Data Protection Policy
May 2025
What this policy covers
Rebooted is committed to being transparent about how it collects and uses the personal data of its trustees, employees and volunteers, and to meeting its data protection obligations. This policy sets out the organisation’s commitment to data protection, and individual rights and obligations in relation to personal data.
Scope of this policy
This policy applies to the personal data of job applicants, employees, trustees, volunteers, and former employees, referred to as HR-related personal data. This policy does not apply to any other personal data processed for operational purposes.
We reserve the right to alter any of its terms at any time although we will notify you in writing of any changes.
Data Protection Officer
Rebooted has appointed Ian Sparks as the Data Protection Officer (DPO), the person with responsibility for data protection compliance within the organisation.
Definitions
Personal Data
- Personal data is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
Special Categories of personal data
- Special categories of personal data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
Criminal Records Data
- Criminal records data means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.
Data Protection Principles
The organisation processes HR-related personal data in accordance with the following data protection principles:
- The organisation processes personal data lawfully, fairly and in a transparent manner
- The organisation collects personal data only for specified, explicit and legitimate purposes
- The organisation processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
- The organisation keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay
- The organisation keeps personal data only for the period necessary for processing
- The organisation adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage
We commit to informing individuals of the reasons for processing their personal data, explaining how we will use such data and the legal basis for processing it in our Employee Privacy Notice. We will not process personal data of individuals for other reasons. If the organisation wants to start processing HR-related data for other reasons, individuals will be informed of this before any processing begins.
HR-related data will not be shared with third parties, except as set out in privacy notices. Where the organisation relies on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
Where the organisation processes special categories of personal data or criminal records data to perform obligations, to exercise rights in employment law, or for reasons of substantial public interest, this is done in accordance with our policy on processing special categories of data and criminal records data.
Rebooted will update HR-related personal data promptly if an individual advises that their information has changed or is inaccurate.
Personal data gathered during the employment, worker, contractor or volunteer relationship, or apprenticeship or internship is held in the individual's personnel file (in hard copy or electronic format, or both), and on the organisation's drives. The periods for which the organisation holds HR-related personal data are contained in its privacy notices to individuals.
The organisation keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR).
Individual Rights
As a data subject, individuals have a number of rights in relation to their personal data.
Subject access requests
- Individuals have the right to make a subject access request. If an individual makes a subject access request, the organisation will tell them:
  - whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual
  - to whom their data is or may be disclosed, including to recipients located outside the UK and the safeguards that apply to such transfers
  - for how long their personal data is stored (or how that period is decided)
  - their rights to rectification or erasure of data, or to restrict or object to processing
  - their right to complain to the Information Commissioner if they think the organisation has failed to comply with their data protection rights
  - whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making
The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.
If the individual wants additional copies, the organisation will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.
To make a subject access request, the individual should send the request to ian.sparks@rebooted.me using the form available on the organisation's resource drive. In some cases, the organisation may need to ask for proof of identification before the request can be processed. If this is the case, we will inform the individual that we need to verify their identity and which documents we require to do so.
The organisation will normally respond to a request within a period of one month from the date it is received. However, in some cases where the request is complex, it may take up to three months from the date of receipt before a response can be made. Under these circumstances we will inform the individual in writing of this delay within one month of the original request being received.
If a subject access request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. Alternatively, we may agree to respond but will charge a fee based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded if it is made with the intention of harassing the organisation or causing disruption, or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, we will notify them that this is the case and whether or not we intend to respond to it.
Other Rights
Individuals have a number of other rights in relation to their personal data. They can require the organisation to:
- rectify inaccurate data
- stop processing or erase data that is no longer necessary for the purposes of processing
- stop processing or erase data if the individual's interests override the organisation's legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data)
- stop processing or erase data if processing is unlawful
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override the organisation's legitimate grounds for processing data
To ask the organisation to take any of these steps, the individual should send the request to ian.sparks@rebooted.me.
Data Security
Rebooted takes the security of HR-related personal data seriously. Internal policies and controls are in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where third parties are engaged to process personal data on our behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Responsibilities
Overall responsibility for ensuring that the organisation complies with its data protection obligations rests with the DPO.
