Leightons Group Staff Privacy Notice

Updated December 2021

As an employer Leightons Holdings and all Leightons Companies must meet its contractual, statutory, and administrative obligations. We are committed to ensuring that the personal data of our applicants, employees and ex-employees is handled in accordance with the principles set out in the Leightons Group Data Management Policy.

This privacy notice tells you what to expect when a Leightons’ Company collects personal information about you. It applies to all employees, ex-employees, and those in a recruitment process with us. However, the information we will process about you will vary depending on your specific role and personal circumstances.

The Leightons’ Group Company is the data controller for this information unless this notice specifically states otherwise. Our Data Protection Officer is Clinical DPO, their contact details are [email protected], or by telephone on 0203 411 2848.

This notice should be read in conjunction with our Public Privacy notice on our website (https://www.leightons.co.uk/privacy-cookies) and our other corporate policies and procedures. When appropriate we will provide an update to cover any additional processing activities not mentioned in this document.

How do we get your information?

We get information about you from the following sources:

  • Directly from you.
  • From an employment agency.
  • From referees, either external or internal.
  • From Occupational Health, your GP and other health providers.
  • From Pension administrators and other government departments, for example tax details from HMRC.
  • CCTV images taken using our own CCTV systems
  • Relevant Professional Bodies
  • Processing of DBS Checks

What personal data we process and why?

We process the following categories of personal data:

Information related to your application and employment

We use the following information for recruitment purposes, to carry out the contract we have with you, provide you access to business services required for your role, reach out to emergency contact if required and manage our human resources, expenses and payroll processes.

  • Personal contact details such as your name, address, contact telephone numbers (landline and mobile) and personal email addresses.
  • Your date of birth, gender and National Insurance number.
  • A copy of your passport or similar photographic identification, work permit and / or proof of address documents.
  • A copy of your driving licence if you have a company car
  • Marital status.
  • Next of kin, emergency contacts and their contact information.
  • Employment and education history including your qualifications, job application, employment references, right to work information and details of any criminal convictions that you declare.
  • Location of employment (e.g. Branch or Clarendon House).
  • Details of any secondary employment, political declarations, conflict of interest declarations or gift declarations.
  • Your responses to staff surveys if this data is not anonymised.

Information related to your salary, pension and other benefits

We process this information for the payment of your salary, pension and other employment related benefits. We also process it for the administration of statutory and contractual leave entitlements such as holiday or maternity leave.

  • Information about your job role and your employment contract including your start and leave dates, salary (including grade and salary band), any changes to your employment contract, working pattern (including any requests for flexible working).
  • Details of your time spent working and any overtime, expenses or other payments claimed,
  • Details of any leave including sick leave, holidays, parental leave, special leave etc.
  • Pension details including membership of occupational pension schemes
  • Your bank account details, payroll records and tax status information.
  • Details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay. This includes forms applying for the relevant leave, copies of MATB1 forms/matching certificates and any other relevant documentation relating to the nature of the leave you will be taking.

Information relating to your performance and training

We use this information to assess your performance, to conduct pay and grading reviews and ensure acceptable performance and conduct to deal with any employer / employee related disputes. We also use it to meet the training and development needs required for your role.

  • Information relating to your performance at work e.g. probation reviews, Performance Development Reviews, promotions.
  • Grievance and dignity at work matters and investigations to which you may be a party or witness.
  • Disciplinary records and documentation related to any investigations, hearings and warnings/penalties issued.
  • Whistleblowing concerns raised by you, or to which you may be a party or witness.
  • Information related to your training history and development needs.

Information relating to monitoring

We use this information to assess your compliance with corporate policies and procedures and to ensure the security of our premises, IT systems and employees.

  • Information derived from monitoring IT acceptable use standards.
  • Photos and CCTV images.

Information relating to your health and wellbeing and other special category data

We use the following information to comply with our legal obligations and for equal opportunities monitoring. We also use it to ensure the health, safety and wellbeing of our applicants and employees.

