Privacy Notice
Please read the below privacy notice to understand the personal data that CityFibre collect and how this data is used.
19 minute read
Last Change Summary: V1 document created - November 2023
Document Location:
Master Copy: HR Team
Read Only Copy: The Core
Authorisation:
Authorising Person: Justin Hines
Date: November 2023
This Notice is provided by CityFibre on behalf of itself, its subsidiaries and its affiliates (together, “CityFibre”, “we”, “us” and “our”), and is addressed to our current, former and prospective directors, officers, consultants, employees, temporary staff, individual contractors, interns, secondees and other personnel (together, “Personnel” or “you”). Defined terms used in this Notice are explained in Section (P) below.
For the purposes of this Notice, the Controller is the CityFibre group entity that has employed you or has engaged your services.
Our Group Privacy Statement is available on our website.
We may collect your Personal Data from the following sources:
When you provide this data to us.
In the ordinary course of your work relationship with us, or work for us (e.g., when we onboard you as a new employee, contractor or agency temp; when we Process your Personal Data for payroll purposes; and when you use our IT systems).
That you manifestly choose to make public, including via social media (to the extent that you choose to make those Personal Data publicly visible).
Where you are an applicant for a position within CityFibre, we may obtain your personal data. On your first day of employment with your prior express consent, we will use your personal data to conduct background checks, in accordance with the protections provided by applicable law.
From third parties who provide this data to us (e.g. past employers; referees; and law enforcement agencies).
We may also create Personal Data about you, such as (but not limited to) your job title, compensation details and performance reviews. This Personal Data helps us to conduct our operations and manage our workforce. If you do not provide certain Personal Data, we may not be able to achieve some of the aims outlined in this Notice.
The categories of Personal Data about you that we Process are:
Personal details: title, given name(s); preferred name; maiden name, gender identity; sex at birth; sexual orientation; pronouns; date of birth / age; veteran status; reservist status; nationality; ethnic group; religion; photographs and videos; CVs and/or applications; marital status; partner name, medical conditions; GP name; NHS number; GP address; long term health condition/ disabled; detail of disability; job title; employer entity; payroll system ID; salary and compensation details; Personnel ID type and number; passport number (where applicable); visa number (where applicable); work authorisation number (where applicable); and details of dependents, beneficiaries and family members.
Contact details: home address; work address; home telephone number; work telephone number; work mobile telephone number; personal mobile telephone number; personal email address; work email address; IP Address and emergency contact details.
Internal communication records: information concerning the use of, and Personal Data transmitted through, internal IT systems (e.g., emails, telephone records); and work-related social media profiles.
Compensation details: salary and benefits; benefit history; hourly rate (where applicable); first job since leaving the military, target commission; bonus type; stock awards; eligibility for bonus and/or long-term income; pension details; bank account information; tax code and number; National Insurance Number; student loan type and expenses information.
Communications: records of any communications or correspondence between you and us.
Consent records: records of any consents you have given, together with the date and time, means of consent and any related information (e.g., the subject matter of the consent).
Employment records: employee referral, recruitment agency, early careers hire, employee type; notice period; working calendar (full or part-time); FTE; original hire date; most recent hire date; probation end date; probation records; division, department, cost centre, line manager name; company name; job level; working hours; work absence and attendance records; Personnel promotions; job title, contractual location, employee number, employee type and absence and absence requests.
Personnel training and evaluation: Personnel learning objectives; progress and results; Personnel development plan; Personnel performance objectives and appraisal results; Personnel self-assessment results; training undertaken and completed; and dates of training, qualifications obtained, academic degrees.
Compliance and disciplinary records: reports of violations of internal policies and codes of conduct; disciplinary sanctions; manager’s name and reporting structure; acknowledgments regarding internal policies; and date and reason for resignation or termination.
Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express consent, including details of right to work in the UK, proof of address, settled status, address history, driving licence number, past employment, details of residence, credit reference information, and criminal records checks.
Security data: login details (including username and password); login records (including login location, login IP address, and failed login attempts); historic username and password details; CCTV records; internal investigations records; records of your use of our IT systems; and evidence relating to any actual or suspected breach of any CityFibre policy, or applicable law.
