1. Privacy Commitment
Edinburgh International Festival Society (“EIFS”) and Edinburgh Festival Centre (“EFC”) are data controllers for staff employed by our organisation.
This privacy notice explains how EIFS and EFC (in this privacy notice collectively “Edinburgh International Festival Society”, “EIFS”, “Edinburgh Festival Centre”, “EFC”, “Human Resources”, “Finance Team”, “we”, “us” and “our”) process information that identifies you, an employee of EIFS or EFC, as an individual (your personal information). Processing can refer to the initial collection as well as subsequent use, storage, access, disclosure and deletion of your personal information. With shared Human Resources, payroll and administrative functions, your personal information may be shared between EIFS and EFC as standard. We care about the privacy of our employees and take steps to keep your personal information secure. We may update this privacy notice when our processing changes and we recommend that you check this document regularly. The current notice is effective from 25 of May 2018.
EIFS delivers the Edinburgh International Festival every year. We are a charitable company limited by guarantee. EFC is a wholly-owned trading subsidiary of EIFS, comprising our ticketing vendor Hub Tickets, our events management company The Hub Edinburgh and The Hub Café. EIFS is registered as the Edinburgh International Festival Society at the Information Commissioner’s Office and the data protection registration number is Z7668082. EFC is registered as the Edinburgh Festival Centre Ltd at the Information Commissioner’s Office and the data protection registration number is Z4955593. We operate in accordance with current data protection legislation at all times.
Contact details for both Edinburgh International Festival Society and Edinburgh Festival Centre are:
You can contact us by telephone +44 (0)131 473 2099, through our website contact form www.eif.co.uk/contact-us and by email firstname.lastname@example.org.
If you would like to speak to someone about your personal information and its use, please contact our data protection lead contact email@example.com.
If you would like to speak to Human Resources, please contact the HR Manager by email Kirsten.Stewart@eif.co.uk or by telephone 0131 473 2087.
2. Our Employees
In this privacy notice, we outline the personal information we collect and process in relation to paid employees of EIFS and EFC. The privacy notice will also cover job applicants who apply for paid employment opportunities with us as well as employees who leave paid employment with us (“leavers”). For information on additional staff groups, including volunteers, interns, freelancers, the Edinburgh Festival Chorus and the Edinburgh International Festival Society Board, please refer to the additional privacy notices we have provided.
3. The personal information we collect and the purposes for which it is processed
We only collect and process personal information relating to our employees where we have a valid lawful basis for doing so. The personal information we process is either (1) provided directly by you as a job applicant or employee with EIFS or EFC (2) obtained from third parties or (3) created by us in the course of job-related activities during your employment/engagement with us. Data may be obtained from the following third parties: former employers or additional referees you provide to us, background-check agencies and/or recruitment agencies. We have worked in the past with a number of recruitment agencies, e.g. Execucare and Redmill Consulting.
3.1 Job Applicants
We normally process job applications for positions at EIFS and EFC through our web-based recruitment and HR administration software, teamdetails. This software is available to our employees and job candidates through the world wide web at an agreed URL.
From time to time we will recruit for special, short-term or casual roles where we will ask for job applications to be sent directly to a specific department – you can read more in our privacy notice for self-employed workers.
The personal information we process in regard to our job applicants will normally include:
- completed application forms or curriculum vitaes comprising personal contact details, education, employment history, work experience, and suitability and motivation for the role
- contact details for two referees, one of which will be a previous employer, if required for the role
- covering letters, if required for the role
- supporting documentation provided by job applicants, for example, education and training certificates
- equal opportunities monitoring information – you can read more in the section ‘special category personal information’ below
- correspondence and scheduling information if a job applicant is invited to interview
- aptitude or competency exercises, if required for the role
- notes on interview performance and recruitment outcome if a job applicant proceeds to attend an interview.
Legitimate interests – Recruitment
We process your personal information throughout our recruitment cycle on the basis of our legitimate interest in hiring qualified people to take up positions within our organisation. We review applications, organise interviews, hold interviews, and record and communicate recruitment outcomes. For some higher-level or permanent roles, we may organise aptitude or competency exercises to assist us in fairly evaluating the most suitable candidate.
We have a further legitimate interest in retaining application documentation related to all successful job applicants: this information will form a part of the employee personnel file. For unsuccessful job applicants, we retain application documentation for the nine-month period after the recruitment cycle ends, in case of claims being lodged by applicants or in case another recruitment opportunity arises for which the applicant may be suitable.
When you take the time and effort to make applications via our teamdetails website, we believe you have a reasonable expectation that we will process all of the personal information you have shared with us so that we can fulfil our recruitment purposes.
