PRIVACY NOTICE FOR CANDIDATES AND EMPLOYEES OF TRC IN THE UK

GROUP ENABLING POLICY

Tindall Riley & Co Limited (“Tindall Riley”) respects the personal data that it controls and processes and is committed to safeguarding it.

Our privacy policies explain what personal data we collect about you and how we use it. If you wish to find out further details, your rights in relation to your personal data, or the procedures that we have in place to safeguard your privacy, then please read the policy or contact our privacy team at dataprotection@tindallriley.com.

This recruitment and employee privacy notice applies to candidates applying for roles with Tindall Riley, covering work undertaken for Tindall Riley itself or for one of the mutual insurers that is managed by Tindall Riley, which are: the Britannia Group[1]; the Griffin Insurance Association Limited; or the Wren Insurance Association Limited.

As a candidate, it is important that you read this Recruitment Privacy Notice, together with any separate privacy notices that may be provided when collecting personal data from you, as these explain how we collect and use your personal data as part of our recruitment process.

As a matter of principle, through our candidate privacy policy we will:

  1. Always abide by local law for the country or territory that we operate in
  2. Only collect data that we need to manage effective recruitment
  3. Only use the data for the purpose of recruitment for the role that you have applied for, unless you agree otherwise and
  4. Always give you the right to be forgotten and have your data deleted from our records, once there is no further reason for us to retain your personal data

Factors such as your nationality or the region in which our Business is located mean our compliance obligations include, but are not limited to: the General Data Protection Regulation (‘EU GDPR’) and the data protection laws applicable in the EEA countries where we operate, the UK General Data Protection Regulation (‘UK GDPR’) and the UK Data Protection Act 2018.

Country specific privacy notices are set out below

UK – RECRUITMENT DATA PRIVACY NOTICE

Protecting the privacy and security of your personal information is extremely important to us.  We want you to be clear on how your personal information is processed and how we comply with data protection laws.

This notice applies to prospective and actual employees whose personal information we hold in the context of a prospective or existing working relationship with Tindall Riley & Co Limited (“Tindall Riley”) in the UK.

If you have any questions about this notice, please speak to your recruitment contact or HR business partner.

A. Introduction – about this Privacy Notice

A1. About this Privacy Notice

This privacy notice does not form part of any contract of employment, or other contract to provide services.

Tindall Riley is committed to protecting your privacy. This notice tells you what personal information we collect, why we need it, how we use it in connection with the recruitment and on boarding processes during and after your employment or engagement with us and what protections are in place to keep your personal information secure. It also sets out your rights in relation to your personal information.

It is important that you read this notice, and any information notice that we may subsequently provide, carefully so that you remain aware of how and why we are processing your personal information.

We may update, or otherwise amend, this notice at any time and you will be notified of such amendments.

A2. About us

Tindall Riley & Co Limited acts as data controller in respect of the personal information that we process about you. This means that we are responsible for deciding how we hold and use personal information about you.

We have appointed a Data Protection Officer to oversee Tindall Riley’s compliance with data protection laws. The contact details of the Data Protection Officer are dataprotectionofficer@tindallriley.com.

If you have any questions about this notice, how we handle your personal information or you would like to update the information we hold about you, we strongly encourage you to speak to your recruitment contact in Tindall Riley (candidates) or HR business partner (current or former employees) in the first instance, but if you wish you can also contact the Data Protection Officer.

A3.  About you

Our obligations in relation to processing your personal information are set out in this notice, and in our Data Protection Policy and related procedures. The Data Protection Policy can be found on the intranet.

You also have responsibilities in relation to personal information, and must comply with our Data Protection Policy, which includes:

  • taking appropriate steps to protect the security of personal information
  • taking care when disclosing personal information to someone else, even a colleague
  • protecting your communications and devices
  • following other business processes in relation to the handling of customers’ personal information

B. What personal information do we hold about you?

B1. What is ‘personal information’?

Your ‘personal information’ means any information about you from which you can be identified – either by reference to an identifier (e.g. your name, location data or online identifier, such as an IP address) or from factors specific to your physical, cultural or social identity (e.g. your social background, outside interests etc).

It does not include information where the identity has been removed (such as anonymous information).

B2. What personal information do we process?

