Kieron Hill Employment Services Limited (KHES Limited) has a responsibility to document how we will protect your personal data. This is a legal requirement of the UK GDPR under the ‘right to be informed’.

This privacy notice will outline our responsibilities to you.

This privacy notice was last updated in July 2022.

1.0 Key Terms

1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy-to-understand a manner as possible, we do need to use certain terms throughout this privacy notice.

1.2 We will now provide an easy-to-understand definition of each term:

2.0 Scope

2.1 The scope for KHES Limited is any data subject, whose personal data is processed, in line with the requirements of the DPA 2018, PECR, and UK GDPR. From time to time we may also need to meet the requirements of additional UK privacy legislation and overseas privacy legislation, such as the EU GDPR.

2.2 We also acknowledge any additional responsibilities requested by the industry regulator in the UK, the Information Commissioner’s Office (ICO).

2.3 The DPA 2018 and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as a part of a physical filing system. For example, any personal data that may be uploaded to a computer/electronic device, or stored in a structured paper filing system.

2.4 KHES Limited will adhere to the seven UK GDPR data processing principles when handling personal data:

2.5 All associates and employees of KHES Limited who interact with data subjects are responsible for ensuring that this privacy notice is drawn to the data subject’s attention, at the earliest available opportunity.

3.0 Lawfulness

3.1 KHES Limited is a private limited company, based in England, under company registration number 07333078, complying with the laws of England and Wales.

3.2 KHES Limited is registered with the ICO under registration number Z2415149.

3.3 KHES Limited acts as a data controller and data processor. As a core responsibility, we adhere to UK GDPR Article 30, which asks us to maintain a record of all personal data processing activities.

3.4 KHES Limited has appointed a Data Protection Officer (DPO). Our DPO is CSRB Limited. They can be contacted on 0117 325 0830 or via dpo@csrb.co.uk.

3.5 KHES Limited uses lawful bases, as set out in UK GDPR Article 6, when we process your personal data:

3.6 KHES Limited processes certain special category data:

3.7 KHES Limited ensures that all processing of the above special category data is lawful, fair, transparent, and complies with all the data processing principles of the UK GDPR.

3.8 KHES Limited can only process special category data if we can meet one of the specific conditions in Article 9 of the UK GDPR. We may also have to meet additional conditions set out in the DPA 2018. The Article 9 conditions we use are:

There are additional safeguards in place, as required in Part 4 of Schedule 1 of the DPA 2018, which document that:

3.9 KHES Limited may transfer personal data we collect about you to countries outside the UK and the EEA (European Economic Area). We treat each international data transfer individually and assess the risk associated with the transfer and whether a suitable level of adequacy with UK data protection and privacy legislation is available, within the country to where the personal data is being transferred.

3.10 If the international data transfer would fall within the European Union/EEA, personal data would be able to flow freely under the ‘Adequacy Decision’ agreed between the UK and European Parliament on 27 June 2021. If the international data transfer is outside the EU/EEA/UK then appropriate safeguards or derogations would be put in place, such as Data Protection Impact Assessments (DPIAs). This privacy notice would also be updated.

4.0 Fairness

4.1 KHES Limited processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing with regards to personal data. There are eight rights:

4.2 KHES Limited will only handle personal data in ways that data subjects would reasonably expect and not use it in ways that have unjustified adverse effects on them.

4.3 KHES Limited will obtain personal data in the first instance in a fair way. We will seek consent from the data subject, or only bring personal data into the business where explicit consent has been given and recorded.

4.4 KHES Limited always considers the rights and freedoms of data subjects when processing personal data. This could be individually or in a group.

5.0 Transparency

5.1 Transparency is fundamentally linked to fairness. KHES Limited will always be clear, open, and honest with people from the start, about who we are, and how and why we need to use your personal data.

5.2 KHES Limited wants individuals to have a choice about whether they wish to enter a relationship with us. We tell data subjects from the outset the types of personal data we may need to process, usually within our contract and proposal documentation. We issue all individuals with a copy of this privacy notice.

5.3 KHES Limited processes the following personal data types as a minimum:

5.4 We believe if individuals know at the outset what we will use their personal information for, they will be able to make an informed decision about whether to enter a relationship with KHES Limited.

5.5 KHES Limited informs individuals about all personal data processing in a way that is easily accessible and easy to understand, using clear and plain language. This privacy notice is one example of how we do this.

5.6 KHES Limited has appointed a certified Data Protection Officer (DPO) to act in the interests of all parties. Should you require further information with regard to personal data and the protection of that data, please contact our nominated DPO at CSRB Limited. They can be contacted on 0117 325 0830 or via dpo@csrb.co.uk.

5.7 KHES Limited hope we can resolve any query or concern you raise about our use of your personal data. You can contact KHES Limited in the first instance at any time on 0161 850 1122 or via email admin@khes.co.uk.

5.8 Should we not be able to resolve the complaint, you have the right to lodge a complaint with the lead authority. The lead authority in the UK is the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting www.ico.org.uk.

6.0 Purpose Limitation

6.1 KHES Limited will always be clear about what our purposes for processing are from the start. For example, recording identity and location data to facilitate a contract.

6.2 KHES Limited will record our purposes for data processing as part of our contract and proposal documentation obligations. We will also specify them in any additional privacy documentation provided.

6.3 KHES Limited will only use personal data for a new purpose if this is compatible with the original purpose, or we obtain consent, or we have a clear obligation or function set out in law.

