The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and changed the way organisations were able to deal with data.

We may have to collect and use information about people with whom we work. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means.

We regard the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between us and those with whom we carry out business. We will ensure that we treat personal information lawfully and correctly.

To this end we fully endorse and adhere to the principles of the General Data Protection Regulation.

This policy applies to the personal data of many people including; job applicants, existing and former employees, volunteers, and service users. These are referred to in this policy as relevant individuals.


Personal data

Information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.

Special categories of personal data

Data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).

Criminal offence data

Data which relates to an individual’s criminal convictions and offences.

Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controllers

The ‘controller’ determines the purposes and means of processing the data.

Data processors

The ‘processor’ is responsible for processing personal data on behalf of the controller.

Data protection principles

Under GDPR, all personal data obtained and held by us must be processed according to a set of six core principles. In accordance with these principles, we will ensure that data is:

  • processed lawfully, fairly and in a transparent manner.
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals and;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Individual rights

Data subjects have the following rights regarding their personal data under the GDPR:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erase or “the right to be forgotten”
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision making and profiling

Lawful basis for processing

Personal data can only be processed where there is a lawful basis to do so and organisations must determine the lawful basis is for each processing activity before processing begins. The lawful basis which applies to each processing activity needs to be identified in certain pieces of documentation, e.g. in privacy notices and responses to subject access requests.

There are six lawful bases for personal data are:

  • consent: the individual has given clear consent for you to process personal data.
  • legitimate interests: the processing is necessary for your legitimate interests or the legitimate interest of a third party, unless there is a good reason to protect the individual’s personal data whish overrides those legitimate interests.
  • performance of a contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • vital interests: the processing is necessary to protect someone’s life.
  • public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

The lawful basis for processing sensitive data are:

  • valid explicit employee consent
  • necessary for carrying out employment rights and obligations, it is authorised by domestic or EU law and the employer has an appropriate policy document in place
  • necessary to protect the vital interests of the employee or another person where the employee is incapable of giving consent
  • processing by a foundation, association or not-for-profit with a political, philosophical, religious or trade union aim
  • if the employee has made the personal data public
  • necessary for the employer to establish or defend legal claims
  • necessary for reasons of substantial public interest (including the processing of personal data revealing race, religious beliefs, health or sexual orientation for the purposes of promoting equality of treatment, and including processing necessary to determine eligibility for or benefits payable under an occupational pension scheme which can reasonably be carried out without the employee's consent), and the employer has an appropriate policy document in place
  • necessary for the assessment of the employee's working capacity either on the basis of domestic or EU law or pursuant to a contract with a health professional, and subject to confidentiality safeguards.


In order to process information/data WWTW usually obtain explicit consent.

Consent must be freely given, informed and unambiguous. It requires positive opt in meaning that organisations cannot use default methods including pre-checked boxes. Individuals must be given detailed information on what their consent is being obtained for; the types of processing activity and the name of the controller. Blanket consent to cover many different aspects of processing will not be sufficient.

The Information Commissioner recognises that the free giving of consent may be compromised by the employer-employee relationship in that employers are in a position of power over individuals and so employees may feel they have no choice but to provide consent in order to gain or continue employment. Because of this, the ICO recommends organisations avoid relying on consent as a lawful basis unless there is evidence that it has been freely given.

Legitimate interests – marketing emails 

Another lawful basis of processing data is 'legitimate interests'. Broadly speaking 'legitimate interests' means that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests. Before doing this we will carefully consider and balance any potential impact on you and your rights.

The only area where WWTW may use Legitimate Interest to communicate is to supporters who have shown an interest in some activity and may have a legitimate interest in another area of our activity.

Privacy notices

As part of the enhanced accountability provisions, organisations will have a general obligation to implement measures to show that data protection is a primary concern in processing activities. A privacy notice can be used to do this.

The privacy notice is one of the most important documents in GDPR compliance. It tells your employees exactly what types of data about them that you hold e.g. their name and other personal details, their previous employment history and other information included on a CV, their training records and disciplinary records etc. It also sets out the lawful basis for each type of data you hold.

It is important that employees have easy access to your privacy notice. It is also important for job applicants to see a privacy notice that relates to the data you hold on them too. Our Privacy Notice can be found on People HR and on the website.

Data protection impact assessments

You must, in certain circumstances, carry out a data protection impact assessment to help identify the most effective way to comply with our data protection obligations. This is part of the concept of “privacy by design” involved in GDPR.

An impact assessment must be carried out when you:

  • use new technologies and
  • the processing is likely to result in a high risk to the rights and freedoms of individuals. This can include systematic and extensive processing activities; large scale processing of special categories of data (currently known as ‘sensitive’ data) or large scale systematic monitoring of public areas.

If you believe you may need to conduct a data protection impact assessment, speak to the Data Protection Officer.

Data Protection Officer (DPO)

Our appointed compliance officer in respect of our data protection activities is:

Andrew Delve, IT Manager,

The responsibilities of the DPO include:

  • inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
  • monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits
  • be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc)

Types of data held

We keep several categories of personal data on our employees and service users in order to carry out effective and efficient processes and support.

