Privacy Notice for ParentPay Employees
ParentPay (Holdings) Limited (“ParentPay Group”) through its subsidiaries ParentPay Limited, Nimbl Limited, Cypad Limited, Just Education Limited, Pair Solutions GmbH, EDV-Schaupp GmbH, MensaMax GmbH and Education Software Solutions Ltd (ESS), is engaged in the design, development, sales, marketing, supply, operation and maintenance of, in the case of ParentPay Limited (“PPL”) and Cypad Limited, Pair Solutions GmbH, EDV-Schaupp GmbH, MensaMax GmbH, Education Software Solutions Ltd, payment collection, payment processing, school meal management, parent communication and management information systems and services for the education market, in the case of Nimbl Limited, youth banking, payment and debit card issuing services, and, in the case of Just Education Limited, education recruitment services (together the “Group Products and Services”).
ParentPay Group is a Data Controller under the UK GDPR, which means it determines the purposes and means of the processing of personal data. This notice explains to ParentPay Group Employees and contractors (“you/your”) how ParentPay Group (“we/us”) processes your personal data.
As an employee or contractor (or prospective employee), you understand and acknowledge that we may collect, use and disclose your personal data in accordance with this Privacy Notice.
While this Notice is intended to describe the broadest range of our personal data processing activities, those processing activities may be more limited under certain circumstances.
This privacy notice covers:
- Why we use your personal data
- The legal basis for processing
- What personal data we use
- How we use your personal data
- Your rights under data protection legislation
- Sharing personal data with third parties
- How long we may keep your personal data
- Changes to our privacy notice
- Contact details for our Data Protection Officer
Why we use your personal data
We process your personal data for the following purposes:
- to comply with legislative requirements within employment law
- to process your payroll, expenses and tax deductions
- for the verification of your identity where required, including the Right to Work Laws
- to conduct appropriate background checks, including basic disclosures and reference checks
- for the prevention and detection of crime, fraud and anti-money laundering
- to protect our business interests, goodwill, brand and business reputation from harm and damage
- for making contact with you and your proposed emergency contacts if required
- for enrolling you into relevant benefits and incentive schemes as agreed with you
- to meet applicable health and safety requirements and other safeguarding duties
- to enable us to comply with our legal and regulatory obligations
- to manage holiday, absences and other leave
- for recording grievances, disciplinaries and disputes if required
- to assist in employee development and training programmes
- for securing business premises, data, systems and other assets
- to successfully provision, operate, maintain and improve the tools and resources required for employees to complete their job roles effectively and as required by the business
- to conduct employee opinion surveys and administer employee recognition programs
- to administer termination of employment and provide and maintain references
- for other general administrative and human resource-related processes that would be reasonably expected
If we plan to introduce further processes for the use of your information, we will provide information about that purpose prior to such processing.
The legal basis for processing
Under Data Protection Law, there are various grounds which are considered to be a ‘legal basis for processing’.
Our primary legal basis for processing your information in relation to your employment with ParentPay Group is:
‘processing is necessary for the performance of a contract to which the data subject is party’
Data relating to your health is known as Special Category Data, and we must satisfy an additional condition before processing it. Where we process your health data for the purposes of administering sick pay or making reasonable adjustments, we do so because:
‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law’
We are also under a legal obligation to process certain personal data, for example provision of payroll information to HMRC. Where such a legal obligation exists, our legal basis for processing your personal data is:
‘processing is necessary for compliance with a legal obligation to which the controller is subject’
Where you have opted to join employee benefit or incentive schemes, our legal basis for processing your personal data is:
‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’
You can withdraw this consent at any time by emailing the Group Data Protection Officer.
In some circumstances, for example where monitoring of tools and resources is undertaken for the purposes of security (please refer to the Acceptable Use Policy) and process improvement, our legal basis for processing your personal data is:
‘processing is necessary for the purposes of the legitimate interests pursued by the controller’
It should be noted that in some circumstances this legal basis may vary; however, we will only process data with a fair and reasonable legal basis for doing so.