6.4 Where relevant, KHES Limited may also share your personal data with the following categories of third parties:

6.5 KHES Limited will share personal information with law enforcement or other authorities, if required by law.

7.0 Data Minimisation

7.1 KHES Limited always ensures the personal data we are processing is:

The UK GDPR does not define these terms. As this is the case, KHES Limited accepts these terms may have a differing definition from one individual to the other, as the processing will depend on the specified purpose for collecting and using the personal data.

7.2 In order to assess whether we are holding the right amount of personal data, we demonstrate clearly why we need it, before engaging with the data subject.

7.3 For special category data or criminal offence data, we understand the importance of collecting and retaining only the minimum amount of information.

7.4 KHES Limited undertakes an annual data protection audit with an external certified data protection service provider, to review our processing to check that the personal data we hold is still relevant and adequate for the stated purposes, and we delete anything we no longer need.

8.0 Accuracy

8.1 KHES Limited will take all reasonable steps to ensure the personal data we hold is accurate and up to date.

8.2 KHES Limited will take reasonable steps to ensure that personal data we hold is not incorrect. This may involve contacting you via our official communication channels, to ensure all personal data held is accurate.

8.3 KHES Limited will always record the source of where personal data came from, and ensure that source is compliant with UK privacy laws, including the UK GDPR.

8.4 If we need to keep a record of a mistake, we clearly identify it as a mistake, and add this to our records of processing for audit purposes, and continuous improvement.

8.5 All KHES Limited records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.

8.6 KHES Limited will comply with the individual’s right to rectification, and carefully consider any challenges to the accuracy of the personal data.

8.7 As a matter of good practice, we keep a note of any challenges to the accuracy of the personal data.

9.0 Storage Limitation

9.1 KHES Limited will not keep personal data for longer than we need it.

9.2 KHES Limited will only keep personal data for the period outlined to meet the requirements of the contract, legal obligation, or legitimate interest identified. We always document our purposes for holding personal data.

9.3 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

9.4 Furthermore, any retention of personal data will be carried out in compliance with legal, professional body and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation, regulations, or requirements.

9.5 KHES Limited acknowledges that UK privacy legislation does not determine how long personal data needs to be kept. This is up to us as a data controller or processor to determine and document accordingly at the earliest possible opportunity. For example, in contracts or proposal documentation.

9.6 KHES Limited has a personal data retention policy and procedure in place, which documents the types of record or information we hold, what we use it for, and how long we intend to keep it.

9.7 KHES Limited periodically reviews the personal data we hold, and erases or anonymises it, when we no longer need to process it.

9.8 KHES Limited also considers any challenges to the retention of personal data. We understand that individuals have a right to erasure if we no longer need the personal data.

9.9 KHES Limited acknowledges there are exceptions to retention periods. Here we can keep personal data for longer if we are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. We would always inform you if this was the case, along with our lawful basis for retention.

9.10 Any personal data held as physical documents is securely stored pre-destruction and then securely destroyed, with a Certificate of Destruction issued in line with the UK GDPR and our data retention policy.

10.0 Integrity and Confidentiality (security)

10.1 KHES Limited undertake an analysis of the risks presented by our processing and use this to assess the appropriate level of security we need to put in place. We review our Business Continuity Plan (BCP) annually.

10.2 We have an information security policy and take steps to make sure the policy is implemented. For example, we undertake an annual information security review with an accredited external provider. We make sure that we regularly review our information security policies and measures and, where necessary, improve them.

10.3 KHES Limited believes in building an information governance framework by design. Where necessary, we have additional policies and ensure that controls are in place to enforce them.

10.4 KHES Limited has put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.

10.5 We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process. For example, we use encryption for personal data transfer where it is appropriate to do so.

10.6 KHES Limited understand the requirements of confidentiality, integrity, and availability for the personal data we process.

10.7 KHES Limited make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.

10.8 KHES Limited conduct regular testing and reviews of our measures to ensure they remain effective, and act upon the results of those tests where they highlight areas for improvement.

10.9 Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.

10.10 We ensure that any data processor we use also implements appropriate technical and organisational measures.

10.11 KHES Limited does not use tracking cookies on our website to track user behaviour and/or improve site experience. The UK GDPR and PECR interpret data collected by cookies as personal data. They prohibit the collection of personal data without consent, which means a website is only allowed to collect information that the user voluntarily inputs. This includes name, email address, phone number, or any other information that the user shares with the website. The cookie consent must be freely given, specific, informed, and unambiguous. KHES Limited does not use these tracking cookies, giving the user complete control over their personal data.

11.0 Accountability

11.1 Accountability is one of the data protection principles. KHES Limited takes our responsibility for complying with the UK GDPR very seriously, as documented by this privacy notice.

11.2 KHES Limited has put in place several measures that we can, and in some cases must take, including:

11.3 KHES Limited understand that accountability obligations are ongoing. We review and, where necessary, update the measures we put in place. For example, we continually enhance our privacy management framework, as this can help embed our accountability measures and create a culture of privacy across our organisation.

11.4 KHES Limited understand that being accountable can help build trust with individuals and may help mitigate any gaps in compliance, and thus any potential regulatory enforcement action.

11.5 If you have any questions or concerns about how KHES Limited processes and protects your personal data that are not covered in this privacy notice, please contact KHES Limited on 0161 850 1122 or via email at admin@khes.co.uk.