Our privacy promise
We take our duties when processing your personal data very seriously. We promise that we will tell you what data we are collecting and why. We will make every reasonable effort to collect, process, store and share your data safely and securely. We will also make sure that our trusted partners do the same. We also promise that we will be open and clear with you about our use of your personal data and that you will be able to control your personal data with ease.
In order to provide services to you, during and after your employment with us, we need to collect and keep personal data about you, like your name, contact details, health details where appropriate, banking details and employment and salary records. We may need to share specific data with our trusted partners, such as specialist service providers and professional advisors. This is to provide you with the support and services you require from us.
We use your data for employee services
We use the data you provide to fulfil any pre-contractual requirements of the recruitment process, and to create your contract of employment if you are offered a role with us. Once you are an employee, we will use your data for the combined legitimate interests we have in providing employer’s support such as pay, pensions, performance review, learning and development, absence management and holidays, security screening, information about the charity and to support your employment.
You are in control
If you would like to make any changes to the way we are processing your data, if you believe it is inaccurate or incomplete, or you have any concerns regarding how it is being processed you can discuss your preferences with your Line Manager or an HR representative (or the Payroll and Pension administration office with regard to the St Dunstan’s Retirement Benefits Plan (1973)). If you have comments, or questions regarding your personal data and how we are processing it, or you wish to make an individual rights request you can contact the Data Protection Officer directly using the contact details in Section 9 of this policy “How to Contact Us”.
Changes to this policy
We may change this document from time to time to reflect the latest views of what we do with your personal data and legal and regulatory changes. Please check back frequently. You will be able to see changes have been made by the date it was last updated.
1. Who we are
Since 1915, the Blind Veterans UK Group has held to the belief that no-one who has served our country should battle blindness alone. That's why we're here to help with lifelong practical and emotional support for blind veterans, regardless of when they served or how they lost their sight. We help veterans recover their independence and discover a life beyond sight loss.
References to "Blind Veterans UK Group", "the charity", "our", "us" and "we" mean Blind Veterans UK registered charity 216227 in England and Wales and SCO39411 in Scotland.
This also includes: our wholly owned subsidiary charitable trading company, Four Seasons NWMC Housing Limited (registered company No. 01882050), managing our properties and tenants; Bravo Victor Limited (BV) (registered company No. 13144807), conducting Biomedical, Social & Welfare and Innovation research; and the St Dunstan’s Retirement Benefits Plan (1973). For the purposes of the pension scheme we are Joint Controllers with St Dunstan’s Retirement Benefits Plan (1973).
2. What personal data we collect and why
What we need to collect
For data to be considered ‘personal’ it must relate to you as an identified or identifiable individual. An individual can be identifiable either directly (your name, address, work email address etc.) or indirectly (job title, payroll number, location, business phone number). Where there is insufficient data to identify you as an individual from a group, that is not personal data. If your identifiable data is used but the use does not relate to you, that would also not be considered personal data. For example, where a work email refers to a work activity and uses staff names (identifiable data), the use of that identifiable data is not personal, because it relates to the work activity and not to the sender or receiver of the email. We need to process personal data about our current and former employees and pensioners to allow us to provide you with employment and pension services and support, to fulfil our contractual obligations and to comply with any legal responsibilities arising from employment and social welfare legislation.
While you are an applicant, an employee and subsequently a former staff pensioner, we will process personal data about you in order to set up and maintain your contract of employment, while also meeting our legal obligations and pursuing our legitimate interests as your employer, e.g. your performance management while you are employed by us. This also includes administering the payment of pensions under the St Dunstan’s Retirement Benefits Plan (1973). The minimum personal data necessary will include:
- Postal address, telephone/mobile number, email address.
- An employee's next of kin contact details in case of emergency.
- Date of Birth.
- (as recorded at birth for UK taxation purposes)
- Your national insurance number.
- Driving licence and/or passport details (where necessary, valid visa documentation for work entitlement purposes).
- Bank account details, salary, tax, pension status, pension entitlement and incurred expenses details.
- Learning, development and performance details.
