Privacy statement (recruitment and employment)

How and why we collect and store the data of employees and applicants

Reviewed March 2022

This policy explains what personal data (information) we hold about you, how we collect it, and how we use and may share information about you during your employment application process, your employment and after it ends. We are required to notify you of this information under applicable data protection law.

In this policy references to ‘employee’ or ‘employment’ include references to agency workers, independent contractors, freelancers, volunteers, interns and any other non-employee workers.

Please ensure that you read this policy (sometimes referred to as a ‘privacy notice’) and any other similar policy or notice we may provide to you from time to time when we collect or process personal information about you (including in particular: ‘the Society of Authors – Privacy Policy: General’, which should be read in conjunction with this policy).

Who collects the information

The Society of Authors, a company incorporated and registered in England and Wales with company number 00019993 and its registered office at 24 Bedford Row, London, England, WC1R 4EH (SoA) is a ‘data controller’ and gathers and uses certain information about you. This information may also be used by our affiliated entities and group companies and accordingly references to ‘we’, ‘us’ or ‘our’ mean the SoA.

Data protection principles

We will comply with the data protection principles when gathering and using personal information, as set out in the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018 (DPA), any laws which implement any of the foregoing, and any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.

About the information we collect and hold

We may collect the following information before, during and after your employment (including during the recruitment process):

  • Your name, date of birth, personal and work contact details (i.e. address, home and mobile phone numbers, email addresses) and emergency contacts (i.e. name, relationship and home and mobile phone numbers);
  • Information collected during the recruitment process that we retain during your employment (including details of your qualifications, education, experience and employment history (including job titles, remuneration packages and working hours), information about your personal interests and hobbies, details of any written tests or assessments undertaken by you as part of the interview process, interview notes and other materials generated during the interview process, details of your referees and letters of reference);
  • Details relating to your employment contract information, including details of salary and benefits, bank/building society, National Insurance and tax information;
  • Your nationality and immigration status and information from related documents, such as your passport, driving licence or other identification and immigration information;
  • Details of your pension arrangements, and all information included in these and necessary to implement and administer them;
  • Information regarding your fitness for work, and information in your sickness and absence records (this may include sensitive personal information regarding your physical and/or mental health);
  • Details of your spouse/partner and any dependants;
  • Equal opportunities information, including your racial or ethnic origin, sex and sexual orientation, religious or similar beliefs (this constitutes sensitive personal information);
  • Information regarding your criminal record in a criminal records certificate (CRC) or enhanced criminal records certificate (ECRC) and/or the results of Disclosure and Barring Service (DBS) checks;
  • Your trade union membership (this constitutes sensitive personal information);
  • Information on grievances raised by or involving you (depending on the nature of the grievance this may include sensitive personal information);
  • Information on conduct and/or other disciplinary issues involving you (depending on the nature of the issue this may include sensitive personal information);
  • Details of your appraisals and performance reviews, performance management/improvement plans (if any), your time and attendance records, information regarding your work output, and information in applications you make for other positions within our organisation;
  • Your image, in photographic and video form;
  • Your voice, in audio form; and
  • Details of your public use of social media, such as LinkedIn.

Certain of the categories above may not apply to you if you do not progress beyond the recruitment stage or if you are an agency worker, independent contractor, freelancer, volunteer, intern or any other non-employee worker.

How we collect the information

We may collect this information from you, your nominated referees, public locations (e.g. LinkedIn), your managers, your fellow employees, your personnel records, your trade union, your doctors, pension administrators, the Home Office, the DBS, overt audio and visual recordings and/or consultants and other professionals we may engage (e.g. to advise us generally and/or in relation to any grievance, conduct appraisal or performance review procedure).

Why we collect the information and how we use it

We will typically collect and use this information for the following purposes:

  • for the performance of a contract with you, or to take steps to enter into a contract;
  • for compliance with a legal obligation (e.g. our obligations under applicable tax, pensions and health and safety legislation);
  • for the purposes of our legitimate interests or those of a third party (e.g. a benefits provider), i.e. to help with note taking, to ensure that accurate records of work calls and meetings are kept, and to ensure the safety of all participants at physical and online meetings and events, but only if these are not overridden by your interests, rights or freedoms;
  • because it is necessary for carrying out obligations or exercising rights in employment law;
  • for reasons of substantial public interest (i.e. equality of opportunity or treatment, promoting or retaining racial and ethnic diversity at senior levels, promoting or retaining female and LGBTQIA+ employment at senior levels, promoting or retaining neurodiversity at senior levels, regulatory requirements);
  • to defend any legal claims that may be brought against us in connection with your employment, or to establish, bring or pursue any claim against you e.g. to enforce post-termination restrictions (this will typically involve passing information on to our legal advisers, who will be subject to strict professional and contractual duties of confidentiality); and
  • to process any complaints or support training and development.