3.2 Current employees
We regularly process personal information relating to our current employees through our HR web portal teamdetails, our Human Resources Department and our Finance Team. We undertake processing in order to fulfil our contractual and legal obligations as well as to meet our legitimate interests as a charitable company and employer.
We use your personal information for (1) human resources management; (2) staff administration and operational purposes; (3) detecting or preventing any inappropriate behaviour or breach of our policies including protecting our intellectual property, confidential information and assets; (4) making contact in an emergency; (5) ensuring that our (or any of our subsidiaries’) systems are used primarily for business purposes, have sufficient capacity for the needs of the business and are protected against cybersecurity threats such as malware; (6) for the purposes of any potential and/or actual litigation or investigations concerning us or any subsidiary or its officers; and (7) to carry out appropriate criminal record and background screening checks.
We may hold different types of personal information depending on your role as an employee, your personal requirements and the longevity of your employment. Below is an overview of the types of personal information we may hold in regard to your employment with us.
For agency staff currently employed in our Finance and Hospitality teams, the personal information we hold about you will be limited to your name and contact details. All additional personal information will be collected and processed through your agency and we recommend you refer to their own privacy notice for more information.
teamdetails Personnel Files
- equal opportunities data
- Application forms
- Contract of employment
- Bank details
- Contact and emergency contact details
- Statutory pay information
Hardcopy Personnel Files
- Earnings arrestment notice
- Student loan repayment start and stop notice
- Tax code change notice
- Statutory pay information
- Doctors’ letters
- Signed occupational health referrals
- Occupational health Reports
- Training and CPD records
- Hardcopy disciplinary, grievance and employee relations files
- Hardcopy pension files
Additional Electronic Files
- Trade union membership email archive
- Absence records
- Draft occupational health referrals
- Digital disciplinary, grievance and Employee relation files
- Digital pension files
- Bank details saved to Bankline
- Busybees and Cycle to Work email archive
Performance of contract – Referees, contract and salary
We process personal information that is necessary for the performance of the employment contract between the employer (EIFS or EFC) and the employee. The personal information we process for the performance of employment contracts will normally include:
- contact details of referees in order to take up and store references where job offers are made conditional on suitable references being provided
- names and signatures to agree binding contracts detailing the terms and conditions of employment
- timesheets in order to make regular wage payments as per the hourly rates agreed in the employment contract
- bank details, collected and stored via teamdetails and additionally saved to our banking software Bankline, in order to make regular wage payments as per the amounts agreed in the employment contract.
- we use Sage Payroll to process payroll.
We process personal information that is necessary to meet our legal obligations under UK employment, social security, asylum and immigration, health and safety, equalities, statutory pay, income tax and national insurance, pension, protection of vulnerable groups and other relevant laws. The personal information we process for the purposes of meeting our legal obligations includes:
- proof of right to work as per guidelines from the Home Office
- national insurance numbers as well as HMRC tax code information and change notices to ensure tax is deducted accurately when we run payroll
- basic personal and financial information to comply with child support and earning arrestment deductions through payroll
- HMRC student loan repayment start and stop notices in order to make accurate student loan deductions when we run payroll
- staff national insurance, tax and salary information in order to provide statutory PAYE reports to HMRC and to provide auditable payroll archives
- staff payslips, either electronically or by paper, showing earnings, tax and pension contributions as per employee rights under UK employment law
- wage tracking and review to ensure we comply with national minimum wage legislation and adjustments to the rate of this
- information saved to personnel files recording statutory pay information, including statutory sick pay (SSP), statutory maternity, paternity and adoption pay (SMP, SPP, SAP) and statutory shared parental pay (ShPP)
- absence records detailing employee name and absence dates in order to make accurate statutory sick payments to which employees are entitled – you can read more in the section ‘special category personal information’ below
- annual leave and holiday records to comply with legal obligations under the working time regulations
- pension information including pension joiner forms, pension contribution updates and pension correspondence to meet our employer obligations under current pension legislation
- processing and reporting to HMRC information regarding taxable benefits and expenses made to employees, such as childcare and cycle to work
- health and safety reporting via the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) and statutory accident reporting in the workplace, which may on occasion include employee personal information such as name and injury health data – you can read more in the section ‘special category personal information’ below
- training provision and training certification saved to personnel files to evidence statutory health and safety training for employees, for example, statutory hospitality and first aid training
- information related to the trade union membership of employees, namely the UK’s media and entertainment trade union BECTU, including membership dates, premiums, timesheets and scheduling information – you can read more in the section ‘special category personal information’ below
- disclosure certification for employees working with vulnerable groups in order to meet our requirements under the protection of vulnerable groups legislation and carried out under the control of the official authorities in Scotland – you can read additional information in the ‘Criminal Convictions’ section below
- information as above may be retained within leaver personnel files when employees cease employment with us - you can read more in the ‘leaver’ and ‘retention’ sections below.
