and should be read in conjunction with the ISS data protection policy.

Our data protection policy and procedures are governed by the Data Protection Act 1998 and, from 25th May 2018, the EU General Data Protection Regulation. The law in this area is changing and we anticipate this statement will change in line with guidance provided by the ICO.

Why we hold your personal data

We are required to hold your personal data for various legal and practical purposes, without which we would be unable to employ you.

Holding your personal data enables us to meet various administrative and legal obligations (e.g. reporting and collecting information for HMRC).

Lawful basis for processing personal data

The lawful basis for processing the personal data of our staff is to fulfil a contract with an individual (employment).

There is a contractual obligation for you to provide much of the information detailed. Without this we would be unable to fulfil our obligations which could result in the contract terminating.

Personal data held by ISS

The information we hold about you is primarily information you provided when you registered as an employee. This may have been provided to us directly or through your temporary work agency.

The following is a list of the information we hold:

• Your name
• Your contact details
• Unique personal identifiers (e.g. date of birth)
• Photographs
• Financial information (bank account, salary, tax and NI information, attachment of earnings, etc)
• Your right to work documents; copies of visa, passports etc.
• Your registration;
• Details of your work history;
• References;
• Your contract of employment;
• Performance reviews and timesheets;
• Disciplinary and grievance procedures;
• Accidents at work; and
• Training and background checks.

How your personal data is used by ISS

Your data is used by us for a number of purposes including:

• Internal reporting and recordkeeping
• Administrative purposes
• Responding to data access request made by you
• ISSuing references at your request
• Contacting you
• Processing our legal obligations (e.g. reporting and collecting information for HMRC).

Your rights

You have the right to access any personal information that ISS processes about you and to request information about:

• What personal data we hold about you
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has/will be disclosed
• How long we intend to store your personal data for
• If we did not collect the data directly from you, information about the source

If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.

You also have the right to request erasure of your personal data or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.

If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the relevant request; this is to ensure that your data is protected and kept secure.

Sharing and disclosing your personal information

We do not share or disclosure any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement. ISS uses third-parties to provide the below services and business functions, however all processors acting on our behalf only process your data in accordance with instructions from us and comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures.

• Relevant data, including your bank details, will be shared with our administration service providers for the purposes of processing your pay;
• Relevant data will be shared with temporary work agencies for the purposes of sourcing work assignments;
• Relevant data may be shared with our auditors;
• Relevant data may be shared with Home Office, UK Visas and Immigration, HMRC and other governmental agencies;
• Data may be shared with reputable "data processors" for the purposes of sending communications (eg mailchimp).

Safeguarding measures

ISS takes your privacy seriously and we take every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including:

• Personal data is stored on a secure website using certificates provided by LetsEncrypt;
• Access to the servers is controlled via secure keys;
• Access to the site is limited to a small set of users with a strict password and IP range policy;
• Access to the data is logged and monitored to identify any unauthorised access.

Consequences of not providing your data

You are not obligated to provide your personal information to ISS. However, as this information is required for us to fulfil our obligations as your employer we will not be able to offer you employment without providing the information identified in this notice.

How long data will be kept

ISS only ever retains personal information for as long as is necessary and we have strict re-view and retention policies in place to meet these obligations. We are required under UK tax law to keep your basic personal data for a minimum of 6 years after which time it will be destroyed.

Lodging a complaint

ISS only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.