- Your image, when captured on a CCTV system.
- Photographs and biographic details (where necessary), e.g. for a staff ID card.
- Profession and Job title.
- Confidential references
If, as an applicant or employee, your role will include care duties/functions and/or other direct engagement with our members, it is necessary for us to complete a Criminal Records Check (Disclosure and Barring Service or Disclosure Scotland) to assist us with the making of safer employee recruitment decisions. The processing of this criminal records data for this purpose is permissible under part 3 of Schedule 1 of the DPA 2018. In addition to the above personal data the following may also be processed.
- DBS / DS Reference number, type of disclosure, date of issue. (see section 6)
- Place of birth.
Evidence of your nationality and identity will need to be validated by inspection of a range of your personal documents. Examples include a driving licence, a marriage or civil partnership certificate, a passport and official letters (as evidence of address). Copies of these documents for this purpose will not be retained.
We will be very clear with you when we wish to collect such personal data. We will provide our reason for collecting it and we will only do so when we have a lawful basis for processing the personal data we seek to collect.
Special Category data. UK data protection law and regulation recognises certain personal data, known as ‘special category’ data, as being particularly sensitive. This includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, certain biometric data, data concerning health or a person's sex life or sexual orientation. Sometimes we may need to collect or may indirectly obtain such data. For example:
- Health details (e.g. pre-existing health conditions, occupational health or ill health early retirement), where we need to make reasonable adjustments for your safe and productive employment or appropriate pension payments.
- Race or ethnic origin, for the purpose of, for example, equal opportunities monitoring or when confirming eligibility to work in the UK.
- You may reveal some of this personal or special category data if you share photos, contribute to our Review magazine, or use our website or social media channels.
Criminal Offence data. If as an applicant, employee and subsequently as a former staff pensioner your role will include face to face engagement with a Blind Veterans UK Group beneficiary, it is a legal requirement for us to complete a higher-level check known as an enhanced DBS Criminal Records Check from the Disclosure and Barring Service or Disclosure Scotland to assist us with the making of safer employee recruitment decisions. This is in addition to the above personal data. The processing of this criminal offence data for this purpose is permissible under DPA 2018, Schedule 1, Part 3 (see Section 6 for more details).
The accuracy of your personal data we hold is really important to us. If you need or wish to make an update or correction to any data we hold, you can do this yourself via CoreHR. If the data you wish to update or correct is not held on this platform or is not accessible please contact your Line Manager, an HR representative or the Payroll and Pension administration office using the contact details in Section 9 of this policy.
Why we need it
We need your personal data in order to perform functions such as:
- To comply with the law. To comply with the law as a data controller and employer there are data processing purposes which must be completed. These include but are not limited to company, charity, employment, social security, social welfare and data protection law. Personal data collected specifically for these purposes cannot be further processed for a secondary purpose without additional consultation.
- Manage your contract of employment. As part of the recruitment process and to confirm your security vetting, references and to administer other pre-contractual requirements. To administer your working hours, holidays and absences, pay, pension and tax. To administer benefits under the St Dunstan’s Retirement Benefits Plan (1973).
- Provide performance review, learning and development. To develop your skills and knowledge within your chosen profession and career path. To manage your job performance and to promote and improve employee effectiveness.
- Communicate with you. To communicate with you about employment and pension matters in an appropriate way and to provide you with specific services, updates, newsletters, feedback and information. To assist with technical problems related to our services.
- To improve our services and administration. To ensure the most efficient and appropriate use of the resources we have.
3. How we collect your personal data
We collect data about you in a variety of ways. We collect data you provide directly to us as well as data we collect indirectly from other sources, such as an employment referee or HMRC.
Direct from you
You will give us personal data directly yourself: during the recruitment process and subsequently when establishing and enabling your contract of employment; for personal development and training; for routine personal management purposes; if you use our websites or apps; sign up for an event; make a donation or communicate with us.
