General Data Protection Regulation (GDPR) and the Data Protection Bill


Policy Statement


Purpose and Scope

1. This Policy Statement sets out the New Directions Support (NDS) approach to HR-related data protection. It includes NDS’s commitment to data protection, and individual rights and obligations in relation to personal data.
The Policy Statement applies to the personal data, referred to as HR-related personal data, of employees, workers, apprentices, volunteers, contract for service providers, and former employees. NDS maintains separate Privacy Notices in relation to job applicants, and Service Users and their Carers.

2. NDS is committed to being transparent about how it collects and uses the personal data of employees of the Company, and to meeting its data protection obligations.

3. NDS has designated Collette Salt, Finance & Administration Co-ordinator, as the person with responsibility for data protection compliance. Questions about this Policy Statement, or requests for further information should be directed to Jill Aldridge who can be contacted via email at

4. NDS will provide training to all individuals about their data protection responsibilities. This will include coverage as part of the new employee Welcome Programme, and periodic briefings as part of NDS’s internal communication arrangements.
Individuals whose job roles require regular access to personal data, or who are responsible for implementing this Policy Statement or responding to subject access requests, will receive additional training to help them understand their duties and obligations, and how to comply with them.

NDS’s data protection principles

5. NDS processes HR-related personal data in accordance with the following data protection principles –

o It processes personal data in a lawful, fair, and transparent manner o It collects personal data only for specified, explicit, and legitimate purposes
o It processes personal data only where it is adequate, relevant, and limited to what is necessary for the purposes of processing
o It keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay o It keeps personal data only for the period necessary for processing o It maintains appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and also accidental loss, destruction, or damage

6. Using Privacy Notices, NDS tells individuals about the legal basis and reasons for processing their personal data, and how it uses such data. The Privacy Notices will also set how personal data gathered during employment or engagement is held, together with the periods of time that NDS retains HR
related personal data.

NDS will promptly update HR-related personal data where an individual advises that the relevant information about them has changed or is inaccurate.

Importantly, where NDS processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with relevant additional safeguards as set out in the GDPR and the Data Protection Bill.

7. In accordance with the requirements of the GDPR, NDS maintains a record of its processing activities in respect of HR-related personal data.

Individual rights

  8. As a data subject, an employee has the right to make a subject access request. To make a subject access request, the employee should send the request to the person designated in paragraph 3 of this Policy Statement.

In some cases NDS may need to ask the individual for proof of identification before the request can be processed. In such cases NDS will properly inform the individual and advise the type(s) of proof of identity needed.

9. NDS will normally respond to a subject access request within one month from the date it is received. NDS will write to the individual within one month of receiving the original request to advise if the response time will be extended to the maximum three months, together with an explanation for the permissible reason for the extended response period.

10. In response to a subject access request, NDS will tell the individual –

o Whether or not the individual’s data is processed and if so why, the categories of personal data concerned, and the source of the data if it is not collected from the same individual
o To whom the individual’s data is or may be disclosed, including to recipients outside the UK and the safeguards that apply to such transfers o For how long the individual’s data is stored
o The individual’s rights to rectification or erasure of data, or to restrict or object to processing
o The individual’s right to complain to the Information Commissioner if they think NDS has failed to comply with their data protection rights o Whether or not NDS carries out automated decision-making and the logic involved in any such decision-making

11. NDS will provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless the individual agrees otherwise.

If the individual wants additional copies, NDS will charge a fee based on the administrative cost of providing the additional copies.

12. If the subject access request is manifestly unfounded or excessive, NDS will not be obliged to comply with it. In these circumstances, NDS will notify the individual accordingly, including whether or not NDS will respond to the request.

Alternatively, and in light of the particular circumstances, NDS may decide to respond subject to payment by the individual of a fee that will be based on the administrative cost of responding to the request.

13. NDS will comply with all other rights that individuals have in relation to their personal data. These include the rights to –

o rectify inaccurate data
o stop processing or erase data that is no longer necessary for the purposes of processing
o stop processing or erase data if the individual’s interests override NDS’s legitimate grounds for processing data (where this is the reason for processing data)
o stop processing or erase data if processing is unlawful
o stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override NDS’s legitimate grounds for processing data

To exercise any of these rights, the individual should send their request to the person designated in paragraph 3 of this Policy Statement.

Individual responsibilities

14. Individuals are responsible for helping NDS to keep their personal data up to date. Individuals should notify NDS if any personal data provided to NDS changes eg home address, bank details, etc.

15. Individuals may have access to the personal data of other individuals in the course of their employment or engagement with NDS. Where this applies, NDS requires such individuals to help it to meet its data protection obligations.

16. Individuals who have access to personal data are required –

o To access only data that they have authority to access, and only for authorised purposes
o Not to disclose personal data to individuals, whether inside or outside NDS, who have appropriate authorisation
o To keep personal data secure, properly using all control and security arrangements
o Not to remove personal data in any form or using any devices from NDS premises without authorisation and without adopting appropriate additional security arrangements
o Not to store personal data on personal devices or in other insecure ways (eg local computer drives) that are used for work purposes

Failure to observe these requirements may amount to a disciplinary offence, which will be dealt with in accordance with the NDS disciplinary procedure. Significant or deliberate breaches of this Policy Statement (eg accessing personal data without a legitimate reason to do so and the appropriate authorisation) may constitute gross misconduct and could lead to dismissal without notice.

Data Security

17. NDS takes the security of HR-related data seriously. NDS uses internal policies and controls to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed other than by employees in the proper performance of their duties with NDS.

NDS may transfer personal data to countries outside the UK. If we do, individuals can expect a similar degree of protection in respect of their personal data.

18. Where NDS engages third parties to process personal data on its behalf, such parties operate in accordance with the appropriate NDS control policies and arrangements, together with a duty of confidentiality and an obligation to implement appropriate technical and organisational measures to ensure the security of data.

19. Some of the processing that NDS carries out may result in risks to privacy. Where processing would result in a high risk to individual’s rights and freedoms, NDS will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals, and the measures that can be put in place to mitigate the identified risks.

Data breaches

20. NDS will record all data breaches, regardless of their effect or assessed impact.

21. If NDS discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, NDS will report it to the Information Commissioner within 72 hours of discovery.

22. If the data breach is likely to result in a high risk to the rights and freedoms of individuals, NDS will tell all such affected individuals that there has been a breach. NDS will also provide the affected individuals with information about its likely consequences and the mitigation measures it has taken.

Document reference
NDS HR – GDPR Policy – Employment 06012021
Formally adopted by the trustees on 20.01.2021