Privacy Policy

Data Protection & Handling Policy: Experience-Led HR Ltd


1. Introduction

Experience-Led HR Ltd (“the Company”) is committed to protecting the privacy and security of personal data. As a provider of HR consultancy, EDI audits, and independent investigations, we process "Special Category Data", which requires the highest level of protection. This policy outlines our commitment to the six data protection principles set out in the UK GDPR.

2. The Data Controller

Experience-Led HR Ltd is the Data Controller.

Registered Office: 2 Thornton Avenue, Plymouth, PL4 8RS

Company Number: 17039641

ICO Registration: ZC094840

3. Types of Data Collected

We collect and process the following categories of data:

Identity Data: Names, titles, and job roles.

Contact Data: Email addresses, phone numbers, and postal addresses.

Special Category Data: Information regarding race/ethnicity, religious beliefs, sexual orientation, health/disability, and Trade Union membership.

Case-Specific Data: Whistleblowing disclosures, safeguarding concerns, witness statements, and evidence gathered during investigations.

4. Lawful Basis for Processing

We process data under the following legal grounds:

Contractual Necessity: To fulfill our services to you as a client.

Legal Obligation: To comply with employment laws and ACAS codes.

Legitimate Interests: To conduct impartial investigations that protect the integrity of the workplace.

Substantial Public Interest: Specifically for processing sensitive data related to Safeguarding and Whistleblowing.

5. Data Storage and Security

We implement a "Secure by Design" approach:

Encryption: All digital files, including investigation reports and EDI data, are stored on AES-256 encrypted cloud servers.

Access Control: Access is strictly limited to the Lead Consultant. We use Multi-Factor Authentication (MFA) on all devices.

Anonymisation: For EDI audits and general consultancy, we use anonymised data sets wherever possible to protect individual identities.

6. Data Sharing

We do not sell or trade personal data. Data is only shared with third parties when:

Explicitly authorised by the client (e.g., providing a report to a Board of Directors).

Required by law (e.g., a court order or an Employment Tribunal summons).

Necessary for safeguarding (e.g., reporting a serious risk of harm to relevant authorities).

7. Data Retention Schedule

To ensure we do not hold data longer than necessary, we adhere to the following:

Investigation Files: Retained for 6 years following the closure of the case to defend potential legal claims.

EDI Data: Identifiable data is deleted after 3 years; anonymised data may be kept indefinitely for benchmarking.

Financial Records: Retained for 6 years plus the current tax year as per HMRC requirements.

8. Your Rights (The Data Subject)

Under UK law, individuals have the right to:

Access: Request a copy of the data we hold (Subject Access Request).

Rectification: Correct inaccurate data.

Erasure: Request deletion of data (subject to legal retention requirements).

Object: Object to processing based on legitimate interests.

9. Breach Notification

In the unlikely event of a data breach that poses a risk to individuals, Experience-Led HR Ltd will notify the ICO and the affected individuals within 72 hours, in accordance with legal obligations.