Indirectly from other sources
We may obtain your personal data indirectly when you give permission to others to share it or where it is publicly available:
- Third party organisations or individuals. We may obtain data from third parties if you have agreed they can share personal data with us or we can approach them. For example a recruitment agency, a referee, a professional body or qualifying organisation or the Disclosure and Barring Service. We will also obtain personal data about you from official sources as part of enabling your employment services, examples include HMRC for tax purposes or for paying appropriate pensions (St Dunstan’s Retirement Benefits Plan).
- Digital, Online and Social media. As with all companies, data is collected through use of our website and mobile apps. We may also collect details about what browser you are using, your IP address and what computer operating system you are using; this data will help us to improve the services we offer. Depending on your settings or the privacy policies for social media and messaging services like LinkedIn, Facebook or Twitter, you may permit organisations to access personal data from those accounts or services.
- Publicly available sources. Public information may include data from places such as Companies House, the electoral register and information that has been published in articles / newspapers / social media, e.g. LinkedIn for recruitment purposes. Another example is our use of the Post Office’s National Change of Address database, that allows us to keep elements of your personal information up to date.
4. The lawful basis for processing
UK data protection law requires us to have a lawful basis for processing your personal information. We may use different lawful bases for different purposes of use of your personal data. For example any data shared between us and HMRC will use the lawful basis of legal obligation. The lawful bases we use include:
- Where you have given consent to do so for notified purpose(s). This may include sending you marketing e-mails / texts / material that you have opted into, or providing you with a service or information that you have requested or require. Where we need your consent, it will be clearly identifiable as a request for your consent for a specific purpose.
- To comply with a legal obligation. We will process your personal data where UK legislation requires us to do so, or where we are required to do so by a court, regulatory authority, the police or the security services. Examples include: to comply with employment, social security or social protection law, such as Health and Safety, a criminal records check, pension regulations.
- In performance of a contract (or pre-contract). To fulfil the requirements of the contract of employment we are in the process of agreeing with you or have agreed with you. This will include during the recruitment process confirming your eligibility and suitability for employment through checks such as references, copies of qualification certificates, a DBS, evidence of your eligibility to work in the UK, confirmation of a valid driving licence; the tracking of work hours, leave and absences; administering pay and charity assets such as cars; compliance with policies and procedures and health and safety; occupational health assessment.
- Where we as a charity have a legitimate interest. We will make use of your personal information when there is a legitimate interest to do so. When we do so, we must ensure that we are not harming any of your interests or rights and we will only use your personal information in a manner that you would reasonably expect us to. For example, we need to administer your pension scheme; we need to be able to contact you for employment purposes; track our physical assets such as issued equipment and our non-physical assets using mobile information systems and data tracking; to understand any health issues (such as disability) to allow us to make reasonable adjustments for your employment under Equality law.
- Special category. Where we process ‘special category’ personal information (such as physical or mental health conditions) we will ensure we do so in accordance with a lawful basis under Art. 6 and the additional “exception” condition for processing special category data under Art. 9 of the UK-GDPR. An example is Art. 9(2)(b) where the law allows special category personal data to be processed for the purposes of “employment, social security and social protection law”.
- To protect the vital interests of yourself or another person. If we believe that the vital interests of you or a third party are at risk, we have a duty to protect an individual and this is a lawful basis permitting us to process personal data.
5. Protecting and sharing your personal data
How we protect your personal data.
We ensure that there are reasonable and appropriate technical and organisational controls in place to protect your personal data against unauthorised or unlawful processing and against accidental loss, corruption, destruction or damage. If we believe it is likely that processing will pose a risk of harm to individuals, we will complete a risk assessment process known as a DPIA to identify and minimise these risks. For example, our IT architecture is actively protected and routinely monitored. We have policies and procedures in place which staff and volunteers are expected to comply with and for which they receive training. A data back-up and recovery process to prevent permanent loss of personal data in the event of corruption, damage or accidental loss is in place across our IT network.
- Password security. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our IT systems and sites, you are responsible for keeping the password confidential. You agree not to share that password with anyone else. You will never be asked to provide it by any of our IT or support staff. If you are asked, decline and report the request.