For employees

We keep this data in a personnel file relating to each employee and we also hold the data within our computer systems on People HR.

Specifically, we hold the following types of data:

  • personal details such as name, address, phone numbers
  • information gathered via the recruitment process such as that entered into a CV or included in a C cover letter, references from former employers, details on your education and emplyment history etc.
  • details relating to payment administration such as National Insurance numbers, bank account details and tax codes
  • medical or health information
  • information relating to your employment with us, including:
    1. job title and job descriptions
    2. your salary
    3. your wider terms and conditions of employment
    4. details of formal and informal proceedings involving you such as letters of concern, disciplinary or grievance proceedings, your annual leave records, appraisal and performance information
    5. internal and external training modules undertaken

All of the above information is required for our processing activities. More information on those processing activities are included in our Privacy notice for employees / workers, which is available on People HR.

For service users

In order to support our service users we hold detailed information in the above areas of I, II and IV inclusive of (potentially) detailed GP information, mental health information including clinical scores, (potentially) criminal conviction information and information regarding safeguarding or critical incidents which may include details about service users and actions taken.

Access to data

As stated above, employees and service users have a right to access the personal data that we hold on them. To exercise this right, employees and service users should make a Subject Access Request. We will comply with the request without delay, and within one month unless, in accordance with legislation, we decide that an extension is required. Those who make a request will be kept fully informed of any decision to extend the time limit.

No charge will be made for complying with a request unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request. In these circumstances, a reasonable charge will be applied.

Further information on making a subject access request is contained in our Subject Access Request Policy.

Data disclosures

WWTW may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include:  

  • any employee benefits operated by third parties;
  • disabled individuals - whether any reasonable adjustments are required to assist them at work;
  • individuals’ health data - to comply with health and safety or occupational health obligations towards the employee;
  • for Statutory Sick Pay purposes;
  • HR management and administration - to consider how an individual’s health affects his orher ability to do their job;
  • the smooth operation of any employee insurance policies or pension plans;
  • to assist law enforcement or a relevant authority to prevent or detect crime or prosecute offenders or to assess or collect any tax or duty.

These kinds of disclosures will only be made when strictly necessary for the purpose.

Data security

All our employees are required to undertake GDPR Data Protection Training on induction and every three years after. Employees are aware of their roles and responsibilities when their role involves the processing of data including that;

  • Stored files or written information of a confidential nature in a secure manner so that are only accessed by people who have a need and a right to access them and to ensure that screen locks are implemented on all PCs, laptops etc when unattended. No files or written information of a confidential nature are to be left where they can be read by unauthorised people.
  • Where data is computerised, it should be stored on our secure databases (Salesforce and People HR) or coded, encrypted or password protected both on a local hard drive or a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
  • Employees must always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them.
  • Personal data relating to employees or service users should not be kept on USB sticks, or similar devices, unless prior authorisation has been received. Where personal data is recorded on any such device it should be protected by:
    • ensuring that data is recorded on such devices only where absolutely necessary.
    • using an encrypted system
    • ensuring that laptops or USB drives are not left where they can be stolen

All WWTW laptops are encrypted with Bitlocker and require password access.

Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.

Third party processing

Where we engage third parties to process data on our behalf, we will ensure, via a data processing agreement with the third party, that the third party takes such measures in order to maintain WWTW commitment to protecting data.

International data transfers

On rare occasions WWTW may be required to transfer personal data to a country/countries outside of the EEA. Where this occurs, appropriate safeguards are adopted.

Requirement to notify breaches

All data breaches will be recorded on our Data Breach Register. Where legally required, we will report a breach to the Information Commissioner within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach.

A personal data breach has a wider definition than simply losing personal data. It is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It may include a hacking attack or human error e.g. sending information to the wrong email address.

Reportable breaches must be reported to the relevant supervisory authority (this will be the Information Commissioner unless the data is transferred to another country) without undue delay and within 72 hours of discovery. Organisations will be permitted to provide information on the breach in phases where a full investigation is not possible within that timeframe.

A reportable breach is one which is likely to result in a risk to people’s rights and freedoms. If this is not a likely consequence, the breach does not need to be reported.

If there is a high risk to people’s rights and freedoms, the affected individual(s) will also need to be notified. This may be, for example, where an individual may be discriminated against, suffer financial loss or detriment to reputation or other social or economic disadvantage. Where the breach is such that the public need to be informed, this should be done without delay.

Guidelines will be made available on assessing the threshold of a breach. Failure to report can lead to a fine of up to €10million.

More information on breach notification is available in our Data Breach Procedure.


New employees must read and understand the policies on data protection as part of their induction.

All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.

The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under the GDPR.

All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company’s policies and procedures.


WWTW keeps records of its processing activities including the purpose for the processing and retention periods in its HR Data Record. These records will be kept up to date so that they reflect current processing activities. Details on records processed and stored by department can be found in our Records Management Policy.

Please contact us if you want further information or return to the homepage.