We do not seek to collect or otherwise Process your Sensitive Personal Data, except where:
It is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
It is necessary for the purposes of exercising rights, of fulfilling obligations, under applicable employment law, social security law, or social protection law;
It is necessary for the detection or prevention of crime;
It is necessary for the establishment, exercise or defence of legal claims;
It is necessary to protect the vital interests of any individual; or
we have, in accordance with applicable law, obtained your prior explicit consent before Processing your Sensitive Personal Data (as above, this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
The purposes for which we Process Personal Data, subject to applicable law, and the legal bases on which we perform such Processing, are as follows:
Processing Activity | Legal Basis for Processing |
|---|---|
Recruitment: Recruitment Operations via SmartRecruiters including:
In addition for advertising opportunities, internal applications / promotions, changes of role, record-keeping and performing background checks. |
|
HR management: human resources management and other required management of Personnel throughout the course of the employment relationship; checking entitlement to work; recruitment, performance management, promotions and succession planning; internal communication and management of industrial relations; surveys; mobility management, including international assignment and travel administration; appraisal/review; accounting; learning and development; attendance and absence management; administration of sick leave; administration of annual leave; promotions; transfers; secondments; and creating and maintaining one or more internal directories. |
|
Business management: management and operation of our business: management of business activities; arranging meetings; marketing; procurement; internal communications; external communications; and the sale, transfer or reorganisation of any portion of our business. |
|
Training: Personnel training and awareness; legally required training for compliance purposes; career development activities; and skills management. |
|
Communications and IT operations: management of internal communications; provision and maintenance of IT systems and office equipment; equipment allocation record-keeping; operation of IT security, firewalls and anti-virus software; IT security processes; and audits. |
|
Health and safety: workplace health and safety management; health and safety assessments and record keeping; and compliance with related legal obligations. |
|
Compensation: compensation planning and payments; administration of payroll, compensation, incentives programmes, benefits and pensions; expense reimbursement; stock administration; and administration of bonuses. |
|
Management of systems and operations: administration of our IT systems; economic, financial and administrative management; planning; and reporting. |
|
Financial management: sales; finance; corporate audit; and vendor management. |
|
Future planning: succession and organisational planning, including budgeting. |
|
Compliance and disciplinary procedures: compliance with internal policies, codes of conduct and legal/regulatory obligations; disciplinary and grievance investigations; conciliation procedures; disciplinary procedures; and governance and internal reporting. |
|
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; exercise and defence of legal rights and claims, including formal legal proceedings. |
|
Personnel Monitoring: in accordance with applicable laws, CityFibre may monitor the use of its IT and communications systems (including personal devices connected to CityFibre networks) and the information they contain, including network traffic and usage data, for purposes that may include systems maintenance, security, compliance with legal requirements and implementation of internal policies and procedures, as described in further detail in [the IT Security Policy]. Personal Data collected through such monitoring activities may be analysed and otherwise Processed in accordance with this Notice. |
|
Summary - Disclosure of Personal Data to Third Parties |
|---|
We disclose Personal Data to: legal and regulatory authorities; our external advisors; our Processors; any party as necessary in connection with legal proceedings; any party as necessary for investigating, detecting or preventing criminal offences; and any purchaser of our business. |
We may disclose Personal Data to other CityFibre group companies, for legitimate business purposes, in accordance with applicable law. In addition, we may disclose Personal Data to:
legal, tax and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, lawyers and other outside professional advisors to the CityFibre group, subject to binding contractual obligations of confidentiality;
third party Processors (such as providers of payroll, pension scheme, insurance, medical benefits, human resources services, IT systems and support, and other third parties engaged to assist us in carrying out business activities), located anywhere in the world, subject to the requirements noted below in this Section (G);
any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; and
any relevant third party acquirer(s), in the event that we sell or transfer all or any portion of our business or assets (including in the event of a reorganisation, dissolution or liquidation).
If we engage a third-party Processor to Process Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data.
Because of the nature of our business, we may need to transfer Personal Data to other entities internationally within the CityFibre group and suppliers, and to third parties as noted in Section (G) above, in connection with the purposes set out in this Notice. For this reason, we may transfer Personal Data to other countries that may have different laws and data protection compliance requirements to those that apply in the country in which you are located. In particular, basic information about your role may be shared with other CityFibre group companies, via our internal Personnel directories. Other Processing of Personal Data by CityFibre is generally limited to our Personnel who have a legitimate business need to access Personal Data for one or more of the purposes set out in this Notice.
If an exemption or derogation applies (e.g., where a transfer is necessary to establish, exercise or defend a legal claim) we may rely on that exemption or derogation, as appropriate. Where no exemption or derogation applies, and we transfer your Personal Data from the UK to recipients located outside of the UK who are not in Adequate Jurisdictions, we would enter into an International Data Transfer Agreement and/or a International Data Transfer Addendum. You may request a copy of these documents using the contact details provided in Section (O) below.
We have implemented appropriate technical and organisational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of Processing, in accordance with applicable law.