  • Health and wellbeing information either declared by you or obtained from health checks, eye examinations, occupational health referrals and reports, sick leave forms, health management questionnaires or fit notes i.e., Statement of Fitness for Work from your GP or hospital.
  • Accident records if you have an accident at work.
  • Details of any risk assessments, workplace and area audits, access needs or reasonable adjustments.
  • Information you have provided regarding Protected Characteristics as defined by the Equality Act and s.75 of the Northern Ireland Act for the purpose of equal opportunities monitoring. This includes racial or ethnic origin, religious beliefs, disability status, and gender identification and may be extended to include other protected characteristics.

Lawful basis for processing your personal data

Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the GDPR:

  • Article 6(1)(b) which relates to processing necessary data for moving an application forward and the performance of a contract.
  • Article 6(1)(c) so we can comply with our legal obligations as your employer.
  • Article 6(1)(d) in order to protect your vital interests or those of another person.
  • Article 6(1)(e) for the performance of our public task.
  • Article 6(1)(f) for the purposes of our legitimate interest before during and after employment

Special category data

Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:

  • Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.
  • Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent.
  • Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.
  • Article 9(2)(f) for the establishment, exercise or defence of legal claims.
  • Article 9(2)(j) for archiving purposes in the public interest.

In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the DPA 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee. Our Data Management Policy provides further information about this processing.

Criminal convictions and offences

We process information about staff criminal convictions and offences. The lawful basis we rely on to process this data are:

  • Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 6(2)(a).
  • Article 6(1)(b) for the performance of a contract. In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1.

Our Data Management Policy provides further information about this processing.

How long we keep your personal data?

For information about how long we hold your person data, please see our retention schedule.

In the case of applicants, if your application is not successful, we will keep your personal information for 12 months from the date of application. This is to ensure that, where possible, we can re-engage with you should alternative suitable roles or opportunities arise and to assist us to resolve any issues or queries about the recruitment process which may arise. Unless you are successful, or consent to the extension of our retention of your information, all personal information which is held about you will be deleted or destroyed, at the end of the 12 months and no record of your application will be held by us after then. See our retention schedule for further information.

Your rights in relation to this data processing

As an individual you have certain rights regarding our processing of your personal data, you can:

  • access and obtain a copy of your data on request;
  • require the organisation to change incorrect or incomplete data;
  • require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing; and
  • ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing data.

If you would like to exercise any of these rights, or have any questions, in the first instance please contact our Data Protection Officer Clinical DPO, their contact details are [email protected], or by telephone on 0203 411 2848.

If your questions are not answered, or you believe the Leightons Group has not complied with your data protection right you can contact The Information Commissioner, The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Web: https://ico.org.uk. Tel Number 0303 123 1113.

Personnel files

Physical and electronic records are held for each member of staff. Data is held securely on Leightons’ digital systems and at Clarendon House. Any data held securely with our off-site storage contractor is subject to the principles of data protection.

You can request your personnel file by emailing the HR team or by submitting an access request to Our Data Protection Officer is Clinical DPO, their contact details are [email protected], or by telephone on 0203 411 2848. You will not be able to take away your physical file. Your request will be handled outside the case management area with restricted access. We will consult internally with members of staff who might hold personal data about you.

Who has access to data?

Your information will be shared internally, including with members of the HR, Payroll and recruitment teams, your line manager, managers in the business area in which you work, IT and system staff if access to the data is necessary for performance of their roles.

Your data may also be shared with employee representatives in the context of collective consultation on a redundancy or business sale. This would be limited to the information needed for the purposes of consultation, such as your name, contact details, role and length of service.

How does the organisation protect data?

As the Data Controller the Leightons Group takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Where the organisation engages third party sub processors to process data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data via a data processing agreement

Data Sharing

In some circumstances, such as under a court order, we are legally obliged to share information. We may also share information about you with third parties including government agencies and external auditors. For example, we may share information about you with HMRC for the purpose of collecting tax and national insurance contributions.

Do we use any data processors?

Yes - a list of our current data processors can be found at Annex A.

