DATA PRIVACY POLICY (UK & EU OFFICES)
This policy sets out the personal information that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.
Please also refer to our Data Privacy Charter.
1.Types of personal information we collect
As part of our recruitment process we may use a 3rd party to obtain information about applicants such as a pre-employment screening service or the DBS (Disclosure Barring Service) where appropriate.
In the course of your employment, we may process personal information about you and your relatives or other individuals whose personal information has been provided to us. For example, emergency contacts or names on your expression of wish form for life assurance purposes.
The types of personal information we may process routinely include any of the following:
Employees:
- Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality.
- Family household composition: civil status (married, divorced, widow(er); number of children.
- Contact details: address; telephone number (fixed and mobile); email address; emergency contact information.
- Employment details: job title; company name; grade; geographic location; employee performance and evaluation data; employee discipline information; information regarding previous roles and employment; employee benefits information; leave/absence requests.
- National identifiers: national ID/passport number; tax ID; government identification number; driver's license; visa or immigration status.
- Academic and professional qualifications: degrees; titles, skills; language proficiency; training information; employment history; CV/résumé.
- Financial data: bank account number; bank details; salary and compensation data; bonuses; pension qualification information; payroll data.
- IT related data: computer ID; user ID and password; domain name; IP address; log files; software and hardware inventory; software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes).
- Lifestyle: hobbies; social activities; holiday preferences.
- Identification data: name; age; date of birth; place of birth.
- Contact details: home address; telephone number (including mobile telephone number); email address.
- Professional details: job title; employer; work address; email address; telephone number (including mobile telephone number).
- Employees with authorised access and on a need-to-know basis only (including direct managers, senior management, office management and HR teams)
- Other employee representatives (including for any disciplinary proceedings), subject to the employee's right to consent or to object to it
- McCann/McCann World Group and IPG group entities
- Third party service providers appointed by and acting on behalf of McCann/McCann World Group or IPG
- Business associates and other professional advisers
- The recipient's legal department
- Any person or organisation to whom the recipient may be required by applicable law or regulation to disclose personal information, including law enforcement authorities, central and local government
Relatives:
- Identification data: name; age; date of birth; place of birth.
- Contact details: home address; telephone number (including mobile telephone number); email address.
- Professional details: job title; employer; work address; email address; telephone number (including mobile telephone number).
Employee Applicants:
- Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality.
- Contact details: address; telephone number (fixed and mobile); email address.
- Employment details: employment history; current job; company name; grade; geographic location.
- Academic and professional qualifications: degrees; titles; skills; language proficiency; training information.
If you are an independent contractor, intern or temporary worker, the type of personal information we process is limited to that needed to manage your particular work assignment.
Sensitive personal information may include any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, ("Sensitive Personal Information"). As a general rule, we try not to collect or process any Sensitive Personal Information about you, unless authorised by law or where necessary to comply with applicable laws.
We may also, in some circumstances, need to collect, or request on a voluntary disclosure basis, some Sensitive Personal Information for legitimate employment-related purposes:
- Race and ethnicity may appear indirectly on photos and other information available on passports and national IDs, which are necessary to comply with local immigration laws and for employee travel management. However, race/ethnicity are not processed purposefully in Europe with the exception of where we are tracking to measure the effectiveness of our diversity efforts.
- Trade union membership may be collected but only where permitted and for the purposes defined under national privacy law.
In such circumstances we shall ensure that such Sensitive Personal Information is collected and processed in accordance with all applicable laws.
2. Purposes for processing personal information
For the processing of anypersonal data to be legal, there has to be a satisfactory reason for that processing to take place. These reasons are specified by law and include:
- We are processing your data for the performance of a contract:
- Processing is necessary to comply with a legal obligation:
- The processing is necessary for us to pursue our legitimate interests as an employer:
- for example, we process your bank details so that we can pay your salary, as agreed under the employment contract between you and us.
- for example, we are obliged to make national insurance and tax payments on your behalf, so we need your national insurance and tax reference numbers for this.
- for example, we may track diversity measurements to ensure that we achieve our diversity ambitions, to do this we may need to record and process certain of your characteristics.
The HR team will review each processing activity to establish the lawful basis of processing. We will only process your personal data where we can do so based on one of these three reasons.
We may process your personal information for the following purposes:
Employees:
- the management of employment-related activities including but not limited to: employment records; payroll; administrative and managerial tasks; time-tracking; compensation; equity-related awards; healthcare and other benefit administration; employee traveling, expense tracking and reimbursement; appointments or removals; disciplinary matters; ensuring compliance with Group and company policies; working time management; determining and reviewing salaries; employee career development (including superannuation, employee evaluations); talent management; compliance with applicable legal and other requirements; management reporting and analysis; enabling internal contacts and communication; providing training and learning services; providing IT support to Employees; management and maintenance of the functioning and security of the IT systems and network; social activities and personnel representation.
Relatives:
- Management of healthcare and other benefits for relatives of employees; providing social and cultural programs and activities to relatives of employees; storing emergency contact details.
