Privacy Notice for Greater London Authority (GLA) employees
This page was updated on: 15 Dec 2023
The GLA collects and processes personal data relating to its employees to manage the employment relationship. The GLA is committed to being transparent about how it collects and uses that data as well as meeting its data protection obligations.
The information in this privacy notice explains how the GLA will use your personal information when you become an employee. Personal data may be processed by the GLA directly or by a third party engaged to manage employment processes on behalf of the GLA. Such third-party agents will be working to the requirements of the GLA.
This information should be read together with your contract of employment and replaces any contractual data protection provisions issued prior to May 2018. It may be updated from time to time.
The GLA is the data controller of any personal data collected as part of the employment process.
The GLA Data Protection Officer
The GLA Data Protection Officer (DPO) is responsible for advising the Authority about the collection, handling and use of personal data, and for informing and advising the GLA about compliance with GDPR and other data protection legislation.
The DPO is also responsible for helping promote awareness of data protection issues, training employees, and advising on, and monitoring, data protection impact assessments.
The GLA's Data Protection Officer works for the GLA, London Assembly Members and the Greater London Returning Officer (GLRO).
You can contact the Data Protection Officer by email at [email protected] or by writing to:
Data Protection Officer
Information Governance
City Hall
Kamal Chunchie Way
London
E16 1ZE
What information does the GLA collect?
The GLA collects and processes a range of information about you. This includes:
- Personal details - your name, title, address and contact details, including email address and telephone number, date of birth and name and contact numbers for your named emergency contacts, including details of your next of kin, marital status and dependents.
- Financial and tax information – in order to pay you, including your bank details, National Insurance number, HMRC notifications including P45 & Companies House certificates, remuneration and your entitlement to pension and other benefits.
- Terms and conditions of employment – including offer letters, contracts, pre-employment checks, details about your nationality and your right to work in the UK and related correspondence. Details of your work pattern, days and hours of work and information about variations to your terms including details of secondments within or outside the GLA, details of allowance payments and details of flexible working requests.
- Equal opportunities monitoring information – including information about your age, ethnic origin, sexual orientation, religion, or belief. This information may be used to offer tailored employee-related offers to you.
- Absence and leave records – your leave entitlements and details of periods of leave taken by you, including holiday, parental, special leave, dependency, volunteering, leave for public duties, sabbaticals and the reasons for the leave. Records of absence management meetings and discussions and details of any monitoring periods or warnings.
- Medical information - sickness absence records, including self-certificates, GP notes, number of days absence and reasons, notes of meetings under the sickness absence policy, reasonable adjustments, phased return periods and OH referrals, physio referrals. Reports for OH and recommendations. Sick pay entitlement and correspondence and notifications to payroll. Information including whether or not you have a disability for which the organisation needs to make reasonable adjustments.
- Disciplinary, Grievance & Capability – details of any disciplinary, grievance or capability procedures in which you have been involved, including any warnings issued to you and related correspondence.
- Assessments of your performance and development needs - including appraisals, performance reviews, applications for development programmes, feedback on your performance and development needs, training you have participated in, performance improvement plans and related correspondence.
How does the GLA collect information about you?
The GLA collects this information in a variety of ways. For example:
- data is collected during recruitment processes through application forms, CVs or resumes;
- some data is obtained from your passport or other identity documents such as your utility bills or bank statements which you produce or provide when you attend an interview, as part of the GLA recruitment process;
- from forms completed by you at the start of, or during, your employment (such as benefit nomination forms);
- from our correspondence with you relating to your employment;
- through meetings, interviews or other assessments; or
- through self-service entry into GLA HR systems or other information management systems.
Sometimes it will be necessary for the GLA to obtain information from third parties, such as when seeking references for employment, advice from medical practitioners, or eligibility for benefits such as pensions.
Data is stored in a range of different places, including in your personnel file, in the GLA’s HR management systems and in other official GLA IT systems as well as contracted third parties processing data on our behalf.
Why does the GLA process personal data? What is our legal basis for processing your information?
Under the data protection legislation, the GLA is only allowed to use personal information if we have a valid reason or 'legal basis' to do so. In the case of your employment with the GLA, there are a number of these 'legal grounds' we rely on, which are:
- For the 'performance of a contract', for example:
− to comply with the obligations contained in your contract of employment and the GLA’s HR policies, to pay you in accordance with your employment contract and to administer benefits such as pension and access to salary sacrifice schemes.
- Legal obligations (where we are obliged to handle your information in a certain way), for example:
− to provide salary information to HMRC for tax purposes or to provide information to the National Fraud Initiative, run by the Cabinet Office, every two years
− to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
- Where you have given your consent to the GLA, for example:
− You have asked us to give a reference to a financial institution regarding an application you have made for a mortgage, personal loan, etc.