We regularly review UK legislation and the UK regulatory bodies to ensure that we follow the latest guidelines in meeting our legal obligations as an employer.
We process your personal information in accordance with our legitimate interests as a charitable company and an employer. Our legitimate interests require us to (1) ensure effective administration and management of your employment or engagement, benefits, management of the business and business continuity; (2) ensure our assets are protected, kept confidential and not used for inappropriate or unlawful purposes; (3) protect prevent, detect, or investigate unauthorised use of our systems and ensure we comply with law and our policies; (4) ensure we can contact you or your family in the case of an emergency; (5) manage performance and promotion processes; (6) manage training and development requirements; (7) deal with disputes and accidents and take legal or other professional advice; (8) prevent fraud; and (9) ensure network and information security. These legitimate interests allow us to manage our business as effectively and efficiently as possible, while ensuring our employer interests are balanced with your interests as an employee and your rights in the workplace. The personal information we process for the purposes of our legitimate interests may include:
- both personal and work contact details for the purposes of providing you with relevant staff communications, for example, adverse weather warnings, public holiday information, office closures, major incidents, policy updates and corporate information
- professional details and activity logs routinely shared within our information management system comprising our ICT Team, Microsoft Office 365 and our own dedicated network that enables our day-to-day business
- staff photographs in order to create staff ID passes for building access, security and property management
- emergency contact details should you have an injury, incident or emergency in the workplace
- salary information, including historical salary information, for the purposes of processing salary increases
- salary and wage payment back-ups and correspondence between our Human Resources Manager and our Finance Team
- information related to redundancy, which may include your name and job title plus the context of redundancy
- personal appearance and behavioural information recorded via the CCTV system in operation on our premises – you can read more in the ‘CCTV’ section below
- monitoring and interception of employee telecommunications on the internal network to ensure that work standards are being met, to ensure that our assets are protected, kept confidential and not used for inappropriate or unlawful purposes and to prevent, detect or investigate unauthorised use of the system and to ensure we comply with the law and our policies
- personal information stored via teamdetails and hardcopy personnel files that allows us to manage our employees to the best of our ability and provide for their professional development in the workplace, including original recruitment and application documents, training certificates and continuous professional development (CPD) records
- participation information necessary to provide non-statutory benefits to employees, including Busybees childcare vouchers (in the process of being replaced with the government’s tax-free childcare scheme) and cycle-to-work membership
- health data that is processed for occupational health purposes to meet our legitimate interest in providing a safe working environment and ongoing support for our employees, including referral documentation; correspondence with our occupational health provider to organise employee appointments; occupational health reports saved to personnel files; and further actions to follow up on occupational health recommendations - you can read more in the section ‘special category personal information’ below
- names, contact details and/or biographical information of employees for use on our official websites and social media channels as part of our client and customer engagement strategies
- employees in customer-facing roles may also be required to wear name badges and have their name printed on customer receipts as part of our client and customer engagement strategies
- disciplinary information including lateness records, correspondence and case information in order to manage employee relations, claims, disputes and grievances – you can read more in the section ‘employee rights’ below.
- we have a legitimate interest in using online applications to reduce paper usage where possible in order to meet our sustainability commitments as a Green Arts Initiative member, including our preference for electronic payslips and electronic expense claims
- we have a legitimate interest in using data processors and data systems to help us manage our recruitment, payroll and HR functions as efficiently as possible – you can read more in the section ‘How we share employee personal information’ below.
Leavers (employees who cease paid employment with us) should be aware that we will retain personal information in order to meet our ongoing legal obligations and legitimate interests. However, we will not retain personal information about our leavers where it is unnecessary for us to do so. Personnel files will be kept for six years after employment ceases, though contracts- including breach of contract information, settlements and other legal documentation- may be retained for longer periods to provide for potential litigation under the statute of limitations.
Full details of our retention of employee records is given in the ‘retention’ section below.
4. Special Category Personal Information
Several categories of personal information are classified as sensitive ‘special category’ data that require additional conditions be met before processing proceeds. EIFS and EFC are committed to protecting the special category personal information of employees when we engage in processing of this nature. Access to special category information that is shared with us by job applicants, current employees and former employees is restricted and monitored both online and offline. All managerial staff granted access will be made aware of their confidentiality obligations and duty of care responsibilities in handling special category personal information. Security techniques including pseudonymisation, anonymisation and encryption may be deployed to keep information secure.
