Last updated 14 July 2021

Introduction

UPP Group Holdings Limited (“UPP”) and its subsidiaries collect, use, and share personal data relating to their employees, workers, and contractors to manage the working relationship. UPP is committed to complying with its data protection obligations.

A full list of all UPP Companies is in Appendix 1.

This privacy notice describes how we collect, use, and share personal data about you during and after your working relationship with us. It applies to all employees, workers, and contractors.

UPP is a data “controller” for the purposes of the applicable UK data protection legislation. This means that we are responsible for deciding how, why and for how long we hold and use personal data about you.

The best contact details to use if you have queries about this privacy notice or about our handling of your personal data generally, are as follows:

UPP Compliance Team 

UPP Group Holdings Limited
1st Floor
12 Arthur Street
London
EC4R 9AB   

Telephone: 0207 398 7200
Email: compliance@upp-ltd.com

This notice applies to current and former employees, workers, and contractors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so an updated copy of this notice will be made available on the company’s intranet as soon as possible.

It is important that you read this notice and retain it together with any other separate specific privacy notices that we may provide when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information.

If you believe that we have not complied with your data protection rights, you can raise a grievance in line with our grievance procedures and you have the right to lodge a complaint with the Information Commissioner’s Office.

Data protection principles

We will comply with the data protection principles under the applicable data protection legislation when we process personal data about you.

The data protection principles are set out in UPP’s Data Protection Policy document which is available in the Policy Centre on Campus.

The principles are:

  1. Processed lawfully, fairly and in a transparent way (‘Lawfulness, fairness and transparency’).
  2. Collected only for specified, explicit and legitimate valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes (‘Purpose limitation’).
  3. Adequate, relevant, and limited to what is necessary for the purposes that we have told you about (‘Data minimisation’).
  4. Accurate and where necessary kept up to date (‘Accuracy’).
  5. Kept only as long as necessary for the purposes we have told you about and for which the data is processed (‘Storage limitation’).
  6. Processed securely using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage (‘Security, integrity and confidentiality’).
  7. UPP is responsible for and must demonstrate compliance with the principles listed above (‘Accountability’).

How we keep your personal information safe

We have put in place measures to protect the security of your information. Details of these measures are available from the ICT Security Manager. Third party data processors will only process your personal data under contract based on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal data from being accidentally or unlawfully used, destroyed, lost, altered, disclosed, or accessed. Details of these measures may be obtained from the ICT Security Manager.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. They must also comply with their obligations under a contract of service and in line with the applicable data protection legislation.

We have put in place procedures to deal with any suspected data security breach (our UPP Data Protection Guidelines on Handling Personal Data Breaches) and will notify you and any applicable regulator of a suspected breach without undue delay where we are legally required to do so.

The information we hold about you

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity of the individual has been removed (i.e., anonymous data).

On certain limited occasions you might also provide more sensitive personal information to us, known as “special category data”. This is explained in the section called ‘How we use ‘Special Category Data’’.

The categories of personal data that we collect, store, and use about you are set out in Appendix 2, along with the purposes for which we will process that data and the lawful reasons that we rely on to carry out that processing.

How is your personal data collected?

We collect personal data about you through the application and recruitment process either directly from you or sometimes from an employment agency. We will also collect additional personal data from you in the course of job-related activities throughout the period of you working for us and for personal development purposes, e.g., during a performance appraisal.

We collect additional information from third parties including: former employers, pension administrators and, where appropriate, your doctors, medical and occupational health professionals, your trade union, and other employees. We also conduct monitoring of our website, swipe card systems, CCTV and access control systems and use of the intranet from UPP devices.

How we will use information about you

Our obligations as an employer when using any type of personal data about you

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the following lawful reasons:

  1. Where we need to use the information so that we can perform a contract we have entered into with you, such as your employment contract with us.
  2. Where we need to use the information to comply with a legal obligation.
  3. Where it is necessary to use the information for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal data in the following situations, which are likely to be rare:

  1. Where we need to use the information to protect your vital interests (or someone else’s vital interests). For example, in a life and death type situation.
  2. Where we need to use the information to carry out a task in the public interest.

