{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Data Protection (GDPR) Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} processes personal data lawfully, fairly, securely and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and, where applicable, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). This policy explains how personal data is collected, used, shared, retained, secured and deleted, and how {{org_field_name}} meets its accountability obligations as a temporary staffing agency operating in England.
2. Scope
This policy applies to all personal data processed by {{org_field_name}} in connection with its recruitment and temporary staffing activities, including personal data relating to candidates, temporary workers, employees, contractors, referees, emergency contacts, client and hirer contacts, suppliers, website users and any other individuals whose personal data we process. It applies to all staff, workers and third parties who process personal data on behalf of {{org_field_name}}.
3. Key Data Protection Principles
{{org_field_name}} adheres to the following data protection principles:
- Lawfulness, Fairness, and Transparency: Data is processed legally, fairly, and transparently.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not processed further in a manner incompatible with those purposes.
- Data Minimisation: Data collected is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- Accuracy: Data is accurate and, where necessary, kept up to date; inaccurate data is corrected or erased without undue delay.
- Storage Limitation: Data is kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which it is processed.
- Integrity and Confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
- Accountability: {{org_field_name}} is responsible for, and must be able to demonstrate, compliance with data protection law. This includes maintaining appropriate policies, privacy information, contracts, records of processing activities, retention schedules, security measures, staff training and, where required, data protection impact assessments.
4. Personal Data We Process
We collect and process personal data relevant to recruitment, onboarding, placement, payroll, compliance and business administration. This may include:
- identification and contact details, such as name, address, date of birth, telephone number and email address;
- recruitment and work-related information, such as CVs, employment history, qualifications, registrations, training records, references, availability, assignments, timesheets and performance-related information;
- right to work and identity-check information, including copies of identification documents and immigration status documents where required by law;
- payroll and financial information, including bank details, tax information and payment records;
- health information and other special category data where necessary and lawful, for example information relevant to fitness to work, workplace adjustments, sickness records, occupational health or equality monitoring;
- criminal offence data where lawful and necessary, including DBS status, criminal record certificate information, barred list checks where legally permitted, and safeguarding declarations;
- client and hirer contact details and assignment information;
- supplier and contractor information; and
- website and systems usage information, including cookies, IP addresses and other online identifiers.
We do not provide regulated care services and do not process service user care records as a care provider. Where client organisations share limited information necessary for safe placement, induction, site access, safeguarding or health and safety purposes, {{org_field_name}} will process only the minimum personal data necessary for those specific purposes.
5. Legal Basis for Processing Data
{{org_field_name}} will identify and document an appropriate lawful basis under Article 6 UK GDPR for each category of personal data it processes. Depending on the circumstances, this may include:
- taking steps at the request of the data subject prior to entering into a contract;
- performance of a contract;
- compliance with a legal obligation;
- protection of vital interests;
- legitimate interests pursued by {{org_field_name}} or a third party, where those interests are not overridden by the individual’s rights and freedoms; and
- consent, where consent is genuinely appropriate and can be freely given.
Where {{org_field_name}} processes special category data, it will also identify and document a separate condition under Article 9 UK GDPR and, where required, any relevant condition in Schedule 1 to the Data Protection Act 2018.
Where {{org_field_name}} processes criminal offence data, including DBS and safeguarding-related information, it will do so only where lawful and necessary, in accordance with Article 10 UK GDPR, the Data Protection Act 2018, and any applicable safeguarding or employment law requirements.
{{org_field_name}} will not rely on consent where another more appropriate lawful basis applies, particularly in the context of employment or recruitment relationships where consent may not be freely given.
