Edinburgh International Festival Society (“EIFS”) and Edinburgh Festival Centre (“EFC”) are data controllers for staff employed by our organisation.
This privacy notice explains how EIFS and EFC (in this privacy notice collectively “Edinburgh International Festival Society”, “EIFS”, “Edinburgh Festival Centre”, “EFC”, “Human Resources”, “Finance Team”, “we”, “us” and “our”) process information that identifies you, an employee of EIFS or EFC, as an individual (your personal information). Processing can refer to the initial collection as well as subsequent use, storage, access, disclosure and deletion of your personal information. With shared Human Resources, payroll and administrative functions, your personal information may be shared between EIFS and EFC as standard. We care about the privacy of our employees and take steps to keep your personal information secure. We may update this privacy notice when our processing changes and we recommend that you check this document regularly. The current notice is effective from 25 May 2018.
EIFS delivers the Edinburgh International Festival every year. We are a charitable company limited by guarantee. EFC is a wholly-owned trading subsidiary of EIFS, comprising our ticketing vendor Hub Tickets, our events management company The Hub Edinburgh and The Hub Café. EIFS is registered as the Edinburgh International Festival Society at the Information Commissioner’s Office and the data protection registration number is Z7668082. EFC is registered as the Edinburgh Festival Centre Ltd at the Information Commissioner’s Office and the data protection registration number is Z4955593. We operate in accordance with current data protection legislation at all times.
Contact details
Contact details for both Edinburgh International Festival Society and Edinburgh Festival Centre are:
The Hub
Castlehill
Edinburgh
EH1 2NE
You can contact us by telephone on +44 (0)131 473 2099, through our website contact form at www.eif.co.uk/contact-us and by email at contact@eif.co.uk.
If you would like to speak to someone about your personal information and its use, please contact our data protection lead contact at dataprotection@eif.co.uk.
If you would like to speak to Human Resources, please contact the HR Manager by email at Kirsten.Stewart@eif.co.uk or by telephone on 0131 473 2087.
In this privacy notice, we outline the personal information we collect and process in relation to paid employees of EIFS and EFC. The privacy notice will also cover job applicants who apply for paid employment opportunities with us as well as employees who leave paid employment with us (“leavers”). For information on additional staff groups, including volunteers, interns, freelancers, the Edinburgh Festival Chorus and the Edinburgh International Festival Society Board, please refer to the additional privacy notices we have provided.
We only collect and process personal information relating to our employees where we have a valid lawful basis for doing so. The personal information we process is either (1) provided directly by you as a job applicant or employee with EIFS or EFC, (2) obtained from third parties, or (3) created by us in the course of job-related activities during your employment/engagement with us. Data may be obtained from the following third parties: former employers or additional referees you provide to us, background-check agencies and/or recruitment agencies. We have worked in the past with a number of recruitment agencies, e.g. Execucare and Redmill Consulting.
We normally process job applications for positions at EIFS and EFC through our web-based recruitment and HR administration software, teamdetails. This software is available to our employees and job candidates through the world wide web at an agreed URL.
From time to time we will recruit for special, short-term or casual roles where we will ask for job applications to be sent directly to a specific department – you can read more in our privacy notice for self-employed workers.
The personal information we process in regard to our job applicants will normally include:
Legitimate interests – Recruitment
We process your personal information throughout our recruitment cycle on the basis of our legitimate interest in hiring qualified people to take up positions within our organisation. We review applications, organise interviews, hold interviews, and record and communicate recruitment outcomes. For some higher-level or permanent roles, we may organise aptitude or competency exercises to assist us in fairly evaluating the most suitable candidate.
We have a further legitimate interest in retaining application documentation related to all successful job applicants: this information will form a part of the employee personnel file. For unsuccessful job applicants, we retain application documentation for the nine-month period after the recruitment cycle ends, in case of claims being lodged by applicants or in case another recruitment opportunity arises for which the applicant may be suitable.
When you take the time and effort to make applications via our teamdetails website, we believe you have a reasonable expectation that we will process all of the personal information you have shared with us so that we can fulfil our recruitment purposes.
We regularly process personal information relating to our current employees through our HR web portal teamdetails, our Human Resources Department and our Finance Team. We undertake processing in order to fulfil our contractual and legal obligations as well as to meet our legitimate interests as a charitable company and employer.
We use your personal information for (1) human resources management; (2) staff administration and operational purposes; (3) detecting or preventing any inappropriate behaviour or breach of our policies including protecting our intellectual property, confidential information and assets; (4) making contact in an emergency; (5) ensuring that our (or any of our subsidiaries’) systems are used primarily for business purposes, have sufficient capacity for the needs of the business and are protected against cybersecurity threats such as malware; (6) for the purposes of any potential and/or actual litigation or investigations concerning us or any subsidiary or its officers; and (7) to carry out appropriate criminal record and background screening checks.
We may hold different types of personal information depending on your role as an employee, your personal requirements and the longevity of your employment. Below is an overview of the types of personal information we may hold in regard to your employment with us.
For agency staff currently employed in our Finance and Hospitality teams, the personal information we hold about you will be limited to your name and contact details. All additional personal information will be collected and processed through your agency and we recommend you refer to their own privacy notice for more information.
teamdetails Personnel Files
Hardcopy Personnel Files
Additional Electronic Files
Performance of contract – Referees, contract and salary
We process personal information that is necessary for the performance of the employment contract between the employer (EIFS or EFC) and the employee. The personal information we process for the performance of employment contracts will normally include:
In addition:
Legal obligations
We process personal information that is necessary to meet our legal obligations under UK employment, social security, asylum and immigration, health and safety, equalities, statutory pay, income tax and national insurance, pension, protection of vulnerable groups and other relevant laws. The personal information we process for the purposes of meeting our legal obligations includes:
We regularly review UK legislation and the UK regulatory bodies to ensure that we follow the latest guidelines in meeting our legal obligations as an employer.
