Privacy notice

1. About this notice

1.1 This privacy notice explains how and why we collect and process personal data, the types of data we process, our lawful bases, the rights of data subjects and how they can exercise those rights.

1.2 We are the data controller when we process personal data.

1.3 We are based in the United Kingdom and therefore must comply with the UK GDPR, the Data Protection Act 2018 and any legislation or regulation which replaces or amends these. As many of the individuals we support reside in EEA countries, we must also comply with the EU GDPR.

1.4 We work to increase disability inclusion during the recruitment process, in the workplace, at university and before professional bodies. We do this by ensuring that students, applicants, employees, professional bodies, universities and employers understand the correct application of the Equality Act 2010, and organisations’ duties to provide disability-related adjustments in accordance with statutory requirements. We also help organisations to put in place best practice disability.

1.5 Individuals must have a disability according to the Equality Act definition in order to register with us. As part of the registration process, individuals provide us with information about their disability. This is special category data. When processing special category data we must have additional safeguards in place.

2. Our purposes for processing data

2.1 The personal data we hold is collected, retained and generated in order to fulfil one or more of our purposes.

2.2 The following are our purposes for processing the personal data of EmployAbility staff.

EmployAbility Staff

Type of Personal Data

Purpose

Bank details

To ensure the effective administration of staff

Criminal record checks  

Includes criminal offence data.

To ensure staffing needs are met appropriately

CVs, passports and other non-health information provided by applicants for roles with EmployAbility

To ensure staffing needs are met appropriately

Disability-related reasonable adjustments relevant to applicants for roles with EmployAbility.

Includes special category data.

To comply with our legal duties under the Equality Act

Health and disability-related information of employees

Includes special category data.

To ensure the effective administration of staff, to comply with employment law in respect of employee absences, and to comply with our legal duties under the Equality Act

Responding to a rights request under the UK GDPR

Includes special category data.

To comply with our legal duties under the UK GDPR in respect of data subjects’ rights

Litigation and regulatory investigations

To defend or issue claims or to co-operate with investigations by authorised bodies

Personnel records

To ensure the effective administration of staff

2.3 The following are our purposes for processing the personal data of disabled individuals we support.

Supported Individuals

Type of Personal Data

Purpose

Complaints

To comply with our legal duties under the UK GDPR to investigate complaints by data subjects

Contact details for marketing purposes (individuals)

To provide disabled individuals with information about career opportunities and related events

Disability information about individuals for whom we are advocating to a university or professional body

To assist disabled individuals to obtain the adjustments they are entitled to under the Equality Act.

Disability information about individuals requiring assistance in obtaining adjustments from higher education institutions, examining and regulatory bodies.

To assist disabled individuals to obtain the adjustments they are entitled to under the Equality Act.

Disability information about individuals applying directly to a client organisation.

To assist disabled applicants to obtain the recruitment adjustments they are entitled to under the Equality Act, the Employment Equality Directive (Directive 2000/78/EC) or equivalent or similar national legislation or in accordance with an organisation’s internal policies.

Disability information about individuals applying to a client organisation for internships, graduate programmes, and experienced hire roles.

To assist disabled applicants to obtain the recruitment adjustments they are entitled to under the Equality Act, the Employment Equality Directive (Directive 2000/78/EC) or equivalent or similar national legislation or in accordance with an organisation’s internal policies.

Disability information about individuals employed by a client organisation in respect of workplace adjustments.

To assist disabled applicants to obtain the workplace adjustments they are entitled to under the Equality Act, the Employment Equality Directive (Directive 2000/78/EC) or equivalent or similar national legislation or in accordance with an organisation’s internal policies.

Information indicating how individuals became aware of our services

To understand how individuals and organisations became aware of our services

Litigation and regulatory investigations

To defend or issue claims or to co-operate with investigations by authorised bodies

Monitoring individuals’ satisfaction with our services

To ensure the standards of our services and improve upon them where appropriate

Participation in a scholarship programme

To run scholarship programmes in with employers for disabled students

Participation in EmployAbility’s Alumni Programme

To provide networking, mentoring and community for disabled individuals we have previously supported

Research

To carry out research in respect of disability-related issues

Responding to a rights request under the UK GDPR

To comply with our legal duties under the UK GDPR in respect of data subjects’ rights

Statistical analysis

To analyse take-up rates and success of our services, disability prevalence, and trends

2.4 The following are our purposes for processing personal data belonging to staff working for our client organisations.

Client Organisation

Type of Personal Data

Purpose

Client organisation’s contacts and staff (non-disability data)

To provide contracted services

Client organisation’s contacts and staff (disability data)

Includes special category data.

To provide certain contracted services.