Employee Applicants:
- Management of internal and external hiring process across the different group entities; selecting and scheduling meetings with potential new hires; communicating with employee applicants.
3. Who we share your personal information with
We may share your personal information with the following recipients or categories of recipients:
4. Monitoring
The Company may engage in the monitoring of electronic messages and files processed by the Company’s Electronic Services for business purposes. This monitoring may consist of (but is not exclusive to):
- Establishing evidence of the Company’s financial transactions,
- Gaining routine access to the Company’s business communications,
- Ensuring compliance with regulatory or self-regulatory rules or guidance,
- Maintaining the effective operation of the Company’s systems and procedures (for example, so as to detect and prevent the spread of malicious code),
- Ensuring that the Company’s standards of service are maintained and determining where employees may need further training, and
- combating crime and investigating or detecting unauthorised use of the Company’s telephone, e-mail and Internet systems and procedure.
If the Company suspects that its electronic facilities are being abused or used inappropriately it may monitor anyone at any time. This may include opening any e-mails or messages sent or received, or content posted, to assess their content.
Please see the IT & Digital Acceptable Use & User Responsibilities policy for further information (SP & P 662).
5. Transfer of personal information abroad
As we operate on a global level, we may need to transfer personal information to countries other than the ones in which the information was originally collected. When we export your personal information to a different country, we will take steps to ensure that such data exports comply with applicable laws. IPG has in place a group wide EU data transfer agreement regulating how data exports are handled, this agreement includes EU standard contractual clauses for transfers of personal information from the European Economic Area to a country outside it, such as the United States.
6. Data retention periods
Personal information will be stored in accordance with applicable laws and kept as long as required in order to carry out the relevant purposes or as otherwise required by applicable law. For specific retention periods please refer to Appendix A (page 6 of this policy document).
7. Your data privacy rights
In the European Economic Area, you have certain rights under data protection laws which include the right: (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure if your personal information is inaccurate, no longer necessary in relation to the purposes for which it was collected, or is being unlawfully processed; (iii) to restrict or object to the processing of your personal information; and (iv) if applicable, to portability of your personal information.
To make such a request please contact Lisa Pemberton, see contact details below. We will consider and act upon any such requests in accordance with applicable data protection laws.
If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal, and our collection and use of employee personal data is generally not based on consent but some other basis as permitted by law.
8. Updates to this Information
This information may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, we will inform you via email updates and or staff intranet, and indicate in the information when it was most recently updated. We encourage you to check periodically in order to be aware of the most recent version of this information.
9. Questions and Concerns
You can address any questions or concerns relating to this or our privacy practices to the contact details below.
You also have a right to lodge a complaint with your local data protection authority (DPA). We will cooperate with the relevant DPA in investigations and resolutions of complaints relating to this information, and will seek to comply in good faith with the advice of these authorities, including any remedial measures they advise
10. Contact details
Please address any questions or requests relating to this policy to lisa.pemberton@mccann.com or alternatively, you can raise any concerns with your manager, local HR team, local GDPR Champion or IPG’s Data Protection Officer (DPO).
A list of our current DPO and their contact details can be accessed here
Lisa Pemberton HR GDPR Champion
T: 0121 713 379
E: lisa.pemberton@mccann.com
Anil Mangal: IT GDPR Champion
T: 0121 713 394
M: 07900 138 05
E: Anil.Mangal@mccann.com
Karen McCoy: Recruitment GDPR Champion
T: +44 713 387
M: +44 775703008
E: karen.mccoy@mccann.com
Dr Deborah Prince: Data Protection Officer (IPG)
T: +44 207 961 248
M: +44 777308053
P: 7-11 Herbrand Street, London, WC1N 1E
E: deborah.prince@interpublic.com
APPENDIX
Retention Periods for Personal Data (subject to ongoing review)
TALENT ATTRACTION & ACQUISITION
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Speculative Applications (i.e. CVs, Cover Letters, References, etc.) |
12 months from submission + rolling consent |
|
Applications for Job Posting or Direct Approach (i.e. CVs, Cover Letters, References, etc.) |
12 months from completion of recruitment + rolling consent |
|
Applications from Recruitment Agents/ Third Party Vendors (i.e. CVs, Candidate profile summary, References, etc.) |
12 months from completion of recruitment + rolling consent |
|
Job Descriptions |
Perpetuity |
|
Interview Notes |
12 months from completion of recruitment |
|
Ability Tests |
12 months from completion of recruitment |