You should be aware that the use of the Internet is not entirely secure and although we will do our best to protect your personal data we cannot guarantee the security or integrity of any personal data which is transferred from you or to you via the Internet. Any transmission is at your own risk.
Managing access and sharing of your personal data
We undertake reviews of who has access to the personal data we hold to ensure that your data is accessible only by necessary and appropriately trained staff and trusted third parties. We require all third parties that process personal data on our behalf to have appropriate technical and organisational measures in place to protect your data to the same standard that we apply ourselves. If we share your data with a third party or require you to directly share your personal data with a third party, your data will be secure to the best of our knowledge.
We treat all employment references, either received by us or provided to others by us, as confidential references. Confidentiality is applied to references because knowing the content will not be shared with the individual to which it refers or with a third party allows a referee to provide a candid reference. This is important to us as a charity, as we have a particular focus on safeguarding potentially vulnerable beneficiaries. Confidential references allow us to make good recruitment decisions and prevent applicants who may have a detrimental effect on our charitable activities and beneficiaries from joining us.
We may on occasions be compelled by law or agree to disclose your personal data to third parties. Examples include law enforcement agencies, solicitors acting in our interest, the UK courts, government bodies or national regulators. Where we are required to share personal data with non-governmental organisations or sector regulators such as The Charity Commission, the Information Commissioner’s Office, the Health and Safety Executive or the Care Quality Commission, we have limited control over how it is processed by these parties. We therefore recommend that you consult their own privacy policies.
Examples of when we will consider sharing your personal data voluntarily, without your consent but within the law include, where we believe a crime has been committed, to assist with the apprehension of an offender, to respond to an individual Right of Access Request (known as DSAR) or when required by company, charity and social welfare law.
We may in certain circumstances share your personal data without your consent for the purpose of fulfilling our safeguarding responsibilities. This doesn’t happen often, but we may share your personal data:
- If we believe there is a serious risk to the public, beneficiaries, our staff or to other professionals;
- To protect a vulnerable person, (child or adult) who we believe may be at risk, for example if they are frail, confused or cannot understand what is happening to them.
Occasions, other than by law, when we may share your data include:
- If you have agreed that we may do so.
- When we use external service providers to collect or process personal data on our behalf (a list of processors is included at the end of this policy).
- With our subsidiaries within the Blind Veterans UK Group.
- Where Blind Veterans UK is a party to a data sharing agreement between controllers for the benefit of the charity beneficiaries or where a wider social benefit exists.
- If we receive a complaint about any inappropriate content you have posted or transmitted to or from one of our sites, forums, social media pages or apps we may share your personal data with your internet provider or law enforcement agencies.
- To enforce or apply the terms of your contract or other agreements or if we believe that we need to protect the rights, property or personal safety of the Blind Veterans UK Group, our supporters, members, visitors or websites and for other lawful purposes.
- We may disclose aggregate statistics about our employees and pensioners to describe our charity to prospective supporters, partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics won’t include any personally identifying personal data without explicit consent.
- If we run an event in partnership with other named organisations your details may need to be shared. We will be very clear what will happen to your data when you register.
- If we merge with, or diversify, forming a separate/new organisation with its own legal identity, information including your personal data may be transferred to the new entity. (NB. If employees are transferred to the new entity, TUPE regulations apply)
We will never rent or sell your personal data. We will not share or swap it with other organisations for their own purposes or to make money out of your data without your consent.
Where we store your personal data
The personal data you provide to us, whether in paper or electronic format, will be stored securely and meet the requirements of this policy. Where we store your personal data may differ depending on the purpose for which we are processing it, as indicated above. Your personal data may be held within our Microsoft 365 Cloud Environment or within a number of bespoke databases or specialist applications. Your data may also be stored within a number of systems of trusted third party processors who process your personal data on our behalf. (Details of these can be found in the third party processors list at the end of this document.)
Cross Border Transfers of Personal Data
We may need to use the services of, or provide access and processing to, 3rd party providers and other organisations located outside of the UK. If this is required we will conduct an appropriate risk assessment and put into place appropriate “additional measures” to safeguard your personal data and your data rights. Examples of such measures include the use of Standard Contractual Clauses (SCC). Note, if the transfer is a one-off or is infrequent we may ask for your explicit consent to conduct the transfer.