Tindall Riley collects and uses personal information that you provide as part of the recruitment and on-boarding processes or which we have received as part of background screening and vetting processes, as well as additional personal information that is collected in the course of your employment or engagement (e.g. for performance reviews).

We primarily use this personal information for the recruitment process, to comply with contracts of employment, or for managing the workforce and business purposes.

The personal information about you that we may collect, store and use includes, but is not limited to, the following categories of information:

  • General information such as your name, address, contact details (work and personal), date of birth, sex, marital status, dependents, next of kin and emergency contact information.
  • Recruitment information such as your right to work documentation, driving licence, references, employment records, salary and benefits history and other information included in a CV or covering letter or otherwise received by Tindall Riley as part of the application and on boarding process.
  • Financial information, such as your bank account details, payroll records, tax status information and national insurance / public service number.
  • Remuneration and benefits information, such as salary, pension, benefits and annual leave.
  • Current employment terms and employment records, such as start date, job title, workplace, working hours, attendance records, sick leave/ pay records, holiday and leave records, performance, disciplinary and grievance records, education and training records and professional memberships.
  • Images and recordings, such as CCTV footage, electronic records – e.g. entry card footage (where used), photographs, video images, voice recordings, information about your use of our IT and communications systems to the extent that this is required by law.
  • Information about family members (including dependents) for the purpose of providing benefits.

Please note that the type of personal information we collect about you will depend to some extent on your circumstances, your role and our legal obligations.

B3. What ‘special category’ personal information do we process?

Certain ‘special categories’ of more sensitive personal information (such as information about racial/ ethnic origin, sexual orientation, political opinions, religious/ philosophical beliefs, trade union membership, biometric or genetic data and health data) are given a higher level of protection by data protection laws.

The special categories of more sensitive personal information we may collect, store and use include, but are not limited to, the following categories of information:

  • Information about your race or ethnicity, gender identity, sexual orientation and disability to the extent that is allowed by law
  • Information about your health, including any medical condition and health and sickness records
  • Information about your criminal record (or lack of criminal record)

B4. Is providing personal information required?

The provision of your personal information is necessary to enter into an employment contract with Tindall Riley.

Where the personal information is processed to perform the employment contract or to comply with a legal obligation, its provision is mandatory. Failure to provide such personal information would prevent Tindall Riley from entering into or continuing the employment contract with you, or at least from performing its main obligations under the employment agreement.

Special category personal data is not requested without a clear business purpose.  Information about health is required where necessary to meet the Tindall Riley absence policy, to support reasonable adjustments to working conditions, sick pay and PHI, to monitor diversity and meet Health and Safety obligations, and where needed to pursue or defend a legal claim.

Criminal record information is required to assess the suitability of employees to work in a regulated business environment, with information required being proportionate to the seniority of the employee.

Information about your race or ethnicity, gender identity, sexual orientation, religious view or disability is requested to allow Tindall Riley to monitor its Diversity, Equality and Inclusion (DE&I) performance.  This information is not mandated and is processed with the consent of the candidate or employee.  Where information has been given, but you no longer consent to the data being held, please contact your recruitment point, HR business partner or, for employees, you can edit your special category data on the People Portal.

C. Where do we collect your personal information from?

C1. Where does your personal information come from?

We collect your personal information:

  • From you: we typically collect your personal information directly from you through the application and recruitment process.
  • In the course of job-related activities: throughout the period you are working for us, we collect additional personal information about you, including from your line manager, other managers and colleagues (e.g. feedback on your performance as part of the performance management process).
  • From third parties: we may sometimes collect additional information from third parties including former employers, credit reference agencies, medical officers or other background check agencies. Details of those third parties are available from your recruitment contact or HR business partner. The categories of personal information we may collect, store and use from third parties include, but are not limited to, the following:
      • References
      • Credit Checks
      • Occupational health reports
      • Criminal record check results to the extent allowed by law

    We will only seek this information in relation to successful candidates that have accepted a conditional offer of employment or engagement with us and we will specifically inform such candidates that we will be contacting these third parties in advance of doing so.

D. How will we use your personal information?

D1. What is the legal basis for using your personal information?