To assist disabled employees to obtain the workplace adjustments they are entitled to under the Equality Act, the Employment Equality Directive (Directive 2000/78/EC) or equivalent or similar national legislation or in accordance with an organisation’s internal policies.

Complaints

Includes special category data.

To comply with our legal duties under the UK GDPR to investigate complaints by data subjects

Responding to a rights request under the UK GDPR

Includes special category data.

To comply with our legal duties under the UK GDPR in respect of data subjects’ rights

Contact details for marketing purposes (organisations)

To provide organisations with promotional material about our services

Information indicating how organisations became aware of our services

To understand how individuals and organisations became aware of our services

Litigation and regulatory investigations

To defend or issue claims or to co-operate with investigations by authorised bodies

3. Sources and types of data we hold

3.1 We process information provided to us by the data subject. This includes basic identifying information (such as names, qualifications, phone number, email addresses and work history), and health information relating to disability. Where we carry out an audit for an organisation, it may also include data subjects’ opinions about the organisation’s attitude to disability or their experiences as an employee. If we are conducting a research project it may include additional detailed health information or subjective opinions provided by the data subject. Data subjects also provide us with testimonials, articles, blogs and videos.

3.2 We process information we generate about the data subject. This includes our assessment of an individual’s adjustment needs, their suitability for a role or event to which they apply or any alternative which we think may be more appropriate.

3.3 We process information about the data subject provided to us by third parties. This includes feedback from our partner employers and other organisations a data subject may have applied to, or reasons for an organisation refusing to provide adjustments. An organisation employing the data subject may provide us with adjustments contacts or decision-makers.

4. Our lawful bases

4.1 The following are our lawful bases for processing personal data belonging to EmployAbility staff.

EmployAbility Staff

Type of Personal Data

Lawful Basis

Additional Condition

Bank details

Contract

Criminal record checks

Includes criminal offence data.

Contract

Employment, social security and social protection

CVs, passports and other non-health information provided by applicants for roles with EmployAbility

Contract

Disability-related reasonable adjustments relevant to applicants for roles with EmployAbility.

Includes special category data.

Contract

Employment, social security and social protection

Health and disability-related information

Includes special category data.

Contract

Employment, social security and social protection

Responding to a rights request under the UK GDPR

Includes special category data.

Compliance with legal obligation

Consent

Litigation and regulatory investigations

Compliance with legal obligation

Establishment, exercise or defence of legal claims

Personnel records

Contract

4.2 The following are our lawful bases for processing the personal data of disabled individuals we support.

Supported Individuals

Type of Personal Data

Lawful basis

Additional condition

Complaints

Compliance with legal obligation

Substantial public interest

Contact details for marketing purposes (individuals)

Consent

Consent

Disability information about individuals for whom we are advocating to a university or professional body

Contract

Employment, social security and social protection law

Disability information about individuals requiring assistance in obtaining adjustments from higher education institutions, examining and regulatory bodies.

Contract

Employment, social security and social protection law

Disability information about individuals applying directly to a client organisation (Adjustments@Work in recruitment service).

Consent (to 10th February 2025)

Legitimate interest.

Of assisting disabled applicants to obtain the recruitment adjustments they are entitled to under the Equality Act, the Employment Equality Directive (Directive 2000/78/EC) or equivalent or similar national legislation or in accordance with an organisation’s internal policies (from 11th February 2025).

Consent (to 10th February 2025)

Employment, social security and social protection law (from 11th February 2025).

Disability information about individuals registered with us applying to a client organisation for internships, graduate programmes, and experienced hire roles whether directly or via an EmployAbility programme

Consent (to 7th April 2025)

Legitimate interest.

Of assisting disabled applicants to obtain the recruitment adjustments they are entitled to under the Equality Act, the Employment Equality Directive (Directive 2000/78/EC) or equivalent or similar national legislation or in accordance with an organisation’s internal policies (from 11th February 2025).

Consent (to 7th April 2025)

Employment, social security and social protection law (from 8th April 2025).

Disability information about individuals employed by a client organisation in respect of workplace adjustments (Adjustments@Work workplace service).

Consent (to 10th February 2025)

Legitimate interest.

Of assisting disabled applicants to obtain the recruitment adjustments they are entitled to under the Equality Act, the Employment Equality Directive (Directive 2000/78/EC) or equivalent or similar national legislation or in accordance with an organisation’s internal policies (from 11th February 2025).

Consent (to 10th February 2025)

Employment, social security and social protection law (from 11th February 2025).

Information indicating how individuals became aware of our services

Legitimate interest

Ensuring as many individuals as possible benefit from our services.

Legitimate activity of not-for-profit body

Litigation and regulatory investigations

Compliance with legal obligation

Establishment, exercise or defence of legal claims

Monitoring individuals’ satisfaction with our services

Legitimate interest

Ensuring the quality of service provision to disabled individuals and making improvements where necessary.