The UK has recognised some countries and all of the EEA states as possessing data protection “adequacy” for the purposes of data transfers to these countries. The UK Government has decided no additional safeguards are needed to conduct data transfers to the EEA as these states have equivalent standards of data protection as the UK-GDPR 2020.
The EU has recognised the UK as possessing data protection “adequacy” for the purposes of transfers of EU subjects’ personal data into the UK. No additional safeguards are needed as the UK has an equivalent level of protection to that guaranteed under EU law (EU-GDPR 2016).
In cases when we use external websites provided by other organisations such as Twitter or Facebook, then we would ask you to consult their organisational privacy policies too.
6. Retaining and sharing your personal data
The law requires we hold your personal data for only as long as is necessary. This is to fulfil the purposes for which the data was collected and our legitimate interests or in order to comply with legal or regulatory rules and requirements.
At the Blind Veterans UK Group we manage the retention of personal data with the use of a Retention and Disposal Policy. The policy uses a 2-step process to determine how long we retain documents which may contain personal data. The criteria we use for this process are to identify the “Business Function” the document was used for, then to apply a “Purpose of Retention” (from the list below). Identifying the business function allows us to group similar documents together and assign corporate ownership to proactively manage data retention. Applying a retention purpose ensures we only retain personal data for a transparent period of time necessary to meet statutory, contractual or best practice requirements.
- Retained as Live data only: No retention
- Record(s) of Activity and/or a Process: 3 years
- Evidence or Compliance: 6 years
- Governance Purposes: 7 years
- Legal (Pensions, Property, Safeguarding): 12 years
- Permanent retention (subject to review): Life of charity
The Data Protection Act 2018 prohibits a data controller from processing and retaining (an individual’s) criminal offence data. However, an exception within part 3 of Schedule 1 of the DPA 2018 allows a controller to process criminal offence data for the specific purposes of volunteer and employee recruitment. At Blind Veterans UK we will only process criminal offence data within a requested DBS/DS report as “live data” during the recruitment process. Once the recruitment process has been completed, we will not retain a copy of the DBS/DS report or any of the criminal offence data from within the report. However, we will retain the following information as evidence of the completion of the DBS (note: this retained data is personal data, not criminal offence data):
- The date of issue of a disclosure
- The name of the subject
- The type of disclosure requested
- The position for which the disclosure was requested
- The unique reference number of the disclosure
- The details of the recruitment decision taken
While processing “Live” criminal offence data for this purpose, we will store this personal data separately and securely. It will not be kept with or on an applicant's personnel file. Access is strictly controlled and limited to only staff entitled to see it as part of their recruitment duties. DBS/DS content data will be securely destroyed after a period of six months (This allows for the resolution of any related disputes or complaints during the employment probationary period) ensuring the Live data is retained for only as long as is necessary.
When your employment with the Blind Veterans UK Group ends or is terminated, we will retain some basic personal data regarding your employment. This is to meet any legal or regulatory requirements or to protect our legitimate or legal interests. Examples include, for evidence purposes in the event of an employment dispute, confirmation of employment for referees, or to process any ongoing requirements such as your pension entitlement.
Where we have contracted with a 3rd party provider to process your personal data on our behalf these organisations will also retain some basic personal data in order to meet their own legal requirements. For example, records of financial transactions. This data will only be retained for as long as is necessary but you may want to consult their privacy policies too.
The Blind Veterans UK Group’s recruitment provider (CoreHR) makes use of a recruitment “account” to manage the application process on our behalf. Personal data collected in this account is set to automatically anonymise after a period of 12 months. Recruitment accounts linked to successful applicants will be used for our new employee on-boarding purposes and deleted when the employment probation period is completed. An account holder (applicant or potential applicant) can make a request to the Blind Veterans UK Group or to CoreHR directly to deactivate a recruitment account and have any held personal data deleted. Dormant recruitment accounts not in use will be deleted on a twelve month cycle.