Situations in which we will use your personal information

We need all the categories of information in Appendix 2 primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal data to pursue our legitimate interests (or those of a third party) provided your interests and fundamental rights do not override those interests. Situations in which we will process your personal data are listed in Appendix 2 together with the purpose or purposes for which we are processing your personal information, as well as indicating which categories of data are involved.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for another compatible and legitimate purpose, we will notify you and we will explain the legal basis which allows us to do so.

How we use ‘Special Category Data’

On certain limited occasions you might also provide more sensitive personal information to us, known as “special category data”. Special category data includes information about a person’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data and data relating to a person’s sex life or sexual orientation. We only process this data in very limited circumstances, for example, it may be helpful to know about an employee’s medical condition or disability so that we can adapt their working environment for them.

Where we use “special categories” or particularly sensitive personal data relating to you, we need to have further justification for collecting, storing, and using these types of personal data. We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data. We may process these special categories of personal data in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  2. Where it is necessary for us to process your information to carry out our legal obligations or exercise our rights under employment law.
  3. Where the processing is necessary in the substantial public interests. Our processing for these purposes may include where we use the personal data:
     • For equal opportunities monitoring purposes;
     • To prevent or detect unlawful acts;
     • To comply with regulatory requirements relating to unlawful acts and dishonesty etc.;
     • To prevent or detect fraudulent acts or where there is suspicion of terrorist financing or money laundering;
     • For provision of confidential counselling;
     • For purposes of occupational pensions;
     • For purposes of occupational medicine; and
  4. Where the processing is necessary to administer our occupational pension scheme.
  5. Where the processing is necessary to assess your working capacity on health grounds, provided that our processing is subject to appropriate confidentiality safeguards and in compliance with the applicable data protection legislation.
  6. We will use trade union membership information to manage the payment of employee premiums to a trade union.

Our additional obligations as an employer when using your special categories of data

We will use your special category or other sensitive personal information in the following ways:

  • We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws;
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance, if applicable.
  • We will use any information provided voluntarily about your race or national or ethnic origin, to ensure meaningful equal opportunity monitoring and reporting.
  • Where we need to process the information in relation to legal claims.
  • Where we need to process the information for national security reasons.

The purposes for which we will process your different special categories of data are listed in Appendix 2.

Do we need your consent to process special categories of data about you?

We do not need your consent if we use special categories of personal data about you for one of the other reasons set out above.

In very limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like to process and the reason we need to do so, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us to process your personal data.

Processing in accordance with our other policies

Any personal data processed about you (including special categories of data) will be processed in accordance with the UPP Data Protection Policy, UPP Data Retention Policy, UPP Guidelines on Data Destruction as well as in accordance with UPP’s Data Protection Guidelines on Data Processing for HR Purposes.

Automated decision making

We do not envisage that any decisions will be taken about you based solely on automated decision-making; however, we will notify you if this position changes either by updating this Privacy Notice or by contacting you directly.

Information about criminal convictions and offences

We only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and exercise our rights and we will do so in line with the UPP Data Protection policy, Data Retention policy and UPP Guidelines on Data Destruction as well as in accordance with UPP’s Data Protection Guidelines on Data Processing for HR Purposes.

Sometimes, we may use information relating to criminal convictions:

  1. Where the processing is necessary to protect your vital interests (or someone else’s vital interests) and you or they are not capable of giving consent.
  2. Where you have given your consent.
  3. Where you have already made the information public.
  4. Where the processing is necessary in relation to legal claims.

We do not envisage that we will hold information about criminal convictions.

Data sharing

We will share your personal data with third party data controllers, outside our UPP group for the following reasons:

  • Where required by law (for example, with HMRC to pay PAYE tax);
  • Where we are permitted to do so under the exemptions under the applicable data protection legislation. For example, to regulators, law and tax enforcement agencies, HMRC and fraud prevention agencies;
  • Where it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or it is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
  • Where it is necessary to administer our working relationship with you (for example, where we pay contributions to our group personal pension scheme on your behalf);
  • Where we have another legitimate business interest in doing so (for example to insurance providers to ensure appropriate insurances are in place, to pursue industry standard recognition scheme or accreditation (e.g. IIP), to obtain or receive references about you, to our third-party advisors such as our Auditors);
  • For benefits provision and administration, such as private medical insurance providers, childcare vouchers providers, life assurance, income protection and other such benefits provided to you;
  • For pensions administration i.e. Scottish Widows; or our insurers for the purposes of underwriting life assurance, income protection and any other such benefits provided to you;
  • Where we have a legal obligation to provide the underwriters of our life assurance policy, absence reasons for all employees who are not actively at work on the renewal date of such life assurance policy or within seven days of the start of the benefit period. The underwriters will use this information to determine the risks of potential claims;
  • For provision of occupational health services i.e., our occupational health providers and any associated doctors.
  • To ask to receive or to provide reference requests from third parties (for example, in relation to jobs, academic performance, qualifications or experience); and
  • To book or administer training courses with third party training providers.