We will only process your personal information when the law allows us to. In most cases, we will process your personal information where it is necessary:

Basis 1 – to take steps necessary to enter into an employment contract or working relationship with you or to perform the contract we have entered into with you for the purposes of employment or engagement (e.g. your bank details in order to pay you)

Basis 2 – to comply with a legal obligation (e.g. provision of tax information to a government department or regulatory body)

Basis 3 – for our legitimate interests as a business and as an employer (or those of a third party). Where we rely on legitimate interests as the reason for processing personal information (e.g. to assess performance or for disciplinary purposes), we have considered whether those interests are overridden by any separate rights or freedoms of our workforce and have concluded that they are not.

We may also process your personal information in the following circumstances, but this is likely to be rare:

  • with your specific consent (for criminal record checks, credit checks and information in relation to the monitoring of Diversity, Equality and Inclusion performance)
  • where we need to protect your interests (or someone else’s interests)

D2. What is the purpose for processing your personal information?

We need all the personal information referred to above in B2. We process your personal information for several purposes including, but not limited to, the following. In relation to each, we have also identified the legal basis for processing your personal information by reference to each legal basis set out in D1 above:

  • Recruitment decisions and background checks conducted as part of the vetting process in connection with our recruiting and on boarding activities (1, 2, 3)
  • Diversity monitoring to the extent it is allowed by law (requires your consent)
  • Checking your legal entitlement to work in the country (2)
  • Administering your employment contract (1, 2)
  • Payroll (1, 2)
  • Providing and facilitating benefits (1, 2)
  • Education, training and development requirements (1, 2)
  • Recording and managing attendance (1)
  • Performance and salary reviews and promotions (1)
  • Disciplinary and grievance processes (1)
  • Recording and managing sickness absence and other leave (1, 2)
  • Business management/ planning (1, 2, 3)
  • Health and safety compliance (1, 2)
  • Tax and regulatory authority compliance (2)
  • IT and communications monitoring, security and compliance (1)
  • Managing actual and potential legal disputes, including accidents at work (1, 2, 3)
  • Managing the termination of your employment (1, 2, 3)

Some of the grounds for processing will overlap, and in some cases, there will be several grounds which justify our use of your personal information.

D3. Change of purpose

We will only use your personal information for the purposes for which we collected it – unless we reasonably consider that we need to use it for another purpose that is compatible with the original purpose.

If we need to use your personal information for an unrelated purpose, we will notify you and explain the basis upon which that is necessary.

D4. What is the legal basis for processing your ‘special category’ information?

We may process special categories of personal information when the law allows us to, which will be in the following situations:

  • Basis A – Where we need to do so to fulfil our legal obligations or exercise our rights in connection with employment (e.g. for making reasonable adjustments for individuals with a disability where this is required by law)
  • Basis B – Where it is needed to assess your working capacity on health grounds (e.g. for an occupational health report), subject to appropriate confidentiality safeguards
  • Basis C – Where it is necessary in order to establish, exercise or defend a legal claim
  • Where, in exceptional circumstances, it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent (e.g. in a medical emergency)
  • Basis D – With your explicit consent, where the processing is voluntary – this will only be in limited circumstances as set out in section B4, primarily relating to criminal record checks, financial checks and protected characteristics that help DE&I monitoring

D5. What is the purpose for processing ‘special category’ personal information?

‘Special categories’ of particularly sensitive personal information attract higher levels of protection, and we must have specific justification for collecting, storing and using this type of personal information.

We process special category data relating to you for a number of purposes including, but not limited to, the following. In relation to each, we have also identified the legal basis for processing your personal information by reference to each legal basis set out in D4 above.

Where we process such data, we will use such data in the following ways:

  • Tindall Riley’s People Portal provides individuals with the opportunity to voluntarily provide information relating to their race, ethnic origin, disability, gender identity, religious belief or sexual orientation for the purposes of equal opportunities monitoring and to better understand the effectiveness of its policies to enhance its Diversity, Equity and Inclusion (DE&I) offering. This information is processed for this purpose only with your consent (Basis D).
  • Wherever possible, the monitoring will be conducted based on anonymised data so that individuals cannot be identified.  The information processed for monitoring purposes will be maintained separately from general management and personnel records.
  • Information about your health, including any medical condition, health and sickness records to monitor and manage sickness absence, to assess your fitness to work, to provide appropriate workplace adjustments (where this is required by law), to ensure your health and safety in the workplace and to administer benefits (Basis A, Basis B and Basis C) is only accessed by those members of the HR and line management team needed to meet the business use.

