Privacy Notice for Employees (including Board Members & Volunteers)

The Wrekin Housing Group of Colliers Way, Old Park, Telford TF3 4AW (“the employer”)


The Wrekin Housing Group (“the Group”) is committed to protecting your privacy and complying with the General Data Protection Regulations 2016 (“GDPR”.) We will only collect and process personal data which is proportionate and necessary in relation to your employment, and we will not keep it for longer than is necessary. We will ensure that we have appropriate technological and organisational measures in place to keep the personal data we hold secure.

The Group is registered with the Information Commissioner’s Office (“ICO”) as a data controller for the purposes of GDPR, and the Head of ICT is registered as the Data Protection Officer.

In order to comply with our contractual, statutory, and management obligations and responsibilities we are required to process personal data relating to current, past and prospective employees, including sensitive personal data - this includes information relating to health, racial or ethnic origin, trade union membership and criminal convictions. This information is initially provided to us through an application for employment and is added to over the course of employment.

We will keep and use the personal data of employees to run the business, and manage our relationship with employees effectively, lawfully and appropriately, during the recruitment process, whilst employed by the Group, when the employment ends, and after the employee has left.
This policy sets out the lawful basis by which the Group collects, uses, retains and discloses the personal data of employees, as well as your rights in respect of such personal data.

Lawful Basis for processing personal data (including special category data) under Article 6 GDPR

The Performance of the Employment Contract

It will be necessary for us to collect, process and disclose your personal data for the performance of the employment contract, or in order to take steps prior to entering into the employment contract. Examples of the personal data processed in order for us to meet our contractual responsibilities include (but is not limited to)data relating to: payroll; bank account; postal address; sick pay; leave; maternity pay; parental leave; pension; and emergency contacts.

Statutory Responsibilities

The Group’s statutory responsibilities are imposed by legislation, and the personal data we process in order to for us to meet those responsibilities include (but is not limited to)data relating to: the Right to Work; tax; national insurance; statutory sick pay; statutory maternity pay; DBS checks, and Health and Safety.

We are also under additional statutory and regulatory requirements to process the personal information of our Board Members.


In certain circumstances we may ask for an employee’s consent to obtain, use and disclose certain personal data, including sensitive personal data. For example, to provide a reference or information required by a mortgage lender, or to offer a voluntary benefit as part of an employee’s overall remuneration package. A record of such consent will be retained on the employee’s personal file. An employee has the right to withdraw consent to the processing of personal data, and can exercise this right by contacting the HR Team.

Legitimate Interests

The Group will collect, process and disclose personal data where it has a legitimate interest to do so. This means in circumstances where it is both necessary and proportionate to do so for the functioning of the organisation, and where the requirement for processing outweighs the general privacy rights that employees have. Examples of such circumstances include (but are not limited to): to prevent fraud; to protect the Group‘s legal position in the event of legal proceedings; health and safety matters; disciplinary matters; and, training and development.

Lawful Basis for processing special category data under Article 9 GDPR

Where we processes ‘special category’ data, which includes information in relation to an employee’s race, ethnic origin, political beliefs, religion, trade union membership, genetics, biometrics, health and sexuality we must establish an additional lawful basis for processing, as this personal data is more sensitive and needs additional protection.

The Group will collect, process and disclose special category data where:

  • The employee has given explicit consent to the processing of personal data for one or more specified purpose;
  • It is necessary for the purposes of performing or exercising the obligations or rights of the Group or employee in the field of employment law;
  • It is necessary for the purposes of preventative or occupational medicine for assessing the working capacity of the employee;
  • The processing is necessary for establishing, exercising or defending legal claims, or in accordance with a court order.

Lawful Basis for processing special category data under Article 10 GDPR

Article 10 applies to data relating to criminal convictions and offences, which includes alleged offences, court proceedings and sentencing.

We will collect, process, and disclose data relating to criminal convictions where:

  • We have identified a lawful basis for processing under Article 6 as detailed above, and;
  • The employee has given consent to the processing of their personal data for one or more specific purposes – the employee has the right to decline to provide consent and, if consent is provided, to withdraw it at any time by contacting the HR Team, or;
  • The processing is necessary to protect the vital interests of an individual, for example, in emergency situations or where a safeguarding issue has been identified, or;
  • Where the processing relates to personal data which has been made public by the employee, or;
  • The processing is necessary: for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); obtaining legal advice; or otherwise necessary for the establishing, exercising, or defending of legal rights, or;
  • Processing is necessary when a court is acting in its judicial capacity.


What personal data does the Group ask for and why

We will not collect more data than is needed in order to recruit and we will not keep it longer than is necessary. The data asked for will be used to assess your suitability for employment. You don’t have to provide the data you are asked for, but it may affect your application if you don’t.

Application & shortlisting stage

Applications for employment are submitted either electronically via a recruitment portal, or by completing an application form, or providing a C.V. We also use employment agencies to fill vacancies when necessary. The relevant recruitment team will have access to the information received. Applicants (or the agency) are required to provide personal data including: name; contact details; previous experience; education; referees; answers to questions relevant to the role applied for; past criminal convictions and an appropriate DBS check (which may include DBS Children’s Barred List)where the specific post requires it; and, equal opportunities data (there is no obligation to provide this.)