Legitimate activity of not-for-profit body

Participation in a scholarship programme

Consent

Consent

Participation in EmployAbility’s Alumni Programme

Consent

Consent

Research

Consent

Consent

Responding to a rights request under the UK GDPR

Compliance with legal obligation

Consent

Statistical analysis

Legitimate interest

Understanding trends in disability employment, disability prevalence, and the take-up rate of our services.

Research purpose

4.3 The following are our lawful bases for processing personal data belonging to staff working for our client organisations.

Client Organisation

Type of Personal Data

Lawful Basis

Additional Condition

Client organisation’s contacts and staff (non-disability data)

Contract

Client organisation’s contacts and staff (disability data)

Includes special category data.

Legitimate interest (Adjustments@Work for employees)

Providing contracted services to organisations (audits and other)

Employment, social security and social protection law (Adjustments@Work for employees)

Consent (audits)

Complaints

Compliance with legal obligation

Substantial public interest

Responding to a rights request under the UK GDPR

Compliance with legal obligation

Consent

Contact details for marketing purposes (organisations)

Legitimate interest

Of marketing our services to clients and prospective clients.

Litigation and regulatory investigations

Compliance with legal obligation

Establishment, exercise or defence of legal claims

5. Retaining data

5.1 We retain personal data for different lengths of time, depending on the purpose for which we process the data.

5.2 The following are our retention periods for personal data of EmployAbility staff.

EmployAbility Staff

Type of Personal Data

Retention Period

Bank details

2 years after the end of employment

Criminal record checks

6 months

CVs, passports and other non-health information provided by applicants for roles with EmployAbility

6 months after communicating to the data subject that they were unsuccessful

Disability-related reasonable adjustments relevant to applicants for roles with EmployAbility

Includes special category data.

6 months after communicating to the data subject that they were unsuccessful

Health and disability-related personnel records

6 years after the end of employment

Responding to a rights request under the UK GDPR

To the retention date applicable to the underlying processing

A pseudonymised record is kept in respect of all-data erasure requests.

Litigation and regulatory investigations

10 years

Non-health personnel records

6 years after the end of employment

5.3 The following are our retention periods for processing personal data belonging to disabled individuals we support.

Supported Individuals

Type of Personal Data

Retention Period


Complaints

10 years

Contact details for marketing purposes (individuals)

4 years

Disability information about individuals for whom we are advocating to a university or professional body

6 years

Disability information about individuals applying directly to a client organisation.

1 year

Disability information about individuals applying to a client organisation for internships, graduate programmes, and experienced hire roles. Our services include personalised support, adjustments advice for recruitment and the workplace, advocacy, skills enhancement and placement.

6 years for students and graduates

4 years for experienced hires

Disability information about individuals employed by a client organisation in respect of workplace adjustments.

1 year

Information indicating how individuals became aware of our services

6 months

Litigation and regulatory investigations

10 years

Monitoring individuals’ satisfaction with our services

6 months

Participation in a scholarship programme

6 years

Participation in EmployAbility’s Alumni Programme

6 years

Research

10 years

Responding to a rights request under the UK GDPR

To the retention date applicable to the underlying processing.

A pseudonymised record is kept in respect of all-data erasure requests.

Statistical analysis

Indefinite

With ongoing monitoring of data and erasure where it is no longer relevant.

5.4 The following are our retention periods for personal data of staff working for our client organisations.

Client Organisation

Type of Personal Data

Retention Period

Client organisation’s contacts and staff (non-disability data)

1 year

In the case of an ongoing relationship, one year after the end of that relationship, unless we agree otherwise by contract, or by asking for your consent to retain your contact details.

Client organisation’s contacts and staff (disability data)

2 months

Complaints

10 years

Responding to a rights request under the UK GDPR

To the retention date applicable to the underlying processing.

A pseudonymised record is kept in respect of all-data erasure requests.

Contact details for marketing purposes (organisations)

4 years

Information indicating how organisations became aware of our services

6 months

Litigation and regulatory investigations

10 years

6. Data subjects’ rights

6.1 Data subjects can exercise their rights by contacting us at our dedicated data protection email address, or in any other way they find convenient.

6.2 We may ask for confirmation of the identity of a data subject exercising a right before we comply with a request.

6.3 In most cases, we should be able to comply with a request free of charge and within one month. In limited circumstances we may charge an administration fee, or extend the deadline for responding to the request. Where this is the case, we will provide the data subject with our reasons. We will also provide the data subject with an explanation if we cannot comply with a request.

6.4 Data subjects have the following rights:

To receive copies of personal data

Data subjects have the right to see copies of the personal data we hold about them. Asking to see copies of data is called a subject access request.