It is the responsibility of all employees to ensure that personal information provided to the organisation (for example, current address) is accurate and up to date. To this end, employees are required to inform the organisation immediately when changes occur.
Employees whose role involves the collection, maintenance and processing of personal information about other employees, customers, or any other individuals with whom the organisation has dealings are responsible for following the organisation's rules on good data protection practice as notified from time to time by management.
Information about employees
Rebooted holds personal information about its employees, trustees and volunteers (such as name, address, salary etc.) for payroll and administrative purposes. Sensitive personal information (such as racial or ethnic origins, physical or mental health or condition) may also be collected for the purposes of equal opportunities or health and safety monitoring.
Individual responsibilities
In the course of your duties you may have access to the personal data of other employees (and of our customers and clients) in the course of their employment or association with the organisation. Where this is the case, we rely on you to help meet our data protection obligations to staff (and to customers and clients as appropriate).
If you have access to personal data you are required:
- to access only data that you have authority to access and only for authorised purposes
- not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation
- to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction)
- not to remove personal data, or devices containing or that can be used to access personal data, from the organisation's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device
- not to store personal data on local drives or on personal devices that are used for work purposes
- to immediately report data breaches to the data protection officer
Special Category Personal Data and Criminal Records Data Policy
Purpose
Under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, additional protections for job applicants, employees and other data subjects apply if an employer is processing "special categories" of personal data and criminal records data.
One of these protections is a requirement to have an appropriate policy document in place. This policy sets out Rebooted's approach to processing special category personal data and criminal records data.
Definitions
Special Categories of personal data
- Special categories of personal data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
Criminal Records Data
- Criminal records data means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.
Why Rebooted processes special category personal data and criminal records data
The organisation processes special category personal data and criminal records data for the following purposes.
Equal opportunities monitoring
Data related to racial and ethnic origin, religious and philosophical beliefs, health (including information on whether or not an individual has a disability) and sexual orientation are processed for equal opportunities monitoring purposes.
Health
Data related to health (including information on whether or not an individual has a disability) is processed to:
- ensure that the organisation is complying with its health and safety obligations
- assess whether or not an employee is fit for work
- carry out appropriate capability procedures if an employee is not fit for work
- ensure that an employee receives sick pay or other benefits to which they may be entitled
- allow the organisation to comply with its duties under the Equality Act 2010 for individuals with a disability
Racial or ethnic origin
Data related to data subjects' nationality is processed to ensure that the organisation is complying with its obligations to check that they are entitled to work in the UK.
Criminal records data
Criminal records data is processed as part of recruitment processes and, where necessary, in the course of employment to verify that candidates are suitable for employment or continued employment and to comply with legal and regulatory obligations to which the organisation is subject.
Compliance with data protection principles
Rebooted processes HR-related special category personal data and criminal records data in accordance with the following data protection principles.
(1) The organisation processes personal data lawfully, fairly and in a transparent manner and for specified, explicit and legitimate purposes.
Employers can process special category personal data only if they have a legal basis for processing it. One of the specific processing conditions relating to special category personal data or criminal records data must also apply.
The organisation processes special category personal data and criminal records data for the purposes outlined above and in compliance with the following legal conditions for processing.
| Type of data | Legal basis for processing | Special category personal data/criminal records data processing condition under sch.1 of the Data Protection Act 2018 |
| --- | --- | --- |
| Equal opportunities data | Processing is in Rebooted's legitimate interests. These interests are not outweighed by the interests of data subjects. | Processing is necessary for monitoring equality of opportunity or treatment, as permitted by the Data Protection Act 2018 (under para.8 of sch.1). |
| Health data | Processing is necessary for compliance with legal obligations (e.g. assessing an employee's fitness for work, complying with health and safety obligations, carrying out capability procedures and complying with Equality Act 2010 duties). Processing is necessary for the performance of a contract and/or complying with legal obligations (e.g. administering sick pay and other benefits). | Processing is necessary for the purposes of performing or exercising obligations or rights imposed by law in connection with employment (under para.1 of sch.1). Processing is necessary for the purposes of performing or exercising obligations or rights imposed by law in connection with employment (under para.1 of sch.1). |
| Racial or ethnic origin data | Processing is necessary for compliance with legal obligations (e.g. checking job applicants' and employees' right to work in the UK). | Processing is necessary for the purposes of performing or exercising obligations or rights imposed by law in connection with employment (under para.1 of sch.1). |
| Criminal records data | Processing is necessary for compliance with legal obligations (i.e. Rebooted's legal requirement to carry out criminal records checks). | Processing is necessary for the purposes of performing or exercising obligations or rights imposed by law in connection with employment (under para.1 of sch.1). |
Rebooted explains to data subjects how special category personal data and criminal records data is used when we collect the data. This information is set out in Rebooted’s privacy notices.