All the information provided during the recruitment process will only
be used for the purpose of progressing the application, or to fulfil
legal or regulatory requirements if necessary.

We will not share any of the information provided during the recruitment process with any third party for marketing purposes, and we will not store any of the information outside the European Economic Area.

We will use the contact details provided to contact the applicant to progress their application. The other information provided will be used to assess the applicant’s suitability for the role applied for.

Certain roles require that we contact referees immediately once an applicant has been shortlisted for the vacancy, and applicants will be advised of this prior to completing the application.

Equal Opportunities Monitoring.

We ask applicants to complete a selection of tick boxes to confirm their: Gender; Sexuality; Age range; Ethnicity; Nationality, Religion; and whether they have a disability. This data is collated and the statistics are used to ensure that we operate a non-discriminatory recruitment processes. This information also helps us to see who we are attracting to our vacancies, and to see if we have a diverse work force. The statistics collected do not reveal the person’s identity as we do not record that for these purposes.


We may ask an applicant to attend an interview, participate in an assessment day, and/or complete tests. Any information generated by assessments will be held by the Group. Unsuccessful candidates may be asked for their express consent for their details to be retained securely in a ‘talent pool’ for six months so that we are able to contact them should a further suitable vacancy arise.

Conditional Offer

If we make a conditional offer, the applicant will be asked to provide further information so that the required pre-employment checks can be carried out. Depending on the vacancy, the applicant may be asked to complete a medical questionnaire which will help to determine if they are fit to undertake the work offered, or to advise if any reasonable adjustments are needed to the work environment or systems so that the applicant may work more effectively. The completed questionnaire is confidential and only seen by the Occupational Health Provider who will then advise us if any reasonable adjustments are required and what those adjustments are.

We are under a legal obligation to confirm the identity of our employees, their right to work in the UK, and to seek assurance of their integrity and reliability. Applicants are, therefore required to provide the following: proof of identity; proof of qualifications; declaration of any unspent criminal convictions & DBS check (including enhanced DBS checks) if appropriate for the role; and, contact details for referees. Copies of the relevant documents will be taken and retained appropriately.

Final Offer

If we make a final offer, the applicant will be asked to provide: their bank details to process payment; emergency contact details; and, existing pension arrangements (if any).

How we make decisions about recruitment

Final recruitment decisions are taken by the relevant manager, any additional interviewer, and the HR team on the basis of all the information collected during the recruitment process.

Applicants are able to obtain feedback on their application by contacting the HR team or relevant Manager.

How long is the information retained for?

For successful applicants, the information provided during the application process will be retained by the Group as part of the employee’s personal file throughout their period of employment, and usually for a further 6 years following the end of their employment. However, for certain Trades employees their information will be held for 50 years following the end of their employment to enable us to respond to certain liability claims if necessary.

During Employment

What personal data will the Group hold and why?

The information (including personal data and sensitive personal data) held by the Group regarding an employee will be added to over the course of their employment in the performance of the employment contract. This information will include (but is not limited to): the contract of employment and any amendments to it; correspondence with or about the employee; with the employee’s consent, a letter to a mortgage company confirming salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; records relating to career history including, training records, appraisals and other performance measures; trade union membership; and, where necessary, disciplinary and grievance records.

We may where necessary obtain and retain an employee’s health records, including GP records and notes. This data will be used in order to comply with health and safety and occupational health obligations, and to consider how an employee’s health may affect their ability to do their job and whether any adjustments may be appropriate. This data is also necessary to administer and manage statutory and company sick pay.

We may also take and retain photographs of the employee for use in internal communications, for the purposes of identification and security and, with consent marketing and press releases. Employees’ images may also be captured by CCTV systems installed at various locations – please refer to the CCTV Policy & Procedure.

Trade employees who use power tools undergo a Hand Arm Vibration assessment every 12 months. All Trade employees have a three yearly confidential health check with our Occupational Health provider. We only receive a certificate that the employee is fit for work (which is kept on the employee’s personal file) or an advisory note stating they are fit for work, but with restrictions. The full results are not shared with the Group.

We will hold all employee data securely in either individual electronic or paper employee files, and access will be limited to certain members of the HR and Management teams. Employee data will only be disclosed in the circumstances detailed below.

When will the Group share or disclose employee personal data?

In order to fulfil our statutory and contractual requirements, we may need to share an employee’s personal data with an external third party, or one or more colleagues. However, the amount of personal information we share will be no more than is reasonably necessary.

We will display an employee’s name, job title, webmail address and contact number on the Group’s Intranet contact pages.

Relevant employee information will be provided to external providers of payroll services. This will include the employee’s name, bank details, address, date of birth, National Insurance Number, employee benefits received/purchased and salary. Relevant information will also be provided to pension scheme administrators and will include the employees name, date of birth, National Insurance Number and salary.