We will process your special categories of personal data to (1) comply with employment, social security, social protection and other laws and to record and administer sickness and maternity leave; (2) to ensure your health and safety in the workplace and to assess your fitness to work on health grounds subject to appropriate confidentiality safeguards and to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits; (3) to ensure meaningful equal opportunity monitoring and reporting (where relevant), (4) to on-board you as an employee and for administrating your employment contract, and (5) we will use trade union membership information to pay trade union premiums and to comply with employment law obligations.
- During our recruitment tracks, we will ask job applicants to submit equal opportunities information including age, disability, ethnicity, gender, religion and belief, and sexual orientation. We will use this information to ensure meaningful equal opportunity monitoring and reporting. We do not need your consent if we use this information in accordance with our written policy to exercise specific rights in the field of employment law. Equalities information is currently anonymised when it is shared with our HR Manager.
- We may on occasion process trade union information in relation to certain employees, such as trade union premium payments, timesheets and scheduling information to comply with members’ rights. We process trade union information to meet our legal obligations as an employer when we recognise a trade union. We are allowed to use your information in this way in order to exercise specific rights and meet our obligations in the field of employment law.
- We may process the health data of employees when we organise and follow up on occupational health appointments, should these be required. We have a legitimate interest in providing a secure work environment, choosing a suitable occupational health provider and ensuring our staff are fit for work. We are allowed to use your information in this way as it is necessary for the purposes of preventative or occupational medicine and/or necessary for the assessment of the working capacity of employees.
- Health data pertaining to employees may additionally be included in our absence and statutory payment records, however, under normal circumstances absence tracking is recorded in a way from which no health inference can be made from the data. When health inferences can be made, we process information in this way to meet our legal obligations to provide statutory sick, maternity, paternity, adoption and shared parental leave/pay to employees. We are allowed to use information in this way in order to exercise specific rights and meet our obligations in the fields of employment and social security law.
- Health data pertaining to employees may additionally be included in our statutory health and safety reporting. Health data disclosed to the Health and Safety Executive in this way will either be anonymised or, where this is not possible, we will seek your explicit consent if required for the reporting.
5. Information about criminal convictions
We will only collect information about criminal convictions via background screening if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you. In addition, where it is appropriate in relation to certain roles, we will also check criminal convictions periodically.
We will use information about criminal convictions and offences in the following ways (1) where it is necessary to protect your interests, our interests and those of other employees or to protect clients and other third parties from theft, fraud and similar risks; and (2) where it is necessary in relation to legal claims. We are allowed to use your personal information in this way where it is necessary to carry out our employment rights and obligations.
6. Sharing and data processing
Subject to us taking reasonable measures to ensure that the personal information of our employees is kept secure at all times, we may disclose and share your personal information in a number of ways, including:
- internal sharing, for example, between EIFS and EFC, the HR Manager and the Finance Team and/or between the HR manager and relevant line managers
- internal sharing within our information management system comprising our ICT Team, Microsoft Office 365 and our own dedicated network, including log-on and telephony information, activity and incident logs related to user accounts as well as professional information and activities outlined in official documents such as minutes from meetings, emails and project documents
- sharing with our web-based recruitment and HR administration software, teamdetails
- sharing with future and prospective employers, for example, when we provide references for you at your request
- sharing with recruitment agencies, such as Execucare and Redmill Consulting, that carry out pre-employment screening and background checks on our behalf
- sharing with consultants, legal advisors and other professional advisors
- sharing with UK statutory and regulatory bodies, including HMRC, the Home Office, the Pensions Regulator, the Department of Work and Pensions, the Health and Safety Executive and Disclosure Scotland
- sharing with government agencies or any other authorised body where we are required to do so to comply with a law or court order
- sharing with additional authorised auditors
- sharing of relevant pension information with our current staff pension providers, including Standard Life, Lothian Pension Fund, The People’s Pension and Royal London Group
- personal information including special category health data may be shared with our occupational health provider
- our weekly and monthly payroll information is shared via Sage 50 payroll software installed locally on a server at The Hub; our banking software, Bankline; and salary information back-ups shared on the cloud through Microsoft Office 365
- we currently share employee expense claims, including basic personal information, via an online application called Claim Expenses developed by Creative Carbon Scotland and InGenerator
- sign-up information will be shared through the websites for the Busybees childcare voucher and Cycle to work schemes, should staff choose to make use of these benefits
- a number of our staff will receive online training through our selected training provider based in Edinburgh, Flow Hospitality Training, and basic personal information such as name, work email and job title will be shared through their online portal to allow module access
- a number of our staff, if required for their role, will share their name and contact details with our Scottish-based building security provider
teamdetails is a web-based recruitment and HR administration software provided to EIFS and EFC by InGenerator Ltd, a Scottish company. Except in a number of specific cases, personal information shared via the teamdetails site will be processed within the European Economic Area (EEA). Cases where personal information may be transferred to and/or accessed from outside the EEA include: an InGenerator staff member processing information from outside the EEA; additional international access enabled by end-to-end encryption; limited information, such as logging data, processed by a sub-processor located outside the EEA; and email messages processed internationally once they have left dedicated networks. Data processing contracts are in place between EIFS/EFC and InGenerator; and between InGenerator and any sub-processors they use ensuring that your personal information is protected to the UK standard at all times.