6. Individual Rights
Under UK GDPR, individuals have the following rights:
- Right to be Informed – About how data is processed
- Right of Access – To request a copy of personal data
- Right to Rectification – To correct inaccurate or incomplete data
- Right to Erasure – To request deletion of personal data
- Right to Restrict Processing – To limit how data is processed
- Right to Data Portability – To receive personal data they have provided to us in a structured, commonly used and machine-readable format and to have it transmitted to another controller, where the processing is based on consent or contract and carried out by automated means
- Right to Object – To object to processing, including processing based on legitimate interests and any processing for direct marketing purposes
- Rights related to Automated Decision-Making and Profiling – Safeguards in relation to decisions based solely on automated processing that have legal or similarly significant effects on the individual
{{org_field_name}} will have procedures in place to recognise and respond to data subject rights requests without undue delay and, in most cases, within one month of receipt. Where a request is complex or an individual has made a number of requests, this period may be extended by up to two further months; the requester will be told of any extension, and the reasons for it, within one month of receipt. Rights are not absolute and may be subject to legal exemptions or restrictions. Where {{org_field_name}} lawfully refuses a request, restricts a response, or requires additional information to confirm identity or clarify scope, it will explain its reasons to the requester and inform them of their right to complain to the ICO.
7. Data Security Measures
{{org_field_name}} will implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures may include, as appropriate:
- role-based access controls and least-privilege access;
- password controls, multi-factor authentication and secure user account management;
- encryption and secure transmission of personal data where appropriate;
- secure storage of paper and electronic records;
- confidential handling of health, DBS and other sensitive information;
- secure disposal and deletion procedures;
- device, email and remote-working security controls;
- staff training, confidentiality obligations and incident reporting procedures; and
- periodic review and testing of security measures.
8. Data Breach Management
Any actual, suspected or attempted personal data breach must be reported immediately to the person or function responsible for data protection compliance, in accordance with {{org_field_name}}’s incident reporting procedure.
All personal data breaches must be assessed promptly to determine:
- the nature of the breach;
- the categories and volume of personal data affected;
- the likely consequences for individuals; and
- the remedial action required.
{{org_field_name}} will maintain a record of all personal data breaches, whether or not they are reported to the ICO, documenting the facts relating to each breach, its effects and the remedial action taken.
Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, {{org_field_name}} will report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; if notification is made later than 72 hours, the reasons for the delay will be recorded and provided to the ICO. Where a breach is likely to result in a high risk to individuals, affected individuals will also be informed without undue delay, unless a lawful exception applies.
9. Third-Party Data Processors and Data Sharing
Where {{org_field_name}} engages third parties to process personal data on its behalf, it will carry out appropriate due diligence and ensure that a written contract is in place containing the mandatory terms required by data protection law. {{org_field_name}} will ensure that processors:
- process personal data only on documented instructions;
- keep personal data confidential and secure;
- implement appropriate technical and organisational measures;
- assist {{org_field_name}} with data subject rights, breach management and compliance obligations where required;
- do not appoint sub-processors without appropriate authorisation and controls; and
- return or securely delete personal data at the end of the service, unless retention is required by law.
Where personal data is shared with clients, hirers, payroll providers, IT providers, umbrella companies, legal advisers or other third parties, {{org_field_name}} will ensure the sharing is lawful, necessary, proportionate and appropriately documented.
10. Data Retention and Disposal
{{org_field_name}} will not keep personal data for longer than is necessary for the purposes for which it is processed. Retention periods will be determined by reference to legal, regulatory, contractual and business requirements, and will be documented in a retention schedule covering the main categories of personal data processed by the organisation.
At the end of the relevant retention period, personal data will be securely deleted, destroyed, anonymised or archived in accordance with applicable legal requirements and internal procedures. Secure disposal methods will be used for both paper and electronic records.
11. Roles and Responsibilities
The Board / Directors / Senior Management are responsible for ensuring that {{org_field_name}} has appropriate governance, resources and oversight arrangements in place for data protection compliance.
The Responsible Person / Privacy Lead is responsible for overseeing day-to-day data protection compliance, maintaining this policy, coordinating responses to rights requests and breaches, supporting staff training, and monitoring changes in the law.