- Where it forms part of the GLA’s public functions, for example:
− The publication of salary information under GLA’s transparency obligations
− When passing information to the Information Commissioner's Office, which regulates Data Protection and Freedom of Information Acts
− In your capacity as an official representative of the GLA in the performance of your role
Sometimes we also need to collect or store information that is called 'special category personal data', which is defined as the following:
- race and ethnic origin
- politics and religion
- trade union membership
- health (physical or mental)
- sex life or sexual orientation
In addition, the UK Data Protection Act 2018 will add information about criminal allegations, proceedings or convictions to the list of special categories compiled under the GDPR. As before, there are a number of 'lawful bases' we rely on when handling this kind of information, depending on the circumstances, which are:
- Where we have your explicit consent to do so for a specific purpose
- Where it's necessary for carrying out the obligations and exercising specific rights of the GLA or you, in the field of employment and social security and social protection law
- For the establishment, exercise or defence of legal claims
- Where it is necessary for occupational health purposes (including counselling)
- Where it is necessary for the purpose of administering your occupational pension
- Where it's necessary for equality of opportunity or treatment
- Where it's necessary for the prevention and detection of crime or fraud
The GLA processes information about trade union membership to administer TU subscriptions.
The GLA processes other special categories of personal data, including ethnic origin, sexual life or orientation.
Equal opportunities data collected during recruitment will be used both for monitoring purposes and to inform decision making.
The GLA processes other special categories of personal data, including ethnic origin, sexual orientation, religion or belief, and whether you have a disability or not, for purposes of equal opportunities monitoring or to tailor benefits to you.
The GLA may use aggregated or de-personalised employee data for analysis purposes - for example to ensure that we have an efficient and diverse workforce - or for occupational health purposes. Individuals will not be identified using this information.
All employees have access to their personal sensitive data via the MyHR Portal and can update, amend or delete their information at any time. Employees are free to decide whether or not to provide such data.
Who has access to your data?
Your personal information will only be accessed and processed by authorised personnel (such as line managers, HR professionals, occupational health professionals, payroll and pensions administrators) who are involved in the management and administration of your employment and have a legitimate need to access your information for certain specific purposes, such as:
- GLA Financial Services – e.g. payroll and expense claims,
- Facilities Management – e.g. building access systems and staff passes,
- Technology Group – e.g. creating a GLA IT account, updating the Outlook Global Address List
- HR teams - for example administering the onboarding process
- Line managers - for example to approve annual leave requests
When strictly necessary, the GLA shares some personal data with third parties in order to obtain pre-employment references from other employers and to obtain employment background checks from third-party providers (for relevant roles). The GLA may also share your data with third parties in the context of a TUPE Transfer. In those circumstances the data will be subject to specific confidentiality arrangements.
Third parties who process data on the GLA’s behalf
The GLA also has agreements with a number of third-party service providers who provide specialist services on our behalf.
- Transport for London's Occupational Health Team - provide the GLA’s OH contract
- Transport for London – provide employment law advice to the GLA
- Transport for London – who provide a human resources shared service for the GLA including the running of recruitment campaigns, carrying out of pre-employment checks and employee record keeping on its HR database/system
- the Disclosure and Barring Service to obtain necessary criminal records checks
- Reed Screening – for employment background and to obtain necessary background checks
- The GLA has a contract with Havas People Limited to support a number of recruitment campaigns for the GLA. Havas People may conduct employment reference checks for successful candidates during the recruitment process.
- Reward Gateway – provide and administer benefits to GLA employees via MyGLA+
- Nuffield Health – provide the GLA’s employee health screening programme.
- Training providers – we work with a range of training providers to deliver corporate, local and individual support and training sessions.
These third parties will process personal information in accordance with the GLA’s instructions and make decisions regarding the information as part of the delivery of their services; they are also required to put in place appropriate security measures that ensure an adequate level of protection for personal information. The GLA will not transfer your data to countries outside the European Economic Area.
How does the GLA protect data?
The GLA takes the security of your data seriously. We have internal policies and technical measures in place to safeguard your personal information.
Access to systems that hold employment related information is restricted to authorised personnel through the use of unique identifiers and passwords. Your information is stored on systems that are protected by secure network architectures and are backed-up on a regular basis for disaster recovery and business continuity purposes; and to avoid the risk of inadvertent erasure or destruction.
How long does the GLA keep data?
The GLA will hold your personal data for the duration of your employment and for six years after the end of your employment.
The GLA keeps your personal data after you have left employment to enable us to:
- Respond to correspondence, concerns or complaints
- Maintain records according to rules that apply to us (for example employment law or financial regulations)
- Establish and defend any legal rights.
Your rights
Under the General Data Protection Regulation (GDPR), you are entitled to ask to see any personal information that we hold about you. You also have a number of other information rights which include:
- The right to question any information we have about you that you think is wrong or incomplete
- The right to object to how we use your information or to ask us to delete or restrict how we use it
- In some cases, the right to receive a copy of your information in a format that you can easily re-use for your own purpose(s)
- The right to complain to our Data Protection Officer
If you would like to exercise any of these rights, please contact the GLA’s Data Protection Officer; contact details are provided at the top of this page. If you believe that the organisation has not complied with your data protection rights, you can also complain to the Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights.
What if you do not provide personal data?
You have some obligations under your employment contract to provide the organisation with data. For example, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith.
You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements.
Failing to provide the data may mean that you are unable to exercise your contractual or statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, has to be provided to enable the GLA to enter a contract of employment with you.
If you do not provide other information, this will hinder the GLA's ability to administer the rights and obligations arising because of the employment relationship efficiently.