We seek to ensure that our information collection and processing is always reasonable and proportionate. We will notify you of any material changes to information we collect or to the purposes for which we collect and process it.

How we may share the information

We may also need to share some of the above categories of personal information with other parties, such as HR consultants, professional advisors, insurers, pension administrators, external contractors and potential purchasers of some or all of our business or on a re-structuring. Where possible, information will be anonymised or pseudonymised. Where this is not possible, we will seek to ensure that the recipient of the information is bound by confidentiality obligations.

Where information may be held

Information may be held at our offices and any third party agencies, service providers, representatives and agents as described above in the UK. Information may be transferred internationally, including to countries that do not have data protection laws equivalent to those in the UK, for the reasons described above. Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) on the basis of legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law.

How long we keep your information

We keep your information before, during and after your employment for no longer than is necessary for the purposes for which the personal information is processed.

If your application for employment is unsuccessful, we may ask if you would like us to retain your personal information for a period of twelve (12) months. If you agree, we may contact you should any further employment opportunities arise during that period (after which period your data may be deleted or anonymised).

If your application for employment is successful, we will retain your personal information for the duration of your employment with us, and for a period of up to six (6) years thereafter (in line with the Statute of Limitations) (after which period your data may be deleted or anonymised).

Otherwise, we will keep your information for the period(s) specified in the Privacy Policy – General and in Annex 1, below.

Your right to object to us processing your information

Where our processing of your information is based solely on our legitimate interests (or those of a third party), you have the right to object to that processing if you give us specific reasons why you are objecting, which are based on your particular situation. If you object, we can no longer process your information unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or we have another legal ground for the processing (e.g. to comply with our legal and regulatory obligations; for the performance of a contract with you or if the processing is for the establishment, exercise or defence of legal claims).

Please contact us if you wish to object in this way.

Your rights to correct and access your information and to ask for it to be erased

Please contact us if (in accordance with applicable law) you would like to correct or request access to information that we hold relating to you or if you have any questions about this policy. You also have the right to ask for some/all of the information we hold and process to be erased (the right to be forgotten) in certain circumstances. We will provide you with further information about the right to be forgotten, if you ask for it.

Keeping your personal information secure

We have appropriate organisational, security and technical measures in place to prevent personal data from being accidentally lost, or used or accessed unlawfully, e.g.:

  • We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner after GDPR training and are subject to a duty of confidentiality.
  • If you engage in an email exchange with us, whilst we cannot guarantee the security of email communications, your email correspondence will be stored securely on our email and, if appropriate, employee filing systems.
  • Data files shared by us with any third parties will be password protected.
  • Before introducing any new systems or technologies relevant to the processing of your personal data, we will where necessary and appropriate undertake and complete a data protection impact assessment (DPIA) identifying any associated risks.
  • When processing any special category personal data, we will anonymise or pseudonymise that data (e.g. by removing identifiers such as names and addresses) to minimise the damage that may be caused by a data breach.
  • We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to contact us

You can contact us by post, email or telephone if you have any questions about this policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

Our contact details are shown below:

Our contact details:

The Society of Authors
24 Bedford Row
London
England
WC1R 4EH
info@societyofauthors.org
020 3880 2230

Our Data Protection Officer’s contact details:

Peter Kennedy
Head of Member Services
PKennedy@societyofauthors.org
020 3880 2230

How to complain

We hope that we can resolve any query or concern you raise about our use of your information. If not, contact the Information Commissioner at ico.org.uk/concerns/ or telephone: 0303 123 1113 for further information about your rights and how to make a formal complaint.