The organisation does not use the data for any other purpose. The organisation will not do anything unlawful with personal data.
(2) Rebooted processes personal data only where the data is adequate, relevant and limited to what is necessary for the purposes of processing.
The organisation collects and retains the minimum amount of information necessary to allow it to achieve the purposes outlined above.
The relevant information as to how special category personal data and criminal records data is used is included in privacy notices. Data is not used for any other purpose.
As far as possible, information required for equal opportunities monitoring purposes is kept in an anonymised form. Monitoring forms are kept under review to ensure that the information collected is accurate and not excessive.
As far as possible, the organisation relies on health questionnaires, rather than medical testing, to obtain necessary information. Any medical testing that is carried out is relevant to the purpose for which it is undertaken.
Criminal records checks are carried out only for individuals undertaking roles where the organisation is under a legal obligation or regulatory requirement to perform such checks.
All data is reviewed periodically and unnecessary data is deleted.
(3) Rebooted keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
The organisation takes reasonable steps to ensure that the personal data that it holds is accurate. Special category personal data and criminal records data is obtained:
- directly from job applicants, employees and other data subjects
- from external sources that the organisation is entitled to assume will provide accurate information, such as the Disclosure and Barring Service in the case of criminal records data, or medical professionals in the case of health data
The organisation keeps a record of the source of all data it collects and data is reviewed periodically and checked for accuracy. Appropriate records are kept of amendments to data.
The organisation will erase or rectify inaccurate data that it holds without delay in accordance with our data protection policy if an individual notifies it that their personal data has changed or is otherwise inaccurate, or if it is otherwise found to be inaccurate. Individuals are reminded to review their data on a regular basis to ensure that it remains up to date.
(4) Rebooted keeps personal data only for the period necessary for processing.
Rebooted retains and processes special category personal data for the duration of an individual's employment. The periods for which special category personal data is retained after the end of employment are as follows:
- Equal opportunities data is kept for a period of six months, after which data is anonymised so that individuals can no longer be identified.
- Racial or ethnic origin data is kept for a period of three years.
- Health data is normally kept for a period of seven years unless statutory requirements mean that the organisation must keep records for longer than that.
- Criminal Records details are not retained after the commencement of employment, although a note is retained on the individual HR files indicating that a satisfactory criminal records check was completed prior to the commencement of employment and at necessary intervals. The note will be deleted at the end of the employment.
At the end of the relevant retention period, the organisation erases or securely destroys special category personal data and criminal records data.
(5) Rebooted adopts appropriate measures to make sure that personal data is secure and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
Rebooted takes the security of special category personal data and criminal records data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. The organisation has analysed the risk presented by processing special category personal data and criminal records data and taken this into account in assessing appropriate security requirements.
Accountability
Rebooted has put appropriate technical and organisational measures in place to meet accountability requirements. These include:
- appointing a data protection officer who reports directly
- maintaining appropriate documentation of processing activities, in particular a register of HR-related personal data, including special category personal data and criminal records data
- adopting and implementing a data protection policy covering HR-related data, which is regularly reviewed
Review and retention of policy and provision to Information Commissioner
This policy on processing special category personal data and criminal records data is reviewed annually and, if necessary, amended to ensure that it remains up to date and accurately reflects Rebooted's approach to processing such data.
This policy will be retained by the organisation while special category personal data and criminal records data is being processed and for a period of at least six months after the organisation stops carrying out such processing.
A copy of this policy will be provided on request and free of charge to the Information Commissioner.
Questions
If you have any queries regarding this policy, please reach out to management or the trustees.