Smart London Working with Business

Privacy Notice for Greater London Authority (GLA) employees

This page was updated on: 25 May 2018

The information in this privacy notice explains how the GLA will use your personal information when you become an employee. This information should be read together with your contract of employment and replaces any contractual data protection provisions issued prior to May 2018. It may be updated from time to time.

What information does the GLA collect?

The GLA collects and processes a range of information about you. This includes:

  • personal details - your name, title, address and contact details, including email address and telephone number, date of birth and name and contact numbers for your named emergency contacts, including details of your next of kin, marital status and dependents
  • financial and tax information - in order to pay you, including your bank details, National Insurance number, HMRC notifications including P45 and companies house certificates, bank details, remuneration and your entitlement to pension and other benefits
  • terms and conditions of employment - including offer letters, contracts, pre-employment checks, details about your nationality and your right to work in the UK and related correspondence, details of your work pattern, days and hours of work and information about variations to your terms including details of secondments within or outside the GLA, details of allowance payments and details of flexible working requests
  • equal opportunities monitoring information - including information about your age, ethnic origin, sexual orientation, religion or belief
  • absence and leave records - your leave entitlements and details of leave taken by you including holiday, parental, special leave, dependency, volunteering, leave for public duties, sabbaticals and the reasons for the leave. Records of absence management meetings and discussions and details of any monitoring periods or warnings
  • medical information - sickness absence records, including self-certificates, GP notes, number of days absence and reasons, notes of meetings under the sickness absence policy, reasonable adjustments, phased return periods and OH referrals, physio referrals, reports for OH and recommendations, sick pay entitlement and correspondence and notifications to payroll,  information including whether or not you have a disability for which the organisation needs to make reasonable adjustments
  • disciplinary, grievance and capability - details of any disciplinary, grievance or capability procedures in which you have been involved, including any warnings issued to you and related correspondence
  • assessments of your performance and development needs -  including appraisals, performance reviews, applications for development programmes, feedback on your performance and development needs, training you have participated in, performance improvement plans and related correspondence

How does the GLA collect information about you?

The GLA collects this information in a variety of ways. For example: 

  • data is collected during recruitment processes through application forms, CVs or resumes;
  • some data is obtained from your passport or other identity documents such as your utility bills or bank statements which you produce or provide when you attend an interview, as part of the GLA recruitment process
  • from forms completed by you at the start of, or during, your employment (such as benefit nomination forms)
  • from our correspondence with you relating to your employment
  • through meetings, interviews or other assessments
  • through self-service entry into the GLA HR systems or other information management systems

Sometimes it will be necessary for the GLA to obtain information from third parties, such as when seeking references for employment, advice from medical practitioners, or eligibility for benefits such as pensions. 

Data is stored in a range of different places, including in your personnel file, in the GLA’s HR management systems and in other official GLA IT systems. 
 

Why does the GLA process personal data?

Under the General Data Protection Regulation (GDPR), the GLA is only allowed to use personal information if we have a proper reason or 'legal basis' to do so. In the case of your employment with the GLA, there are a number of these 'legal grounds' we rely on, which are:

For the 'performance of a contract', for example:

  • to comply with the obligations contained in your contract of employment and the GLA’s HR policies, to pay you in accordance with your employment contract and to administer benefits such as pension and access to salary sacrifice schemes

Legal obligations (where we are obliged to handle your information in a certain way), for example:

  • to provide salary information to HMRC for tax purposes or to provide information to the National Fraud Initiative, run by the Cabinet Office, every two years
  • to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled

Where you have given your consent to the GLA, for example:

  • you have asked us to give a reference to a financial institution regarding an application you have made for a mortgage, personal loan, etc

Where it forms part of the GLA’s public functions, for example:

  • the publication of salary information under GLA’s transparency obligations
  • when passing information to the Information Commissioner's Office, which regulates data protection and freedom of information
  • in your capacity as an official representative of the GLA in the performance of your role

Sometimes we also need to collect or store information that is called 'special category personal data', which is defined as the following:

  • race and ethnic origin
  • politics and religion
  • trade union membership
  • health (physical or mental)
  • sex life or sexual orientation

In addition, the UK Data Protection Act 2018 will add information about criminal allegations, proceedings or convictions to the list of special categories compiled under the GDPR. As before, there are a number of 'legal grounds' we rely on when handling this kind of information, depending on the circumstances, which are:

  • where we have your explicit consent to do so for a specific purpose
  • where it's necessary for carrying out the obligations and exercising specific rights of the GLA or you in the field of employment and social security and social protection law
  • for the establishment, exercise or defence of legal claims
  • where it is necessary for occupational health purposes (including counselling)
  • where it is necessary for the purpose of administering your occupational pension
  • where's it's necessary for equality of opportunity or treatment
  • where it's necessary for the prevention and detection of crime or fraud

The GLA processes information about trade union membership to administer TU subscriptions from payroll.