We take every reasonable step to ensure that:
your Personal Data that we Process are accurate and, where necessary, kept up to date; and
any of your Personal Data that we Process that are inaccurate are erased or rectified without delay.
From time to time we may ask you to confirm the accuracy of your Personal Data.
We take every reasonable step to ensure that your Personal Data that we Process are limited to the Personal Data reasonably required in connection with the purposes set out in this Notice.
We take every reasonable step to ensure that your Personal Data is only Processed for the minimum period necessary for the purposes set out in this Notice. The criteria for determining the duration for which we will retain your Personal Data are as follows:
(1) we will retain Personal Data in a form that permits identification only for as long as:
(a) we maintain an ongoing relationship with you (e.g., for the duration of the period for which you are employed or engaged by us); or
(b) your Personal Data is necessary in connection with the lawful purposes set out in this Notice, for which we have a valid legal basis (e.g., where your personal data is included in a contract with one of our customers, and we have a legitimate interest in Processing the data for the purposes of operating our business and fulfilling our obligations under that contract; or where we have a legal obligation to retain your Personal Data),
Plus:
(2) the duration of:
(a) any applicable limitation period under applicable law (i.e., any period during which any person could bring a legal claim against us in connection with your Personal Data, or to which your Personal Data may be relevant); and
(b) an additional two (2) month period following the end of such applicable limitation period (so that, if a person brings a claim at the end of the limitation period, we are still afforded a reasonable amount of time in which to identify any Personal Data that are relevant to that claim),
And:
(3) in addition, if any relevant legal claims are brought, we may continue to Process your Personal Data for such additional periods as are necessary in connection with that claim.
During the periods noted in paragraphs (2)(a) and (2)(b) above, we will restrict our Processing of your Personal Data to storage of, and maintaining the security of, the data, except to the extent that those data need to be reviewed in connection with any legal claim, or any obligation under applicable law.
Once the periods in paragraphs (1), (2) and (3) above, each to the extent applicable, have concluded, we will either:
permanently delete or destroy the affected Personal Data; or
anonymise the affected Personal Data.
Subject to applicable law, you may have the following rights regarding the Processing of your Relevant Personal Data:
the right not to provide your Personal Data to us (however, please note that we will be unable to provide you with the full benefit of your relationship with us – e.g., we might not be able to process your payroll or benefits entitlements without the necessary details);
the right to request access to, or copies of, your Relevant Personal Data, together with information regarding the nature, Processing and disclosure of those Relevant Personal Data;
the right to request rectification of any inaccuracies in your Relevant Personal Data;
the right to request, on legitimate grounds: erasure of your Relevant Personal Data; or restriction of Processing of your Relevant Personal Data;
the right to have certain Relevant Personal Data transferred to another Controller, in a structured, commonly used and machine-readable format, to the extent applicable;
where we Process your Relevant Personal Data on the basis of your consent, the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
the right to lodge complaints regarding the Processing of your Relevant Personal Data with a Data Protection Authority (in which you live, or in which you work, or in which the alleged infringement occurred, each if applicable).
Subject to applicable law, you may also have the following additional rights regarding the Processing of your Relevant Personal Data:
the right to object, on grounds relating to your particular situation, to the Processing of your Relevant Personal Data by us or on our behalf, where such processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the UK GDPR; and
the right to object to the Processing of your Relevant Personal Data by us or on our behalf for direct marketing purposes.
This does not affect your statutory rights.
To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Notice, or about our Processing of your Personal Data, please use the contact details provided in Section (O) below. Please note that:
in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.
It is important that you are aware of your data protection compliance obligations, and that you fulfil those obligations. This means that you must adhere to CityFibre’s policies, standards and procedures regarding the Processing of Personal Data to which you have access in the course of your duties. In particular:
you must familiarise yourself with this Notice;
you must abide by applicable law at all times when Processing Personal Data;
you must not access or otherwise Process any Personal Data beyond the extent necessary for your work with CityFibre; and
you must keep all Personal Data that you Process strictly confidential. This obligation of confidentiality continues after termination of your professional relationship with CityFibre.
If you have any comments, questions or concerns about any of the information in this Notice, or any other issues relating to the Processing of Personal Data by CityFibre, please contact dataprocessing@cityfibre.com.
“Adequate Jurisdiction” means a jurisdiction that has been formally designated by the UK Government as providing an adequate level of protection for Personal Data.
“Controller” means the entity that decides how and why Personal Data are Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).
“Relevant Personal Data” means Personal Data in respect of which we are the Controller.
“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law.