Legitimate interests
We process your personal information in accordance with our legitimate interests as a charitable company and an employer. Our legitimate interests require us to (1) ensure effective administration and management of your employment or engagement, benefits, management of the business and business continuity; (2) ensure our assets are protected, kept confidential and not used for inappropriate or unlawful purposes; (3) prevent, detect, or investigate unauthorised use of our systems and ensure we comply with law and our policies; (4) ensure we can contact you or your family in the case of an emergency; (5) manage performance and promotion processes; (6) manage training and development requirements; (7) deal with disputes and accidents and take legal or other professional advice; (8) prevent fraud; and (9) ensure network and information security. These legitimate interests allow us to manage our business as effectively and efficiently as possible, while ensuring our employer interests are balanced with your interests as an employee and your rights in the workplace. The personal information we process for the purposes of our legitimate interests may include:
In addition:
Leavers (employees who cease paid employment with us) should be aware that we will retain personal information in order to meet our ongoing legal obligations and legitimate interests. However, we will not retain personal information about our leavers where it is unnecessary for us to do so. Personnel files will be kept for six years after employment ceases, though contracts, including breach of contract information, settlements and other legal documentation, may be retained for longer periods to provide for potential litigation under the statute of limitations.
Full details of our retention of employee records are given in the ‘retention’ section below.
Several categories of personal information are classified as sensitive ‘special category’ data that require additional conditions be met before processing proceeds. EIFS and EFC are committed to protecting the special category personal information of employees when we engage in processing of this nature. Access to special category information that is shared with us by job applicants, current employees and former employees is restricted and monitored both online and offline. All managerial staff granted access will be made aware of their confidentiality obligations and duty of care responsibilities in handling special category personal information. Security techniques including pseudonymisation, anonymisation and encryption may be deployed to keep information secure.
We will process your special categories of personal data (1) to comply with employment, social security, social protection and other laws and to record and administer sickness and maternity leave; (2) to ensure your health and safety in the workplace and to assess your fitness to work on health grounds subject to appropriate confidentiality safeguards and to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits; (3) to ensure meaningful equal opportunity monitoring and reporting (where relevant); (4) to on-board you as an employee and to administer your employment contract; and (5) to pay trade union premiums, using trade union membership information, and to comply with employment law obligations.
We will only collect information about criminal convictions via background screening if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you. In addition, where it is appropriate in relation to certain roles, we will also check criminal convictions periodically.
We will use information about criminal convictions and offences in the following ways: (1) where it is necessary to protect your interests, our interests and those of other employees or to protect clients and other third parties from theft, fraud and similar risks; and (2) where it is necessary in relation to legal claims. We are allowed to use your personal information in this way where it is necessary to carry out our employment rights and obligations.
Subject to us taking reasonable measures to ensure that the personal information of our employees is kept secure at all times, we may disclose and share your personal information in a number of ways, including:
teamdetails is a web-based recruitment and HR administration software provided to EIFS and EFC by InGenerator Ltd, a Scottish company. Except in a number of specific cases, personal information shared via the teamdetails site will be processed within the European Economic Area (EEA). Cases where personal information may be transferred to and/or accessed from outside the EEA include: an InGenerator staff member processing information from outside the EEA; additional international access enabled by end-to-end encryption; limited information, such as logging data, processed by a sub-processor located outside the EEA; and email messages processed internationally once they have left dedicated networks. Data processing contracts are in place between EIFS/EFC and InGenerator, and between InGenerator and any sub-processors they use, ensuring that your personal information is protected to the UK standard at all times.
We only share your information outside of the UK with data processors that can offer an appropriate level of data protection during (i) their own processing and (ii) any processing undertaken by sub-processors on their behalf. Microsoft Office 365 primarily uses datacentres located in the UK for UK-based customers and the Microsoft corporation participates in the EU-US privacy shield framework. Flow Hospitality processes data through a USA-based company called Rackspace that participates in the EU-US privacy shield framework.
We will share personal data with companies, organisations or individuals outside EIFS and EFC if we have a belief in good faith that disclosure of the information is reasonably necessary to: (1) meet any applicable law, regulation, legal process or enforceable governmental or regulatory request, for example to public authorities/bodies (for tax and social security administration); (2) enforce your employment agreement with us, including investigation of potential violations; (3) detect, prevent or otherwise address fraud, security or technical issues; (4) protect against harm to the rights, property or safety of us or our subsidiaries, our employees, contractors, customers or the public, as required or permitted by law.
Our employees should be aware that we use CCTV on our premises at The Hub. CCTV is used for maintaining the security of the property and premises and for preventing and investigating crime. It may also be used to monitor staff when carrying out work duties. For these reasons, the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required, this information is shared with the data subjects themselves, employees and agents, service providers, police forces, security organisations and persons making an enquiry.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. In general terms this means that we will retain your personal information for the duration of your employment/engagement with us and for the length of any applicable limitation period for claims which might be brought against us later. There are also certain types of information, such as tax records, which require to be retained for a certain period by law.
EIFS and EFC place a high importance on the privacy of employees. We take steps to keep personal information secure throughout our recruitment and HR processing activities:
All of our employees have rights in relation to the personal information we process. Depending on our lawful basis for processing certain types of personal information, you will be able to exercise different rights:
Please note that some information in the employment context may come under the ‘confidentiality of communications’ exemption from subject access. If you have any queries about how we use your personal information as an employee, you can contact the HR manager or send details of your query to dataprotection@eif.co.uk. For a full overview of your privacy rights or if you would like to lodge a complaint with the supervisory authority, please contact the Information Commissioner’s Office at www.ico.org.uk.