Employee privacy statement - 6point6

Employee privacy statement

1. Your Employer

1.1 Introduction

We are 6point6 Limited and are registered in England and Wales under registration number 07946687, nature of business being Information technology consultancy activities.

Should you wish to make contact to further find out how we process personal data and information, to exercise your rights, make a complaint or discuss reacted matters please contact us using the following details:

  • Post: Data Protection Officer, 6point6 Limited, 3 Orchard Place, London, SW1H 0BF
  • Telephone: +44 (0) 20 3038 8999
  • Email: mailto:[email protected]

1.2 Scope

Unless otherwise stated, this privacy statement applies to the Company’s employee’s or any other “associated persons” within the UK or overseas. Worker refers to 6point6 workers and “associated persons” as defined but not limited to:

  • officers and/or partners of the Company
  • consultants
  • contractors or subcontractors
  • volunteers
  • secondees
  • student placements
  • perspective employees
  • applicants
  • any other persons that act on behalf of the company

This document is not part of your employment contract, and it is not legally binding except where it is a statement of the law. You must be aware of this document and apply it accordingly; failure to do so may result in disciplinary action being taken against you. You should consult your manager if there is anything that is not clear to you or if you are unsure about any aspect of this policy.

1.3 Our responsibilities

As an employer 6point6 must meet its contractual, statutory and administrative obligations. To that end 6point6 is committed to ensuring that the personal data of our employees and prospective employees is handled in accordance with the principles set out in the Information Commissioner’s Office Guide to Data Protection[1]

1.4 In this statement

This privacy statement tells you what to expect when 6point6 collects personal information about you. This statement applies to all individuals stated in section 1.2 Scope. However, the information we will process about you will vary depending on your specific role and personal circumstances.

This privacy statement explains how we will handle any personal data that you provide, or we otherwise obtain in connection with your employment with us or when making an application for a job with us.

For the purposes of data protection law, we are the ‘controller’ of this personal data.

1.5 Data and information protection at 6point6

This statement should be read in conjunction with our UK General Data Protection Regulation (GDPR) Policy and our other company policies and procedures. Designed to protect all data and information that comes into the 6point6 systems.

2. Your data and information

2.1 How we get the personal data and information?

Most of the personal information we process is provided to us directly by you, however other sources maybe used in certain circumstances. Therefore, we may obtain information and data about you from the following:

  • directly from you
  • from an employment agency
  • from your employer/company if you are a secondee
  • from your education establishment, if you are in a placement scheme
  • from referees, either external or internal
  • from security clearance providers
  • from occupational health and other health providers
  • from pension administrators and other government departments, for example tax details from HMRC
  • from providers of staff benefits
  • CCTV images from our landlords or taken using our own CCTV systems

2.2 The type of personal data and information we collect

We currently collect and process the following personal information and data:

Table 1 – Personal data types

Employee privacy statement table

3. The legal basis for processing your personal information or data

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we mainly rely on for processing your information are:

  • Article 6(1)(b) which relates to processing necessary for the performance of a contract.
  • Article 6(1)(c) so we can comply with our legal obligations as your employer.
  • Article 6(1)(f) for the purposes of our legitimate interest

In the instances we process special category data such as health data,

there are additional bases we rely upon for processing such as:

  • Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights
  • Article 9(2)(f) for the establishment, exercise or defence of legal claims

If we process information about staff criminal convictions and offences, the lawful bases we mainly rely on for processing your information are:

  • Article 6(1)(e) for the performance of our public task.
  • Article 6(1)(b) for the performance of a contract

4. How we store your information

Your information is always stored securely.

6point6 is committed to ensuring your personal information and data is secure. To this end we have ensured there are technical and organisational measures in place to safeguard and secure your personal information and data. We have deployed controls and relevant policies, procedures and guidance to maintain the security of your data.

By adopting the following market leading measures (not an exhaustive listing), we maintain our security baseline based on confidentiality, integrity, and availability to ensure that your data continues to be protected, as well as being accurate and available for its intended purposes:

  • certification to ISO 27001:2013 and ISO 9001:2015
  • certification to Cyber Essentials Plus
  • member of the Council for Registered Ethical Security Testers (CREST)
  • combination of procedural and cyber security controls, such as an Information security Management System (ISMS) and encryption
  • we have regular penetration testing performed by a third-party provider

All of this put together continues to demonstrate the strength of our multi-layered approach to the protection of data.

5. Transfers of personal data and use of data processors

We may share your information with our service providers and professional advisors, public and governmental authorities, or third parties in connection with our business activities. We have contractual agreements in place, and we ensure third party assurance activities are undertaken on them to make sure of their usage over your data and that safeguarding controls are in place.

In the main, the systems and services we use are located in the UK and the EEA.

However, there may be occasions where your personal data may be processed outside of the above two specifically named regions. This processing may occur in countries that are ‘deemed’ not in line with the current UK and EEA levels of data handling and safeguarding, such as the US. In these situations, 6point6 has implemented measures to ensure before we do so, we shall take the necessary steps to ensure that your personal data will be given adequate protection as required by relevant data privacy laws and 6point6’s own policies and procedures. Steps such as conducting Data Protection Impact Assessments (DPIA’s) as well as ensuring we or our processors there is contractual protection via the use of the Standard Contractual Clauses.

We don’t routinely transfer staff personal data overseas but when this is necessary, we ensure that we have appropriate safeguards in place.

6. How long do we keep your personal data

6point6 will only process/retain your personal data for as long as is necessary.

We maintain specific records management and retention guidelines that can be found in the GDPR Policy. These guidelines ensure data is deleted after a reasonable time in-line with the following retention criteria:

  • your data will be retained for as long as we have a relationship with you
  • your data will be retained for as long as your 6point6 user account is active or for as long as we need to provide services to you
  • your data will be retained for as long we have a legitimate business reason to keep it
  • your data will be retained for as long as is required for us to comply with legal and contractual obligations

7. Your data protection rights

Under data protection law, you have rights listed as follows:

Your right of access – you have the right to ask us for copies of your personal information.

Your right to rectification – you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – you have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – you have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability – you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at (contact details in Section 1.1 Introduction) if you wish to make a request.

8. Changes to our policy

We will keep this statement under review and endeavour to reflect any changes to the way we work with your data or any changes in applicable laws in this statement.

This privacy statement is effective as of June 2023.

9. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at (contact details in Section 1.1 Introduction)

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow,
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: ico.org.uk

[1] https://ico.org.uk/for-organisations/

[2] Information you have provided regarding protected characteristics as defined by the Equality Act and s.75 of the Northern Ireland Act for the purpose of equal opportunities monitoring. This includes racial or ethnic origin, religious beliefs, disability status, and gender identification and may be extended to include other protected characteristics

[3] We may collect certain types of sensitive information where permitted by law with your consent such as health/medical information (including disability status), trade union membership information, religion, race or ethnicity, minority flag

[4] Consent for this is normally obtained through notification at the beginning of the meeting declaring recording will take place, stating employees can mute microphones and cameras if desired.