Annex 1

Data retention periods for HR documents:

| Document | Minimum Retention Period | Authority/Justification |
|---|---|---|
| Employee Relations | | |
| Application forms and interview notes (for unsuccessful candidates) | 6 months to a year | Recommended practice (CIPD); Defamation Act 1996 1-year limitation (in respect of any shared comments) |
| Applications (successful) | 6 months following end of probation period – may retain useful data eg skills | Assess and verify suitability for role; Limitation incl. EC for unfair dismissal and discrimination claims etc. |
| Authorised absence records (annual leave, time off for dependents, jury service etc.) | 2 years from when the entry was made | Working Time Regulations 1998 Part II |
| CCTV: relevant footage relating to an investigation or formal process | *consider any insurance obligations* Extend normal retention period of CCTV for 6 months following a formal outcome or any appeal outcome | Recommended practice (ICO); Limitation incl. EC for unfair dismissal and discrimination claims etc. |
| Collective agreements | 6 years after ending | Limitation Act 1980 – limitation for breach of contract and negligence |
| Contracts, offer letters and variations (including any flexible working outcome) | 6 years following end of employment | Limitation Act 1980 – limitation for breach of contract |
| Criminal record checks and disclosures (eg a DBS certificate) | 6 years following end of employment | Limitation Act 1980 – limitation for negligence (made by public etc.) |
| Capability and disciplinary documents (substantiated) | 2 years following the issue of the warning | TUPE 2006; Case law permitting expired warnings to be referred to (but not built upon). Unreasonable to refer back after 2 years |
| Driving licence (if required) | *consider any insurance obligations* Duration drives on business plus 3 years | Limitation Act 1980 – 3-year limitation for negligence for a known act/incident |
| Driving offences | Remove once the conviction is ‘spent’ unless subject to exemptions. | Rehabilitation of Offenders Act 1974 |
| Drug and alcohol testing records | 6 years from a positive result; 6 months from a negative result | Tribunal limitation incl. EC for breach of contract and discrimination claims etc. |
| Flexible working request documents | 18 months following outcome (including any appeal outcome) | 12-month statutory embargo on a further request plus 6-month tribunal limitation incl. EC for auto-unfair dismissal and discrimination claims etc. |
| Grievance documents | 6 months following end of employment | Limitation incl. EC for ‘last straw’ constructive dismissal and discrimination claims etc |
| Investigations – no case to answer | 6 months following conclusion | Limitation incl. EC discrimination claims etc |
| Maternity medical records | 3 years after the end of the tax year in which the maternity period ends | The Statutory Maternity Pay (General) Regulations 1986 as amended |
| Medical capability documents and records incl. OH reports | 6 months following end of employment | Equality Act 2010; Limitation incl. EC for unfair dismissal and discrimination claims etc. |
| Monitoring (eg vehicle trackers) | 6 months rolling unless there is an overriding reason or on-going relevance of the record | Recommended practice (ICO) |
| Professional insurance (including insurance for driving on business), licence to practice and professional registrations. | *consider any insurance, regulatory or supervisory obligations eg GMC, NMC, CQC, FCA* 6 years following end of employment | Limitation Act 1980 – limitation for negligence (made by public etc.) |
| Qualifications | 6 years following end of employment | Limitation Act 1980 – limitation for negligence (made by public etc.) |
| Right to work checks | Two years after employment | Recommended practice (Home Office) |
| Redundancy details, calculations of payments, refunds, notification to the Secretary of State | 6 years from the date of redundancy | Recommended practice (CIPD); Limitation Act 1980 |
| Redundancy – documentation | 6 years following end of redundancy | Limitation Act 1980 |
| References received for employment | *consider any insurance, regulatory or supervisory obligations eg GMC, NMC, CQC, FCA* 6 months following end of probation period | Assess and verify suitability for role; Limitation incl. EC for unfair dismissal and discrimination claims etc. |
| References issued for employment | 1 year | Defamation Act 1996 1-year limitation (in respect of any shared comments) |
| References and correspondence that may produce legal effects (mortgage, loan, etc) | 3 years following issue | Limitation Act 1980 – limitation for negligence when immediately aware |
| Sickness records and unauthorised absence records | 6 months following end of employment; Pseudonymise where feasible | Limitation incl. EC for unfair dismissal and discrimination claims etc.; Recommended practice (data laws) |
| Sickness and injury records (work related) (other than those listed under ‘Health and Safety’) | 15 years | 3 years for personal injury claim; 15 years for negligence (in respect of latent damage); Limitation Act 1980 |
| Subject access request letters | 1 year following completion of a request | May charge a fee for repeat copies. May be unreasonable to charge a fee after 12 months. |
| Trust deeds, rules and minute books | Permanently | Recommended practice (CIPD) |