To have personal data erased

This is a conditional right, which applies in particular circumstances. If consent is the legal basis for processing, a data subject’s request will be complied with unless we need to retain the data for legal purposes. We will not erase personnel records or complaint records before the end of the retention period. We will not erase data where we rely on legal obligation or public task as the lawful basis for processing.

To withdraw consent

Where consent is the lawful basis for processing, a data subject may withdraw that consent at any time.

To rectification

A data subject has the right to have inaccurate personal data corrected, and incomplete personal data completed.

To object to processing

In certain circumstances, data subjects have the right to object to our processing their personal data. This applies if we rely on legitimate interest as our lawful basis for processing, or if a data subject believes the information we hold about them is inaccurate or incomplete. The right to object does not apply where our lawful basis for processing is legal obligation or contract with the data subject.

To make a complaint

Data subjects may complain to the ICO if they believe we have infringed their rights when processing their personal data.

To data portability

Data subjects have the right to receive the personal data they provided to a controller, and have the controller transfer that data to another controller, where the lawful basis for processing is consent or contract.

7. How we protect personal data

7.1 We have extensive controls in place to maintain the security of our information and information systems. The data we process is protected with safeguards appropriate to its sensitivity.

7.2 Employees have access to different categories of personal data on a need-to-know basis.

7.3 All employees are provided with data protection and security training, and are required to act in accordance with applicable data protection legislation and our policies. Employees are prohibited from any unauthorised use or disclosure of personal data to a third party.

7.4 Where possible, we anonymise or pseudonymise personal data.

8. Transfer of data outside the UK

8.1 If a data subject applies for a role outside the UK with one of our employer partners, we may transfer their personal data to that jurisdiction.

8.2 Where the data is being transferred to a country which the UK government has designated as having adequate data protection safeguards, we rely upon that adequacy decision.

8.3 Where the data is being transferred to the United States, if the organisation to which the transfer is being made has signed up as a participant, we rely upon the EU-US Data Privacy Framework (the ‘Privacy Framework’), and the UK Extension to the Privacy Framework, as applicable. If the organisation has not signed up to the Privacy Framework, we rely upon the International Data Transfer Addendum to the new EU Standard Contractual Clauses (the ‘Addendum’), or the UK International Data Transfer Agreement (the ‘IDTA’).

8.4 Where the data is being transferred to a country which has not been designated by the UK government as having adequate protections for data and we are the controller, we will either rely upon the Addendum or the IDTA.

8.5 Individuals wishing to further understand the protections given to personal data we transfer to a non-adequacy country should contact us at dataprotection@employ-ability.org.uk.

9. Sharing personal data with third parties

9.1 We may discuss an individual’s application and adjustment needs with an employer partner to whom the individual has applied. In most cases we will not tell the employer about the applicant’s disability, but if it is necessary to do so to ensure the individual receives appropriate adjustments, we will seek separate consent. Our employer partners may provide feedback on applications. They may also retain information about an applicant if they are unsuccessful, in case they are suitable for a future role. Applicants should check the privacy policy of the employer organisation they are applying to.

9.2 We may have discussions about an applicant’s adjustment needs with any third party employer who is not one of our partners but to whom we advocate on the applicant’s behalf. Such employers may provide feedback to EmployAbility on occasion.

9.3 We do not sell, share or lease personal data, other than as described in this privacy notice, unless the data subject gives us consent to do so.

9.4 We may disclose personal data in order to meet a legal or regulatory requirement. In the case of a suspected criminal offence, personal data may be shared with the police.

9.5 If personal data has been provided to us in respect of a matter about which we are providing advocacy support, we may share that information with the organisation to which we are making submissions about reasonable adjustments.

9.6 We do not share information about applicants for roles with EmployAbility.

9.7 Employees’ personal data may be shared with insurers, our accountants or our legal advisors.

9.8 A student or graduate’s personal information may be shared with their university, where that university is one of our partners, or if it is not one of our partners but we are advocating for the student.

9.9 Personal data about those we have supported may be shared on our website or in our newsletter with the individual’s consent, for example where they act as a Campus Ambassador, write an article, win an award or provide a testimonial.

10. Marketing

10.1 When an individual registers with us, they receive a welcome email which describes the information we will send to them about current opportunities and other news. Anyone who does not wish to receive this material can opt out at any time, either via the welcome email, or by clicking the unsubscribe link in any direct marketing communications they receive.

11. Automated decision-making

11.1 We do not use personal data to make automated decisions.

12. How we store data

12.1 We store data electronically on our database or in the cloud.

13. Cookies

13.1 Our website uses only cookies which are strictly necessary for the essential functions of our website.

14. Contact

14.1 Our dedicated email for matters relating to data protection is dataprotection@employ-ability.org.uk.

15. Update and review

15.1 We may update this privacy notice from time to time.