We may share an employee’s personal data (including sensitive personal data) with external third parties without the employee’s consent where: the disclosure is in the legitimate interests of the Group; there is a statutory duty to share the data; disclosure is required for the performance of a contract; disclosure is necessary to protect the vital interests of the employee; disclosure is made to assist the prevention or detection of crime, or the apprehension or prosecution of offenders; disclosure is required by a Court Order; disclosure is necessary for the Group to obtain legal or other professional advice.

In certain circumstances we will share sensitive employee data with work colleagues within the Group without consent where it is necessary to: protect the employee’s vital interests and the employee cannot give consent or consent cannot be reasonably obtained; to protect another person’s vital interest and the employee has unreasonably withheld their consent; for the discharge of any function designed for the provision of confidential counselling, advice support or any other service; the employee’s consent cannot be given; we cannot reasonably obtain the employee’s explicit consent, or requiring the employee’s explicit consent would prejudice the provision of that counselling, advice, support or other service; to meet a statutory obligation; for the purpose of prevention or detection of crime or the apprehension and prosecution of offenders; pursuant to a court order requiring disclosure.

We may transfer information about employees to other Group companies for purposes connected with their employment or the management of the Group’s business, and to external training providers.

Where we disclose employee personal data to external third parties who provide services to the Group, we will ensure that a confidentiality agreement is entered into and that it is satisfied that the third party will comply with its requirements under the GDPR.

We use software devices to monitor both inbound and outbound emails for suspicious or inappropriate content, for example viruses or phishing, and obscene or illegal content, which may result in some emails being quarantined to ensure they do not pose a risk to our systems.

A Manager may ask for delegated access to an employee’s email, and/or ask if an employee has received an email from a particular person. The ICT Team can access the employee’s email to confirm.

Similarly, the Group’s servers monitor the internet and will ban certain content which is deemed to pose a security risk. Managers can also request confirmation from the ICT team of staff’s usage of the internet.


The Group maintains a register of those employees who wish to undertake a secondment. Access to the secondment register is restricted to the HR department and to managers wishing to employ on a secondment basis. The register is updated regularly.

Work Experience

We regularly receive requests for work experience from schools and colleges, and we will accommodate these requests where possible. When we have a work experience student we record: the school or college they attend; their name, address and telephone number; location of placement within the organisation; and, the emergency contact details. This information is held in a paper file for 6 months until shredded. The file is stored securely, with access limited to the Training Team. An annual summary of who came and from where is kept electronically with access limited to the Training Team.

Where we provide work experience on a voluntary basis to those
not in full time education we record: their name; address; telephone number; and emergency contact details. This information is held securely electronically for 12 months and is then deleted.

Employees’ Rights

The rights of future, current and former employees as data subjects, are extended under the GDPR, and are detailed below.

The right to access (known as subject access requests)

Employees have the right to obtain a copy or to view the personal information held about them by the Group. The request must be made in writing to the HR department, who will have one calendar month to provide a copy of the information free of charge. Please refer to the Subject Access Request Policy and Procedure.

The right of portability

Employees have the right to request the automated personal information provided by them to the Group be provided to them (or a third party) in a machine readable portable format free of charge so that it can be reused by the employee.

The right of erasure (the right to be forgotten)

Employees have the right to request for the removal or erasure of personal data, for example, if it is no longer necessary, the employee objects to the processing and/or the individual has withdrawn consent. This will not apply to all personal data held by the Group, but where it does apply and where the personal data has been disclosed to a third party, we will ensure that the third party is asked to delete the data. All such requests must be made in writing to the HR team.

The right to request rectification

The employee has the right to obtain the rectification of personal data where it is inaccurate, or to have incomplete personal data completed. Where the personal data has been disclosed to a third party, we will ensure that the third party is asked to rectify the personal data. All such requests must be made in writing to the HR team.

The right to restrict processing

An employee has the right to restrict processing of their personal data
and where this right is exercised, we will only be allowed to store it. However, this right only arises in certain circumstances, for example: where the employee disputes the accuracy of the personal data, the processing of it will be restricted until it is rectified; where the employee has objected to the processing, the processing will be restricted until it’s determined whether the Group’s legitimate grounds override those of the employee’s; where we no longer need the personal information, but the employee requires it in connection with legal proceedings; and, where the processing is unlawful, but the employee has refused erasure.

The right to object

Employees have the right to object to the Group processing their personal information where the processing is based on a legitimate interest, or for the purposes of direct marketing. We will stop processing the employee’s personal data unless we can demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the employee, or where the processing is for the establishment, defence or exercise of legal claims.

The right to complain

Employees have the right to complain to the ICO if they aren’t satisfied with the way the Group has processed their personal information. The Information Commissioner can be contacted on 0303 123 1113 or has a useful website at

Changes to our Employee Privacy Notice

This Privacy Notice may change from time to time, and we will display any updated notice in the Employee Handbook.

Click here to download the Subject Access Request Form