| Whistle-blowing – reports and documents linked to an investigation which is partially or wholly substantiated. | 6 months following the outcome of the report or any remedial action taken because of the report | Public Interest Disclosure Act 1998 (‘PIDA 1998’); Employment Rights Act 1996 |
| Whistle-blowing – documents linked to an entirely unsubstantiated claim | Remove immediately any personal data | Recommended practice (IAPP) |
| Health and Safety | | |
| Accident books, records and reports | 15 years | 3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980 |
| Assessments under health and safety regulations and records of consultations with safety representatives and committees | Indefinitely | Recommended practice (CIPD) |
| First aid training | 6 years after employment | Health and Safety (First-Aid) Regulations 1981 |
| Fire warden training | 6 years after employment | Fire Precautions (Workplace) Regulations 1997 |
| H&S representatives training | 5 years after employment | Health & Safety (Consultation with employees) Regulations 1996 |
| H&S training – employees | 5 years after employment | H&S Information for Employees Regulations 1989 |
| Health records made in connection with health surveillance (according to HSE) | 40 years | Recommended practice (HSE); The Control of Substances Hazardous to Health Regulations 1999 and 2002 |
| Medical records under the Control of Asbestos at Work Regulations: medical records containing details of employees exposed to asbestos | Medical records – 40 years from the date of the last entry; Medical examination certificates – 4 years from the date of issue | The Control of Asbestos at Work Regulations 2002 and the Control of Asbestos Regulations 2012 |
| Medical records and details of biological tests under the Control of Lead at Work Regulations | 40 years from the date of the last entry | Control of Lead at Work Regulations 2002 |
| Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH) | 40 years from the date of the last entry if person is identifiable and the record represents exposure, otherwise at least 5 years. | The Control of Substances Hazardous to Health Regulations 1999 and 2002 |
| Medical records under the Ionising Radiations Regulations 1999 | Until the person reaches 75 years of age, but in any event for at least 50 years | The Ionising Radiations Regulations 1999 |
| Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH) | 5 years from the date on which the tests were carried out | The Control of Substances Hazardous to Health Regulations 1999 and 2002 |
| Risk assessments | Indefinite | Recommended practice (CIPD) |
| Statutory and regulatory training | 6 years after employment | Limitation Act 1980 |
| Payroll and Finance | | |
| Accounting records | 3 years (private company); 6 years (public) | Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006 |
| Expense accounts | 6 years following year end (public companies) | Companies Act 1985, section 222 as modified by the Companies Act 1989 and Companies Act 2006 |
| Income tax and NI returns, income tax records and correspondence with HMRC | Not less than 3 years after the end of the financial year to which they relate | The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended |
| Inland Revenue/HMRC approvals | Permanently | Recommended practice (CIPD) |
| National minimum wage records | 3 years after the end of the pay reference period following the one that the records cover | National Minimum Wage Act 1998 |
| Statutory Maternity Pay records, calculations, certificates (Mat B1s) and leave | 3 years after the end of the tax year in which the maternity period ends | The Statutory Maternity Pay (General) Regulations 1986 as amended and Maternity & Parental Leave Regulations 1999 |
| Statutory Adoption Pay records, calculations, matching certificates and leave | 3 years after the end of the tax year in which the maternity period ends | Maternity & Parental Leave Regulations 1999 |
| Statutory Paternity Pay records, calculations and leave | 3 years after the end of the tax year in which the maternity period ends | Maternity & Parental Leave Regulations 1999 |
| Statutory Shared Parental Pay records, calculations, certificates (Mat B1s), notices and leave | 3 years after the end of the tax year in which the maternity period ends | Maternity & Parental Leave Regulations 1999 |
| Wage/salary records (also overtime, bonuses, expenses) | 6 years | Taxes Management Act 1970. |
| Benefits | | |
| Pension scheme investment policies | 12 years from the ending of any benefit payable under the policy however no information should ever be retained unless it is a necessary consequence of the funding | Recommended practice (ICO) |
| Pension records | 12 years after benefit ceases. Avoid access unless required | Recommended practice (CIPD) |
| Retirement Benefits Schemes – records of notifiable events | 6 years from the end of the scheme year in which the event took place | The Retirement Benefits Schemes (Information Powers) Regulations 1995 |
| Private medical | Avoid access unless required as part of making a reasonable adjustment etc | Recommended practice (ICO) |
| Working time | | |
| Timesheets, overtime records and other documents relating to working time | 2 years from date on which they were made | Working Time Regulations 1998 Part II |
| Young people and children | | |
| Records relating to children and young adults | Until the child/young adult reaches the age of 21 | Limitation Act 1980 – limitation for negligence (made by public etc.); Conditions for processing may need to be reviewed when a child turns 13 |