D6. Information about criminal convictions

Criminal record information is required as well as credit checks and references to assess the suitability of employees to work in a regulated business environment, with information required and the frequency of checks being undertaken kept proportionate to the seniority of the employee.

E. Do we need your consent?

E1. When might we need your consent?

Section D1 sets out the limited circumstances where your consent is needed to process your personal information relating to criminal record checks, financial credit checks, some health information and the monitoring of DE&I.

In these cases we will approach you to obtain your explicit consent to allow us to process certain particularly sensitive data.  We will only seek and rely on your consent where you are fully informed and your consent can be freely given.

We will provide you with full details of the information that we require and the reason we need it, so that you can carefully consider whether you wish to consent.

E2. Your right to withdraw consent

If you do provide your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for that purpose.

If you wish to withdraw your consent, please speak to your local HR business partner in writing in the first instance, who will refer to the Data Protection Officer as needed.

F. What steps do we take to protect your data?

F1. How do we secure your data?

Tindall Riley has security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, or inappropriately altered or disclosed. Where processing includes special categories of Personal Data, additional security measures, such as greater access controls, are in place.

In addition, we limit access to your personal information to those who need to process that information for business reasons. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected information security breach and will notify you and any applicable regulator of a suspected breach as appropriate and in accordance with our legal obligations.

G. Who do we share your personal information with?

G1. Sharing your personal information within the Tindall Riley Group

Where this is relevant to their role, your line managers, certain HR professionals, and in some cases certain colleagues (i.e. where necessary to fulfil business requirements) will have access to some of your personal information.

G2. What is the legal basis for sharing your personal information with third parties?

We may share your personal information with third parties, including third party service providers and other Tindall Riley Group companies in the following situations:

  • where required by law
  • where it is necessary to administer the working relationship with you
  • where we have another legitimate interest in doing so, as a business and as your employer or prospective employer

In these circumstances, we require third parties to ensure the security of your personal information and to treat it in accordance with the law.

G3. What protections are in place?

The terms of our contracts with third parties include obligations on them in relation to what personal information they can process and what they can do with that information. All our third-party service providers, professional advisers and other entities in the Tindall Riley Group are required to take appropriate security measures to protect your personal information in line with our policies.

G4. Which third parties process your personal information?

We may disclose your personal information to the third parties listed below where relevant to the purposes described in this notice. This might include:

  • other companies within the Tindall Riley Group as part of business reporting activities on company performance, in the context of a business reorganisation or Group restructuring exercise, for system maintenance support and hosting of data
  • agents or contractors that provide services to us including, for example, payroll, pension administration, benefits provision and administration, IT services and background screening checks carried out as part of the recruitment process and any routine screening during the employment/working relationship
  • relevant tax bodies
  • visa and immigration authorities
  • regulatory authorities
  • professional advisers
  • medical officers, occupational health officers

Further details can be obtained from your local HR business partner.

Any questions or details required regarding pre-employment background screening checks should be directed to the HR Operations Team GroupHR@tindallriley.com and/or the Group Data Protection Officer dataprotection@tindallriley.com.

H. Which countries do we transfer data to?

H1. International data transfers

Your personal information may be disclosed to members of the Tindall Riley Group outside of the UK or European Economic Area (EEA). Those countries (being the US, Hong Kong, Singapore and Japan) require additional protections to meet legislation on data transfers and these are detailed in section G2 below.

Certain suppliers and service providers may also have personnel or systems located outside the UK and EEA, although this is assessed when engaging third parties and contractual obligations and other protections are put in place in order to progress with these suppliers. Your personal information may therefore be transferred outside the UK to non-EEA countries, details of which are available from your local HR business partner.

H2. What protections are in place?

Tindall Riley has data protection memoranda in place between its offices which regulate cross-border transfers of your personal information within the Group. These make use of the EU Standard Contractual Clauses in order to maintain the protection of personal data that is afforded by UK and EU legislation, but on a contractual basis.

Where we share your personal data with third parties who are outside the UK or the EEA, we will take steps to ensure that your personal information receives an adequate level of protection, for example by entering into the EU Standard Contractual Clauses or stipulating the countries in which data can be held.

You have a right to request further information relating to the transfer of your personal information and the safeguards in place.

If you require further information about this, you can request it from your local HR business partner.