Where possible we will seek to anonymise or minimise the personal data before sharing personal information and when sharing personal data with third party controllers, we will comply with our UPP Data Protection Guidelines on Sharing Personal Data with Third Parties.

Which third-party processors/service providers, outside our UPP group companies, will process my personal data and how secure will it be?

“Third parties” includes third-party service providers (including contractors and designated agents). The following data processing activities are carried out by third-party service providers in relation to your personal data:

  • Payroll services;
  • Pension administration by brokers;
  • Benefits brokers;
  • Staff surveys;
  • Referencing agencies;
  • Exit Interviewing; and
  • HR Database.

When might you share my personal data with other entities in our UPP corporate group?

We may also share your personal data with other entities in our UPP corporate group where they are acting as an independent or joint data controller or data processors for the following reasons:

  • where it is necessary as part of our regular reporting activities on the performance of the organisation
  • where your employing entity is separate from the support entity that provides HR or IT services

Where possible we will anonymise your personal data before sharing.

What steps do you take to protect my information when you share it with data processors inside or outside our UPP corporate group?

All our third-party service providers, as well as other entities in our corporate group acting as data processors under the applicable data protection legislation, are required to take appropriate security measures to protect your personal data and are appointed in accordance with our UPP Data Protection Guidelines on Appointing Data Processors.

 

We do not allow data processors to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions as the controller of that information. Data processing by processors is covered by contracts which include Standard Contractual Clauses which are included to ensure adequate protection of personal data.

Transferring information outside the European Economic Area (EEA)

We will try not to transfer your personal data to countries outside the EEA, but our third-party suppliers may use hosting backup services outside the EEA. We will insert an obligation in their contracts for them to notify us before they do or as soon as they become aware that your data will be transferred outside the EEA. We will ensure an adequate level of protection for your personal data by putting in place adequate safeguards.

Data retention

How long will you use my information for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Details of periods of time for which we keep different aspects of your personal data are available in our UPP Data Retention Policy which is available from the Policy Centre on the Intranet or from a member of the UPP Compliance Team.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data; any applicable legal requirements regarding retention period; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data; and whether we can achieve those purposes through other means.

In some circumstances we anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once you are no longer an employee, worker, or contractor of UPP we will retain and securely destroy your personal data in accordance with our UPP Data Retention Policy and UPP Guidelines on Data Destruction.

Your rights and duties

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.

Your rights in connection with personal data

Under certain circumstances, by law you have the right to:

  • Request access to your personal data (commonly known as a “subject access request”). This enables you to ask for and receive a copy of the personal data we hold about you.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). Sometimes we may need to decline such a request when we have an over-riding requirement to retain the data in question, e.g., to comply with the law.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) to process your personal data and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes and where we process your personal data to make decisions solely by automated means which have legal effects or similarly significant effects.
  • Withdrawal of consent. Where our processing is based on your explicit consent, you have a right to withdraw consent at any time (see below for further information about this).
  • Request the transfer of your personal data to another party.
  • Lodge a complaint with the UK’s Information Commissioner, or other applicable data protection regulator.

If you want to make a request in relation to these rights, please refer to the UPP Data Subjects Rights Policy.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee:

  • if your request for access is clearly unfounded or excessive – we may also refuse to comply with the request in those circumstances; or
  • in the event that you ask for further copies of the information.

We may need to request specific information from you to help us confirm your identity (where it is appropriate for us to do so) and to ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where we have requested your consent to the collection, processing, and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Compliance Team. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless the applicable data protection legislation otherwise permits us to do so, for example, as a result of exemptions under the law. This will not affect the lawfulness of the processing that you consented to before you withdrew your consent.

If you have any questions about this privacy notice or how we handle your personal data, please contact the UPP Compliance Team or the UPP HR team. 