Transfers of personal data

We do transfer staff personal data overseas, only when this is necessary, and we ensure that we have appropriate safeguards in place to ensure this is covered by the same safeguards as in the UK.

Further information

Staff surveys

Most survey questions require quantitative responses; however sometimes free text boxes are included. We will advise you not to share identifiable information about yourself in these boxes if you wish to remain anonymous.


The Leightons Group has a policy and procedure in place to enable its current staff and ex-employees to have an avenue for raising concerns about malpractice. If you wish to raise a concern, please refer to The Leightons whistleblowing policy and procedure.

Although every effort will be taken to restrict the processing of your personal data and maintain confidentiality whether this is possible will be dependent on the nature of the concern and any resulting investigation.

Equal opportunities monitoring

Some special categories of personal data, such as information about health or medical conditions, or nationality, is processed to carry out employment law obligations (such as those in relation to applicants and employees with disabilities, for health and safety purposes and to ensure a right to work in the UK).

Other processing of special categories of personal data, such as information about ethnic origin, sexual orientation, religion or belief, is done for the purposes of equal opportunities monitoring.

Equal opportunities monitoring information provided at application stage is not attached to your personal application on our HR system when you apply for a role with the Leightons group of companies. Such information provided following an offer of employment will be held on your HR record. A link to the privacy notices of our sub processors can be found in Annex A.

Occupational health

During the offer and recruitment process a health questionnaire is completed and also during employment you may be referred for occupational health support following a request to HR by you or your line manager. This may result in a telephone or video appointment, a face-to-face consultation with an occupational healthcare professional and/or a medical report from a GP or specialist medical practitioner.

We use ELAS Occupational Health and UNUM to provide our occupational health service. The information you provide will be held by ELAS or UNUM, who will provide Leightons with a report containing their recommendations. A link to their privacy notices can be found in Annex A.

Monitoring of staff

All of our ICT systems, are auditable and can be monitored, though we don’t do so routinely.

We are committed to respecting individual users’ reasonable expectations of privacy concerning the use of our ICT systems and equipment. However, we reserve the right to log and monitor such use in line with our Acceptable Use Standard and our Social Networking Policy.


We operate CCTV inside our practices premises to monitor access to certain areas of our branches and Clarendon House office. At Clarendon House we also use the Sign In App for safety purposes to monitor those present in the office Further information is available in our CCTV policy.

Requests for references

If you leave, or are thinking of leaving, we may be asked by your new or prospective employers to provide a reference. For example, we may be asked to confirm the dates of your employment or your job role. If you are still employed by us at the time the request for a reference is received, we will contact you before providing this unless you have already given your consent.

If we receive reference requests or confirmation of employment for tenancy agreements or visa applications, we will require your consent before providing these.


Annex A – Data Processors

Data processors are third parties who provide certain parts of our staff services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so. Our current data processors are listed below.

Iris Open Payslips - Payroll Employee Portal
Iris Earnie Payroll - Payroll software
Kallidus Recruit - System for Processing Recruitment Applications
Kallidus Sapling - HR IT Software Service
Kallidus Learn - Digital Learning and Development Suite
CIPHR - Online HR IT service
BUPA - Private Health Insurance
ELAS - Occupational Health Services
UNUM - Permanent Health Insurance
Pleo - Employee Expense Claim processing and payments
ReAssure - Group Company Personal Pension Provider
CBS - Umbrella Company to process DBS checks
Aviva - Legacy Final Salary Pension Scheme Provider
Daelriada - Manage legacy final salary pension scheme
App - Safety Monitoring for employees at Clarendon House
Great Plains - Accounting Software, also used for Expense payments
Alphabet Connect - App from Alphabet Company Car Fleet provider to support company car drivers in car maintenance service and repairs
Recruitment Agencies - Support the Recruitment of new Staff – Contact us for specific information
Deliciously Ella - Welfare and benefits App Subscription for employees
Optix PMS - PMS – information to reset password

Data Retention Policy

See Separate Documents