We only share your information outside of the UK with data processors that can offer an appropriate level of data protection during (i) their own processing and (ii) any processing undertaken by sub-processors on their behalf. Microsoft Office 365 primarily uses datacentres located in the UK for UK-based customers and the Microsoft corporation participates in the EU-US privacy shield framework. Flow Hospitality processes data through a USA-based company called Rackspace that participates in the EU-US privacy shield framework.
We will share personal data with companies, organisations or individuals outside EIFS and EFC if we have a belief in good faith that disclosure of the information is reasonably necessary to: (1) meet any applicable law, regulation, legal process or enforceable governmental or regulatory request, for example to public authorities/bodies (for tax and social security administration); (2) enforce your employment agreement with us, including investigation of potential violations; (3) detect, prevent or otherwise address fraud, security or technical issues; (4) protect against harm to the rights, property or safety of us or our subsidiaries, our employees, contractors, customers or the public, as required or permitted by law.
Our employees should be aware that we use CCTV on our premises at The Hub. CCTV is used for maintaining the security of the property and premises and for preventing and investigating crime. It may also be used to monitor staff when carrying out work duties. For these reasons, the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. In general terms this means that we will retain your personal information for the duration of your employment/engagement with us and for the length of any applicable limitation period for claims which might be brought against us later. There are also certain types of information, such as tax records, which require to be retained for a certain period by law.
EIFS and EFC place a high importance on the privacy of employees. We take steps to keep personal information secure throughout our recruitment and HR processing activities:
- hardcopy records are stored in locked cupboards in the HR office, with access restricted to the HR Manager
- all managers handling the personal information of job applicants, employees, leavers and other staff groups will be made aware of their confidentiality obligations and duty of care responsibilities
- we ensure the data protection and security compliance of all our data processors, data systems as well as any sub-processors they may additionally use when fulfilling our data controller instructions
- insofar as possible in relation to the different purposes we collect it for, we protect special category personal information through pseudonymisation, anonymisation and encryption.
- our own information management system is protected through a secure internet connection, boundary and local firewalls, secure devices and software, controlled access to data, virus and malware protection and regular patching in line with recommended timeframes
- teamdetails ensure that all of their staff and contractors are committed to confidentiality and to actively maintaining data security, ensuring personal information does not leave the production environment. Strong unique passwords, multi-factor authentication, secure connections and encryption are additional technical measures implemented to ensure security.
10. Employee Rights
All of our employees have rights in relation to the personal information we process. Depending on our lawful basis for processing certain types of personal information, you will be able to exercise different rights:
- you have the right to be informed about how we collect and process your personal information as an employee and we have provided this privacy notice to give you the information you require
- you have the right to withdraw or withhold consent where we rely on consent or explicit consent
- You have the right to object to our processing your personal information for reasons of our legitimate interests
- you have the right to correct your personal information in cases where the information we hold about you is inaccurate or incomplete and the easiest way to keep your personal information accurate is to manage it yourself via your teamdetails applicant/employee account
- you have the right to ask us to stop processing your personal information in certain circumstances, though the information may continue to be stored in our systems until a permanent decision is taken
- you can further request that we delete your personal information in a number of circumstances including when you withdraw consent, when you successfully object to processing and when the personal data we hold about you is no longer required for the purpose we collected it
- Under the General Data Protection Regulation 2018, you can request to see full details of the personal information that EIFS and/or EFC holds about you. You can send us a description of the information you would like to access using the contact details outlined in the ‘Privacy Commitment’ section or by emailing our data protection lead at firstname.lastname@example.org.
Please note that some information in the employment context may come under the ‘confidentiality of communications’ exemption from subject access. If you have any queries about how we use your personal information as an employee, you can contact the HR manager or send details of your query to email@example.com. For a full overview of your privacy rights or if you would like to lodge a complaint with the supervisory authority, please contact the Information Commissioner’s Office www.ico.org.uk