All employees, workers and contractors must:
- process personal data only for authorised purposes;
- follow this policy and related procedures;
- protect the confidentiality and security of personal data; and
- report data protection concerns, incidents and breaches immediately.
Where {{org_field_name}} is legally required to appoint a Data Protection Officer, it will do so and will ensure that the DPO performs the statutory functions required by UK GDPR.
12. Special Category Data and Criminal Offence Data
{{org_field_name}} recognises that certain personal data requires additional protection. This includes special category data, namely information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to uniquely identify an individual, health information, and information about sex life or sexual orientation, as well as criminal offence data, including criminal record certificate information and safeguarding checks.
Such data will be processed only where strictly necessary, proportionate, and legally permitted. Before processing these categories of data, {{org_field_name}} will identify and document:
- an appropriate lawful basis under Article 6 UK GDPR;
- an appropriate condition under Article 9 UK GDPR for special category data, where applicable; and
- an appropriate basis under Article 10 UK GDPR and Schedule 1 to the Data Protection Act 2018 for criminal offence data, where applicable.
Access to this information will be restricted to authorised personnel with a genuine need to know. Such data will be handled confidentially, retained only for as long as necessary, and secured using enhanced safeguards.
13. Privacy Notices and Transparency
{{org_field_name}} will provide clear and accessible privacy information to individuals whose personal data it processes, including candidates, workers, employees, client contacts, suppliers and website users, as appropriate. Privacy notices will explain, among other things, what personal data is collected, the purposes of processing, the lawful bases relied upon, who data is shared with, retention periods, international transfers where relevant, individual rights, and how to contact {{org_field_name}} about data protection matters.
14. Records of Processing Activities
{{org_field_name}} will maintain appropriate records of its processing activities in accordance with Article 30 UK GDPR and its accountability obligations. These records will include, where applicable, the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention information, security measures, and whether {{org_field_name}} is acting as controller, joint controller or processor in relation to the processing.
15. Data Protection Impact Assessments (DPIAs)
Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, {{org_field_name}} will carry out a Data Protection Impact Assessment before the processing begins. DPIAs will be used to identify, assess and minimise privacy risks and will be reviewed where the nature, scope, context or purposes of the processing materially change. Where a DPIA indicates a high residual risk that cannot be adequately mitigated, {{org_field_name}} will consult the ICO before starting the processing.
16. International Transfers
{{org_field_name}} will identify whether any personal data it processes is transferred outside the UK to a separate controller or processor. Where such a restricted transfer takes place, {{org_field_name}} will ensure that the transfer is made in compliance with UK GDPR, including by relying on adequacy regulations or, where required, another valid transfer mechanism with appropriate safeguards, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment where one is needed. International transfers will be documented and reflected in relevant privacy notices and contracts.
17. Cookies, Website Technologies and PECR
Where {{org_field_name}} uses cookies or similar technologies on its website or electronic services, it will do so in compliance with PECR and data protection law. {{org_field_name}} will provide clear and comprehensive information about such technologies and, where required, obtain valid consent before placing non-essential cookies or similar technologies on a user’s device.
18. Data Protection Complaints
{{org_field_name}} will maintain a process for receiving, investigating and responding to data protection complaints. Individuals will be able to raise concerns directly with {{org_field_name}} and those concerns will be handled fairly and within a reasonable timeframe. {{org_field_name}} will keep this process under review to ensure compliance with the relevant requirements coming into force under the Data (Use and Access) Act 2025, including the complaints-handling requirements due to commence on 19 June 2026.
19. Related Policies
- Confidentiality Policy
- IT Security Policy
- Employee Handbook
- Privacy Notices
20. Policy Review
This policy will be reviewed at least annually and sooner if there is a change in legislation, regulatory guidance, ICO expectations, business operations, technology, or the nature of personal data processed by {{org_field_name}}.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.