CoreHR is the Blind Veterans UK Group’s HR, payroll (and recruitment) platform. CoreHR maintains a transactional backup archive of the HR and payroll system. This is for the purposes of data recovery in the event of data corruption or data loss. The archive will include staff personal data which is refreshed on a daily cycle to keep it up to date. The back-up data is retained for a period of sixty-nine days. If your employment ends or is terminated, your personal data will remain within this archive until the next scheduled refresh date, after which it will be deleted. This is a CoreHR managed archive; Blind Veterans UK Group’s staff do not have access to this back-up data. Access restrictions are in place to allow only CoreHR technical staff to process this personal data for the specific purpose of managing a data recovery requirement if it became necessary to do so.
7. Your details on the internet and website
Like most organisations, our website and apps use “cookies” and other tracking software to help us make our site and the way you use it better and more relevant to you. We will not be able to personally identify you from the data gathered but it may help us improve our online services.
- Cookies mean that a website will remember you. They’re small text files that are transferred to your computer (or phone or tablet). They make interacting with a website faster and easier, for example by automatically filling your name and address in text fields. Please read our cookies policy for more information. You can change your cookie preferences whenever you wish.
- When visiting our website or apps we may collect data about the type of device you’re using to access them and the settings on that device. This might also include the IP address and your operating system and certain device settings as well as diagnostic
8. What are your rights?
The UK’s data protection legislation includes the UK-General Data Protection Regulations 2020 (UK-GDPR) and the Data Protection Act 2018; these two authorities are to be jointly considered as the authority of UK data protection law. This UK legislation gives everyone a number of very important rights. In abbreviated form these are:
- The right of access. Request confirmation of processing and to be provided with copies of personal data we hold about you.
- The right of rectification. Update or amend the information we hold about you if it is incomplete or inaccurate.
- The right to erase or ‘right to be forgotten’. Ask us to remove your personal data from our records where there is no compelling reason for its continued processing, subject to a number of conditions.
- The right to restrict processing. Ask us to suppress the processing of your data, subject to a number of conditions.
- The right to data portability. Obtain and reuse your personal data for your own purposes, subject to a number of conditions.
- The right to object. Object to the processing of your data for certain purposes (such as marketing, research, statistics or our legitimate interests).
- Rights in relation to automated decision making and profiling.
If you would like to know more about your rights under the data protection law see the Information Commissioner’s Office (ICO) website which also explains how to contact them.
Remember, you can exercise your rights in relation to your personal data at any time by contacting your Line Manager, an HR representative or through the contact details set out in the ‘How to contact us’ section of this policy.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law and your rights, you can complain directly to the Information Commissioner’s Office.
9. How to contact us
Write to us
C/O HR department
Blind Veterans UK
3 Queen Square
via on-line directory
via on-line directory
St Dunstan’s Retirement Benefits Plan (1973) (deferred or current pensions)
Write to us
C/O Payroll & Pension Administration Office, The Blind Veterans UK Group (St Dunstan’s Retirement Benefits Plan (1973), The Blind Veterans UK Group, Greenways, Ovingdean, Brighton, BN2 7BS
If you wish to enquire further about how your personal data is processed, wish to make an individual rights request, ask for information to be provided, or to raise a data protection related complaint, please contact our Data Protection Officer.
Write to us
Data Protection Officer
Blind Veterans UK
3 Queen Square
020 4534 1127 (direct dial)
Appendix 1: List of data Processors
Supertemps recruitment | Provide recruitment services | Privacy Notice: supertemps
Assa Abloy | Security door system | Privacy Notice: ASSA ABLOY
Office 365/Azure | Online Business software | Privacy Statement: Microsoft
St Dunstan’s Retirement Benefits Plan (1973) | Closed Final Salary pension plan | Refer to Blind Veterans UK’s DPO
Blue Lemon (Health & Safety Ltd) | Risk Assessment Provision | Details of processing added into their DP policy
MSi Security | CCTV | Plexus Security Group
Consortio Security | CCTV | Data Protection Policy: Consortio Security