Privacy Notice for Greater London Authority (GLA) employees

Under the data protection legislation, the GLA is only allowed to use personal information if we have a valid reason or 'legal basis' to do so. In the case of your employment with the GLA, there are a number of these 'legal grounds' we rely on, which are:

• For the 'performance of a contract', for example:

− to comply with the obligations contained in your contract of employment and the GLA’s HR policies, to pay you in accordance with your employment contract and to administer benefits such as pension and access to salary sacrifice schemes.

• Legal obligations (where we are obliged to handle your information in a certain way), for example:

− to provide salary information to HMRC for tax purposes or to provide information to the National Fraud Initiative, run by the Cabinet Office, every two years

− to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.

• Where you have given your consent to the GLA, for example:

− You have asked us to give a reference to a financial institution regarding an application you have made for a mortgage, personal loan, etc.

• Where it forms part of the GLA’s public functions, for example:

− The publication of salary information under GLA’s transparency obligations

− When passing information to the Information Commissioner's Office, which regulates Data Protection and Freedom of Information Acts

− In your capacity as an official representative of the GLA in the performance of your role

Sometimes we also need to collect or store information that is called 'special category personal data', which is defined as the following:

• race and ethnic origin
• politics and religion
• trade union membership
• health (physical or mental)
• sex life or sexual orientation

In addition, the UK Data Protection Act 2018 will add information about criminal allegations, proceedings or convictions to the list of special categories compiled under the GDPR. As before, there are a number of 'lawful bases' we rely on when handling this kind of information, depending on the circumstances, which are:

• Where we have your explicit consent to do so for a specific purpose
• Where it's necessary for carrying out the obligations and exercising specific rights of the GLA or you, in the field of employment and social security and social protection law
• For the establishment, exercise or defence of legal claims • Where it is necessary for occupational health purposes (including counselling)
• Where it is necessary for the purpose of administering your occupational pension
• Where's it's necessary for equality of opportunity or treatment
• Where it's necessary for the prevention and detection of crime or fraud

The GLA processes information about trade union membership to administer TU subscriptions.

The GLA processes other special categories of personal data, including, ethnic origin, sexual life or orientation.

Equal opportunities data collected during recruitment will be used both for monitoring purposes and to inform decision making.

The GLA processes other special categories of personal data, including, ethnic origin, sexual orientation, religion or belief, whether you have a disability or not, for purposes of equal opportunities monitoring or to tailor benefits to you.

The GLA may use aggregated or de-personalised employee data for analysis purposes - for example to ensure that we have an efficient and diverse workforce - or for occupational health purposes. Individuals will not be identified using this information.

All employees have access to their personal sensitive data via the MyHR Portal and can update, amend or delete their information at any time. Employees are free to decide whether or not to provide such data.

Your personal information will only be accessed and processed by authorised personnel (such as line managers, HR professionals, occupational health professionals, payroll and pensions administrators) who are involved in the management and administration of your employment and have a legitimate need to access your information for certain specific purposes, such as:

• GLA Financial Services – e.g. payroll and expense claims,
• Facilities Management – e.g. building access systems and staff passes,
• Technology Group – e.g. creating a GLA IT account, updating the Outlook Global Address List
• HR teams - for example administering the onboarding process
• Line managers - for example to approve annual leave requests

When strictly necessary, the GLA shares some personal data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers (for relevant roles). The GLA may also share your data with third parties in the context of a TUPE Transfer. In those circumstances the data will be subject to specific confidentiality arrangements.

The GLA also has agreements with a number of third-party service providers who provide specialist services on our behalf.

• Transport for London's Occupational Health Team - provide the GLA’s OH contract
• Transport for London – provide employment law advice to the GLA
• Transport for London – who provide a human resources shared service for the GLA including the running of recruitment campaigns, carrying out of pre-employment checks and employee record keeping on its HR database/system
• the Disclosure and Barring Service to obtain necessary criminal records checks
• Reed Screening – for employment background and to obtain necessary background checks
• The GLA has a contract with Havas People Limited to support a number of recruitment campaigns for the GLA. Havas People may conduct employment reference checks for successful candidates during the recruitment process.
• Reward Gateway – provide and administer benefits to GLA employees via MyGLA+
• Nuffield Health – provide the GLA’s employee health screening programme.
• Training providers – we work with a range of training providers to deliver corporate, local and individual support and training sessions. These third parties will process personal information in accordance with the GLA’s instructions and make decisions regarding the information as part of the delivery of their services; they are also required to put in place appropriate security measures that ensure an adequate level of protection for personal information. The GLA will not transfer your data to countries outside the European Economic Area.

The GLA takes the security of your data seriously. We have internal policies and technical measures in place to safeguard your personal information.

Access to systems that hold employment related information is restricted to authorised personnel through the use of unique identifiers and passwords. Your information is stored on systems that are protected by secure network architectures and are backed-up on a regular basis for disaster recovery and business continuity purposes; and to avoid the risk of inadvertent erasure or destruction.

The GLA will hold your personal data for the duration of your employment and for six years after the end of your employment.

The GLA keeps your personal data after you have left employment to enable us to;

• Respond to correspondence, concerns or complaints
• Maintain records according to rules that apply to us (for example employment law or financial regulations)
• Establish and defend any legal rights.

Under the General Data Protection Regulation (GDPR), you are entitled to ask to see any personal information that we hold about you. You also have a number of other information rights which include:

• The right to question any information we have about you that you think is wrong or incomplete
• The right to object to how we use your information or to ask us to delete or restrict how we use it
• In some cases, the right to receive a copy of your information in a format that you can easily re-use for your own purpose(s)
• The right to complain to our Data Protection Officer

If you would like to exercise any of these rights, please contact the GLA’s Data Protection Officer, contact details are provided at the top of this page. If you believe that the organisation has not complied with your data protection rights, you can also complain to the Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights.

You have some obligations under your employment contract to provide the organisation with data. For example, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith.

You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements.

Failing to provide the data may mean that you are unable to exercise your contractual or statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the GLA to enter a contract of employment with you.

If you do not provide other information, this will hinder the GLA's ability to administer the rights and obligations arising because of the employment relationship efficiently.