The GLA processes other special categories of personal data, including, ethnic origin, sexual orientation, religion or belief, whether you have a disability or not, for purposes of equal opportunities monitoring. 

The GLA may use aggregated or depersonalised employee data for analysis purposes - for example to ensure that we have an efficient and diverse workforce - or for occupational health purposes. Individuals will not be identified using this information.

All employees have access to their personal sensitive data via the Employee Self Service (ESS) and can update, amend or delete their information at any time. Employees are free to decide whether or not to provide such data.
 

Who has access to your data?

Your personal information will only be accessed and processed by authorised personnel (eg line managers, HR professionals, occupational health professionals and payroll and pensions administrators) who are involved in the management and administration of your employment and have a legitimate need to access your information for certain specific purposes, such as: 

  • GLA Financial Services – eg payroll and expense claims
  • Facilities Management – eg building access systems and staff passes
  • Technology Group – eg creating a GLA IT account, updating the Outlook Global Address List 

When strictly necessary, the GLA shares some personal data with third parties in order to obtain pre-employment references from other employers or obtain employment background checks from third-party providers (for relevant roles). The GLA may also share your data with third parties in the context of a TUPE Transfer. In those circumstances the data will be subject to specific confidentiality arrangements.
 

Third parties who process data on the GLA’s behalf

The GLA also has agreements with a number of third-party service providers who provide specialist services on our behalf:

  • London Fire Brigade Payroll team - process employee payroll on behalf of the GLA
  • Transport for London's Occupational Health team - provide the GLA’s OH contract
  • Transport for London's Legal team - provide employment law advice to the GLA
  • Reward Gateway - provide and administer benefits to GLA employees via MyGLA+
  • Blossoms Healthcare - provide the GLA’s employee health screening programme
  • Training providers - we work with a range of training providers to deliver corporate, local and individual support and training sessions

These third parties will process personal information in accordance with the GLA’s instructions and make decisions regarding the information as part of the delivery of their services; they are also required to put in place appropriate security measures that ensure an adequate level of protection for personal information.

The GLA will not transfer your data to countries outside the European Economic Area.

How does the GLA protect data?

The GLA takes the security of your data seriously. We have internal policies and technical measures in place to safeguard your personal information.

Access to systems that hold employment-related information is restricted to authorised personnel through the use of unique identifiers and passwords. Your information is stored on systems that are protected by secure network architectures and are backed-up on a regular basis for disaster recovery and business continuity purposes and to avoid the risk of inadvertent erasure or destruction.
 

How long will the GLA keep my data?

The GLA will hold your personal data for the duration of your employment and for six years after the end of your employment. 

The GLA keeps your personal data after you have left employment to enable us to:

  • respond to correspondence, concerns or complaints
  • maintain records according to rules that apply to us (for example employment law or financial regulations)
  • establish and defend any legal rights
     

My rights

Under the General Data Protection Regulation (GDPR), you are entitled to ask to see any personal information that we hold about you. You also have a number of other information rights which include:

  • the right to question any information we have about you that you think is wrong or incomplete
  • the right to object to how we use your information or to ask us to delete or restrict how we use it
  • in some cases, the right to receive a copy of your information in a format that you can easily re-use for your own purpose(s)
  • the right to complain to our Data Protection Officer

If you would like to exercise any of these rights, please contact the GLA’s Data Protection Officer. If you believe that the organisation has not complied with your data protection rights, you can also complain to the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights.

What if I do not provide personal data?

You have some obligations under your employment contract to provide the organisation with data. For example, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. 

You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. 

Failing to provide the data may mean that you are unable to exercise your contractual or statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the GLA to enter a contract of employment with you. 

If you do not provide other information, this will hinder the GLA's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

At the GLA we do not use automated decision-making as part of our recruitment process.