|
Internships and Apprenticeships |
12 months from completion of recruitment |
|
Job Offer and Contract of Employment |
12 months from non-acceptance |
|
Visa Application and Immigration Specialists |
12 months from non-acceptance |
ONBOARDING & INDUCTION
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Personal details (i.e. Name, Personal Contact Details, NINO, Home Address, DOB/Age, Gender, Bank Account, Dependent Personal Detail, Emergency Contact Personal Details, Diversity Questionnaires, etc.) |
Refer to Active Refresh During Employment and Offboarding |
|
Employment References |
Refer to Active Refresh During Employment and Offboarding |
|
Signed Policies & Procedures |
Refer to Active Refresh During Employment and Offboarding |
|
Beneficiary Information |
Refer to Active Refresh During Employment and Offboarding |
|
Emergency Contact Details |
Refer to Active Refresh During Employment and Offboarding |
|
Right to Work: Passport and Visa, Visa Entry and Exit Stamps |
Refer to Active Refresh During Employment and Offboarding |
PAYROLL ADMINISTRATION
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
HRLink |
Refer to Active Refresh During Employment and Offboarding |
|
ADP/Sage |
End of Tax Year + 6 years. |
|
Online Payslips, P45s, P60s, P11Ds and all other tax return documentation |
End of Tax Year + 6 years. |
|
HMRC Requests and Notifications |
End of Tax Year + 6 years. |
|
Financial References |
Refer to Active Refresh During Employment and Offboarding |
BENFITS & PENSION ADMINISTRATION
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Pension: Auto-Enrolment and Private Plans |
End of Tax Year of departure + 6 years |
|
Independent Financial Advice |
End of Tax Year of departure + 1 year |
|
ChildCare Vouchers: Enrolment, Queries and Leavers |
End of Tax Year of departure + 6 year |
|
Medical Insurance: Enrolment, Queries and Leavers |
End of Tax Year of departure + 6 years |
|
Leisure Travel Insurance: Enrolment, Queries and Leavers |
End of Tax Year of departure + 6 years |
|
Permanent Health Insurance, Life Insurance and Critical Insurance |
End of Tax Year of departure + 6 years |
|
Permanent Health Insurance: Claims, Processing and Requests |
End of Tax Year of departure + 6 years |
|
Cycle to Work Scheme: Application and Repayment |
End of Tax Year of departure + 6 year |
|
Payroll Giving: Application and Repayment |
End of Tax Year of departure + 6 year |
TIME & ATTENDANCE
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Holiday and Absence Management System |
Refer to Active Refresh During Employment and Offboarding |
|
Client Profitability |
Refer to Active Refresh During Employment and Offboarding |
|
Rate Card |
Refer to Active Refresh During Employment and Offboarding |
|
Family Need Leave: Maternity, Paternity, Parental and Adoption Leave |
Refer to Active Refresh During Employment and Offboarding |
|
Sickness Absence Management: Fit Notes, Self-Certifications, Doctor’s Letter and Occupational Assessment |
Refer to Active Refresh During Employment and Offboarding |
|
Personal Assistant Emails and/or Files |
No retention. |
EMPLOYEE MONITORING
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Entry Systems |
No Retention of Security Pass post-employment. Not routinely monitored but may be accessed |
|
CCTV |
Server Room recorder set to overwrite every 30 days. Not routinely monitored but may be accessed |
|
|
No Retention. Not routinely monitored but may be accessed |
|
Internet |
No Retention. Not routinely monitored but may be accessed |
EMPLOYEE PERFORMANCE MANAGEMENT
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Manager Communications: Coaching & Mentoring, Annual Performance Reviews & Performance Correspondence, Disciplinary Correspondence, Grievance Correspondence, Settlement Agreement and Termination Details. |
Refer to Active Refresh During Employment and Offboarding |
|
Annual Performance Reviews (incl. 360 feedback) |
Refer to Active Refresh During Employment and Offboarding |
|
Performance Improvement Plans |
Refer to Active Refresh During Employment and Offboarding |
|
Disciplinary Correspondence |
Refer to Active Refresh During Employment and Offboarding |
|
Grievance Correspondence |
Refer to Active Refresh During Employment and Offboarding |
|
Feedback Using an eSurvey |
Refer to Active Refresh During Employment and Offboarding |
LEARNING & DEVELOPMENT
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Assessing Training Needs |
Refer to Active Refresh During Employment and Offboarding |
|
Development Activities |
Refer to Active Refresh During Employment and Offboarding |
|
Obtaining Training Feedback |
Refer to Active Refresh During Employment and Offboarding |
ACTIVE REFRESH DURING EMPLOYMENT
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
| Retained for the Perpetuity of Employment
* All Migrant application data and supporting documentation should be retained where Company Sponsorship has occurred |
| Current Year + 6 Years of Historical Data
*HRLink training records are retained for 7 years to comply with SOX compliance |
| No Retention During the Course of Employment |
OFFBOARDING
| TYPES OF PERSONAL DATA | RETENTION PERIOD |
|---|---|
|
Archived Employee File: Level 1
| End of Tax Year of departure + 6 Tax Years |
|
Archived Employee File: Level 2
| End of Tax Year of departure + 1 Tax Year
* Perpetuity of ICT Visa or End of Tax Year of departure + 2 years only. ** Retained for End of Tax Year of departure + 2 years |
|
Archived Employee File: Level 3
| End of departure month |
|
Employment Reference – employer issued post departure |
End of Tax Year of departure + 1 year |