I. How long do we use your personal information for?

I1. Data retention

We will retain your personal information only for as long as is reasonably necessary to satisfy the purposes for which it was collected, and for the purposes of satisfying any legal, accounting or reporting and regulatory requirements. These legal and other requirements require us to retain certain records for a set period of time, including following the termination of your employment. In addition, we retain certain records in order to resolve queries and disputes that may arise from time to time.

When you are no longer an employee, we will retain and subsequently securely destroy your personal information in accordance with our Data Retention policy. If you would like further details about the Records Retention policy, please speak to your local HR business partner.

We will typically retain personal data collected during the recruitment process in relation to an unsuccessful candidate for a maximum period of 12 months from the end of the process subject to any exceptional circumstances and/or to comply with particular laws or regulations.

We will typically retain personal data held in archived e-mails or other electronic files for seven years after cessation of employment for employees and 12 months for unsuccessful candidates.

If you are offered and accept employment with Tindall Riley, the personal data we collected during the application and recruitment process will become part of your employment record and we may use it in connection with your employment in accordance with this Privacy Notice.

J. What are your rights and responsibilities?

J1. Inform us of changes

Please ensure you inform us if your personal information changes while you are an employee or work with us as it is important that the personal information we hold about you is accurate and current. We also encourage you to monitor and update your personal information on Workday where appropriate.

J2. Failure to provide personal information

Certain information must be provided so that we can enter into a contract with you (e.g. your contact details, right to work in the country and payment details).  You also have some obligations under your contract to provide certain information to us (e.g. to report absences). Without this information, we may not be able to consider your suitability for employment or engagement or enter into an employment contract or working relationship with you or carry out the rights and obligations efficiently that arise as a result of the employment or working relationship.

In addition, you may have to provide us with information so that you can exercise your statutory rights (e.g. parental leave (where applicable)).  If you fail to provide the necessary information, this may mean you are unable to exercise your statutory rights.

J3. Your rights in relation to your personal information

You have several rights in relation to the personal information that we hold about you (subject to certain exemptions).

You have the following rights (subject to certain exemptions):

  • to make a data subject access request: to obtain a copy of the personal information we hold about you
  • to ask us to correct inaccurate personal information, including the right to have any incomplete information about you made complete
  • to ask us to erase your personal data where it is no longer necessary in relation to the purposes for which it was collected
  • to ask to restrict the processing of your personal information where:
    • the accuracy of the personal data is contested – while steps are taken to correct or complete it or to verify the accuracy
    • the processing is unlawful but the erasure of the personal data is not appropriate
    • we no longer require the personal data for the purposes for which it was collected but it is required for the establishment, exercise or defence of a legal claim
  • to object to processing which we have justified based on a legitimate interest – in which case the relevant processing will only continue where we have compelling legitimate grounds for processing your personal information
  • to object to any decisions based solely on automated decision making
  • to ask to obtain a portable copy of those parts of your personal data where we rely on consent or performance of the contract as the justification for processing, or to have a copy of that personal data transferred to a third party controller
  • to withdraw your consent to processing where, in rare circumstances, we have relied on your consent as the justification for processing your personal information
  • to ask to obtain a copy of any data transfer agreement, or to access information about safeguards under which your personal data is transferred outside of the UK or European Economic Area
  • to lodge a complaint with the appropriate supervisory authority. You have the right to raise any concerns regarding how your personal data is being processed with the Information Commissioner’s Office (ICO) by going to the ICO’s website: https://ico.org.uk/concerns/ or contacting the ICO on 0303 123 1113 or casework@ico.org.uk.

Subject access requests

There is generally no fee to access the personal information that we hold about you; however, we may charge a reasonable fee if your request is clearly unfounded or excessive or if you request further copies of the same information.

Alternatively, we may refuse to comply with a request that is unfounded or excessive.

No automated decision-making is performed regarding your personal data.

Further information about your rights is available from your HR business partner.

If you want to make one of these requests, please speak to your HR business partner or contact the Data Protection Officer at dataprotection@tindallriley.com.

[1] the Britannia Group means The Britannia Steam Ship Insurance Association Holdings Limited and its subsidiaries, including The Britannia Steam Ship Insurance Association Europe, The Britannia Steam Ship Insurance Association Limited, Universal Shipowners Marine Insurance Association Limited and the Britannia Group’s Hydra Cell