What personal data we process
In order to carry out these services, we collect and process the following information:
Data Subject (Who) | Data Category (What) | Description |
Employee | Forename | This is the forename of the employee. |
Employee | Surname | This is the surname of the employee. |
Employee | Date of Birth | This is the date of birth of the employee. |
Employee | Gender | This is the employee’s gender. |
Employee | Title | This is the employee’s title (Mr, Mrs, Ms, etc). |
Employee | Authentication data | Username and password, single sign-on or multi-factor authentication tokens. |
Employee | House Name | The text entered as the employee’s house name. |
Employee | Street | The text entered as the employee’s street. |
Employee | Locality | The text entered as the employee’s locality. |
Employee | Town | The text entered as the employee’s town. |
Employee | Postcode | The text entered as the employee’s post code. |
Employee | Day Telephone | The employee’s daytime telephone number. |
Employee | Home Telephone | The employee’s home telephone number. |
Employee | Mobile Telephone | This is the employee’s mobile telephone number. |
Employee | Email (Work and Personal) | This is the employee’s e-mail address(es) used for correspondence. |
Employee | Identity Documents | Used for identity and background checks, e.g. Passport or Driver’s Licence. |
Employee | Medical Conditions | So that we can manage any special requirements and ensure your safety. |
Employee | Proof of Address | Used for identity and background checks. e.g. Utility bill or council tax. |
Employee | Photograph | Used for identity cards and communication enhancements. |
Employee | Salary and Payment Details | This is the employee’s remuneration details and history of payments. |
Employee | National Insurance Details | This includes your National Insurance Number, Tax Code and contributions |
Employee | Bank Account Details | This is your bank details, so that we can pay you (Account number, sort code etc) |
Employee | Pension Subscription* | We share basic information to enrol employees into the company pension scheme |
Employee | Healthcare Subscription* | We share basic information to enrol employees into the company health scheme |
Employee | Life Insurance Scheme* | We share basic information to enrol employees into the company life insurance |
Employee | Training Records | To record any relevant training |
Employee | Qualifications | To record appropriate qualifications relevant to your job role |
Employee | Disciplinaries | Where applicable, we retain records of any disciplinary proceedings |
Employee | Absence Records | Holiday, Sickness, and other absence is recorded |
Employee | Development Plans | Line managers may retain personal development plans and discussions |
Employee | CCTV Camera Footage | Video and images retained from security cameras for securing physical premises. |
Employee | Access Records | Digital logs of Access Control systems used for tracking and controlling access. |
Employee | Office Email | Used to service business communications and compliance. |
Employee | Office Messenger | Used to service business communications and compliance. |
Employee | Internet Access Logs | Used to manage the safe, secure and compliant use of internet access. |
Employee | Phone Call Recordings | Used for training, security and quality purposes. |
Emergency Contact | Name | This is the name of employee’s nominated emergency contact. |
Emergency Contact | Address | This is the address of employee’s nominated emergency contact. |
Emergency Contact | Phone Number | This is the contact number of employee’s nominated emergency contact. |
Employee | IP Address | The network address of your device or internet connection. |
Employee | Approximate Location | Your device’s approximate geographical location when accessing company data. |
Employee | Browser Type and Version | The type of Web Browser your device is using. |
Employee | Cookies | Special records in your browser to help the website operate. |
Employee | Web Usage and Analytics | Details of web pages visited and general information about behaviour and statistics. |
* Note: Not all employees will necessarily be subject to all processing activities as described.
How we process your personal data
We use your personal data, and some of our employees have access to such information, only to the extent required to carry out the purposes described within this notice.
We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal data during storage, processing and transit.
We are a Level 1 PCI-DSS certified organisation and are subject to regular and comprehensive security audits. We operate an ISO27001 compliant security programme to help protect your data at all times.
Some of our activities (for example ZenDesk) might use cloud platforms that operate from Third Countries outside of the EEA and UK. Where this is the case, we ensure that adequate safeguards are established to protect your data.
Your rights under Data Protection Law
Right to Access
You have the right of access to your personal data that we process and details about that processing.
You can raise a Data Subject Access Request (DSAR) to receive this information.
Right to Rectification
You have the right to request that information is corrected if it’s inaccurate.
You can contact us to make the changes on your behalf.
Right to Erasure (Right to be Forgotten)
You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request.
Right to Object
You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.
Right to Restriction of Processing
You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.
Right to lodge a complaint with a supervisory authority
If you think we have infringed your privacy rights, please contact us by sending an e-mail to dpo@parentpay.com, stating clearly in the subject that your request concerns a privacy matter and providing a clear description of your requirements.
Note: We may need to request additional information to verify your identity before we action your request.
If you feel that your concerns have not been addressed, you have the right to lodge a complaint with the relevant supervisory authority; in the United Kingdom this is the Information Commissioner’s Office. You can, however, lodge your complaint in the country where you live, your place of work or place where you believe we infringed your right(s).
Sharing personal data with third parties
We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations.
These service providers include:
- PeopleHR/HiBob – A cloud HR platform used to manage personnel records.
- Productivity Platforms – to facilitate business communications and activities (e.g. Microsoft Office365 and Atlassian).
- Hosting Providers – to manage our secure enterprise datacentres.
- Payroll and Tax Entities – to pay your salary and arrange tax deductions.
  - HMRC
  - Sage 50 / SageID / Sage200
- Benefits Suppliers – to enrol you into company schemes.
  - Childcare Vouchers
  - Cycle-to-work
  - Pension providers
  - Healthcare providers
  - Life Insurance
  - Eye-care vouchers
  - Employee Assistance Programmes
- Security Providers – to protect our systems from attack.
- Background Check Providers – to help conduct security and background checks.
- Telephony Providers – we might record calls for training, quality and security purposes.
- Training Platforms – for compliance training, team development and company product training.
- Support Portal (ZenDesk) – to provide internal and external support capabilities.
- ExpenseIn – to help you manage expenses with the finance team.
- Couriers and delivery networks – to send you equipment, correspondence, or benefits.
If we need to change or add additional third parties, we will always update our Privacy Notice accordingly.
We will only disclose your information to other parties in the following limited circumstances:
- where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
- where there is a duty to disclose in the public interest
- where disclosure is necessary to meet a legitimate interest e.g. to prevent or detect crime and fraud
- where you give us permission to do so e.g. by providing consent via an online application or consent form
How long we may keep your personal data
ParentPay need to retain some records to maintain compliance with applicable legislation – for example finance, taxation, fraud and money laundering law. We require certain records to be retained for an extended duration, in some cases for up to twelve years. Basic personnel records will be retained for six years past the cessation of employment, in line with the Limitation Act 1980; a more detailed record retention schedule is available upon request.
Changes to our Privacy Notice
This policy will be reviewed regularly and updated versions will be posted on our websites.
Contact details for our Data Protection Officer
We have appointed a Data Protection Officer (DPO); their contact details are as follows:
dpo@parentpay.com
or
Data Protection Officer, ParentPay, Coventry Building Society Arena, Phoenix Way, Coventry, CV6 6GE, United Kingdom