Their contact details are as follows: compliance@upp-ltd.com or helloHR@upp-ltd.com.

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

Appendix 1

List of all UPP Companies:

UPP Group Holdings Limited

James Square Plymouth Limited 

UPP Loring Hall Limited

UPP (East Park) LLP

 UPP (Exeter 2) LLP 

UPP Projects Limited

UPP Residential Services Limited 

UPP (Alcuin) Limited

UPP (Duncan House) Limited

UPP (Lancaster) Limited 

UPP (Hull) Limited

Leeds Student Residences Limited 

UPP Leeds Student Residences Limited

 UPP (Nottingham) Limited

UPP (Byron House) Limited 

UPP (Clifton) Limited

UPP (Broadgate Park) Limited

UPP (Loughborough Student Accommodation) Limited 

UPP (Exeter) Limited

UPP (Plymouth 3) Limited

UPP (SAC2) Limited

UPP (Swansea) 1C Limited 

UPP (Swansea 2) LLP 

UPP (Reading I) Limited 

UPP (Reading) Limited

UPP (Reading St George’s) Limited

UPP (Kent Student Accommodation) Limited 

UPP (Kent Student Accommodation II) Limited 

UPP (Kent Turing) Limited

UPP (Cartwright Gardens) Limited 

UPP (Oxford Brookes) Limited

Appendix 2

  1. Categories of personal data

We will collect, store, and use the following categories of personal information about you:

  1. Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
  2. Date of birth.
  3. Gender.
  4. Marital status and dependants.
  5. Next of kin and emergency contact information.
  6. National Insurance number.
  7. Bank account details, payroll records and tax status information.
  8. Salary, annual leave, pension, and benefits information.
  9. Start date and, if different, the date of your continuous employment.
  10. Leaving date and your reason for leaving.
  11. Location of employment or workplace.
  12. Copy of driving licence or passport.
  13. Recruitment information (including copies of right to work documentation, references and other information included in a CV as part of the application process).
  14. Employment records (including job titles, work history, working hours, holidays, training records and professional memberships).
  15. Compensation history.
  16. Performance information.
  17. Disciplinary and grievance information.
  18. CCTV footage and other information obtained through electronic means such as swipe card records.
  19. Information about your use of our information and communications systems.
  20. Photographs.
  21. Training records.

  2. Types of sensitive / ‘special category’ data

We may also collect, store, and use the following more sensitive types of personal information:

  1. Information about your race or ethnicity.
  2. Trade union membership.
  3. Information about your health, including any medical condition, health, and sickness records.
  4. Information about criminal convictions and offences.

  3. Purpose of processing personal data

The purpose or purposes for which we are processing or will process your personal information are listed below, and we have indicated with asterisks the legal basis we rely on to carry out this processing.

  • Making a decision about your recruitment, appointment, or career development. *
  • Determining the terms on which you work for us. *
  • Checking you are legally entitled to work in the UK. **
  • Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions (NICs). *
  • Providing the following benefits to you: Employee Assistance Programme; Group Personal Pension Scheme; Group Income Protection; Life Assurance; Private Medical Insurance; UPP Rewards; Season Ticket Loans; Childcare Vouchers; Cycle Scheme.*
  • Enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties. **
  • Administering the contract we have entered into with you. *
  • Business management and planning, including accounting and auditing. ***
  • Conducting performance reviews, managing performance, and determining performance requirements. *
  • Making decisions about salary reviews and compensation. *
  • Assessing qualifications for a particular job or task, including decisions about promotions. *
  • Gathering evidence for possible grievance or disciplinary hearings. *
  • Making decisions about your continued employment or engagement or making arrangements for the termination of our working relationship. ***
  • Education, training, and development requirements. *
  • Dealing with legal disputes involving you, or other employees, workers, and contractors, including accidents at work. *
  • Ascertaining your fitness to work. *
  • Managing sickness absence. *
  • Complying with health and safety obligations. **
  • To prevent fraud. **
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies. ***
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. ***
  • To conduct data analytics studies to review and better understand employee retention and attrition rates. ***
  • Equal opportunities monitoring. **

Key

* Processing is necessary for the performance or in anticipation of our contract with you
** Processing is necessary to enable us to comply with our legal obligations
*** Processing is necessary for us to pursue our legitimate interests or those of a third party and your interests and fundamental rights do not override those interests