Employee Privacy Policy
Version 1.0 – 22 August 2024 (latest)
At Ember, we're committed to keeping your information private and secure. This notice sets out the personal data we collect about Ember employees and what we will do with it. This applies in addition to our Customer Privacy Policy and Candidate Privacy Policy.
This policy applies to current and former employees, workers and contractors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will publish the new version on this page as soon as reasonably practical.
Who are we?
We are Ember Core Ltd, a company registered in Scotland under company number SC633049 and registered office at Argyle House, 3 Lady Lawson Street, Edinburgh, Scotland, EH3 9DR (“we”, “our”, “us”), operating under the name Ember. We're registered with the Information Commissioner's Office under number ZA575885. We are the controller responsible for deciding how we hold and use personal information about you.
You can email us at it@ember.to or write to us at Codebase Argyle House, 3 Lady Lawson Street, Edinburgh, EH3 9DR.
What information do we collect?
When you work for Ember we will typically collect, store and process the following categories of personal information:
- Name and contact details (e.g. title, address, phone number and email address)
- Personal details including your location, date of birth, gender, marital status and dependants, next of kin and emergency contact information
- Bank details and other payroll/tax/pension information such as salary and National Insurance number
- Copies of documents such as driving license, passport, proof of address and address history
- Employment records (including job titles, work history, working hours, compensation history, holidays, performance information, training records and professional memberships)
- Start date, leaving date and your reason for leaving
- Disciplinary and grievance information
- Recruitment information, including references and other information included in a CV or cover letter or as part of the recruitment process
- Results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied
- Results of background checks from third-party providers we work with, including (where relevant) information about criminal convictions and your right to work in the UK
- Photographs and CCTV data from our sites or buses outfitted with CCTV cameras
- Information about your use of our information and communications systems
- Records of communications – e.g. call recordings, emails and chat transcripts
- Any further data you share with us as an employee such as information relating to periods of sickness
We may also ask for some 'special category' data, such as:
- Information about your health, including any medical conditions, along with health and sickness records
- Records of drug or alcohol use including test results
- Disability and neurodiversity status
- Ethnicity
- Gender identity
- Sexual orientation
- Information about criminal convictions and offences
How is your personal data collected?
We use different methods to collect data from and about you including through:
Your active interactions with us
You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- apply for a role directly or permit a recruiter to send us your details
- are onboarded as a new employee
- take part in an interview or assessment
- give us feedback or contact us
We will collect additional personal information in the course of job-related activities throughout the period you work for us.
Your passive interactions with us
As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. This is explained further in our cookies policy.
Third parties or publicly available sources
We may receive personal data from various third parties including former employers, recruiters involved in your application, background check providers and credit reference agencies. In some cases, we may also collect personal information from your named referees.
We may also collect personal information from the trustees or manager of pension arrangements.
How your information is used
We will only use your personal information when the law allows us to. Most commonly, we will use it in the following circumstances:
- Where we need to perform the contract we have entered into with you
- Where we need to comply with a legal obligation
- Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests
In more rare cases, we may also use it where:
- We need to protect your interests (or someone else's interests)
- It is needed in the public interest or for official purposes
The information we collect and process is used to:
- Determine the terms on which you work for us
- Check you are legally entitled to work in the UK
- Pay you and, where appropriate, deduct tax and National Insurance Contributions
- Manage your enrollment and participation in any share plans
- Enroll you in a pension arrangement in accordance with our statutory automatic enrolment duties and liaise with a pension provider or other provider of employee benefits
- Administer the contract we have entered with you
- Conduct performance reviews, manage performance and make decisions about salary and compensation
- Manage absence due to sickness
- Make decisions about your continued employment or engagement including ascertaining your fitness to work
- Gather evidence for possible grievance or disciplinary hearings
- Education, training and development requirements
- Deal with legal disputes involving you, or other employees, workers and contractors, including accidents at work
- Comply with health and safety obligations
- Prevent fraud and ensure network and information security
- Conduct data analysis to review and better understand employee retention and attrition
- Monitor equal opportunities
Particularly sensitive personal data, such as the 'special categories' listed above, require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data. We use 'special category' data in the following ways:
- In limited circumstances, with your explicit written consent
- Use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance
- Results of alcohol or drug tests to ensure your ability to carry out your role
- Where we need to carry out our legal obligations or exercise rights in connection with employment
- Where it is needed in the public interest, such as for equal opportunities monitoring
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
In the case of "equal opportunity monitoring", participation is voluntary and providing this information is optional. Any information you provide will have no effect on your opportunity for employment.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.
Who do we share data with?
As well as people working for us and other group companies, we may disclose your personal data to:
- Companies that provide services to us: This includes email, telecommunications and hosting providers like Amazon Web Services, Google Cloud, Notion, Sendgrid and Twilio. We make an effort to minimise the amount of data we share, for instance sharing anonymous IDs rather than names
- Companies who run background and reference checks on our behalf
- Companies who provide medical, drug and alcohol testing on our behalf
- Recruitment agencies that we engage with during the recruitment process
- Recruitment software service providers, for the purpose of processing your application, onboarding, or scheduling interviews
- Regulators or industry bodies such as the DVLA and HMRC
- Insurance companies, in the course of checking suitability for roles or providing ongoing coverage
- Law enforcement agencies and other third parties, where necessary to meet our legal obligations
- Anyone you give us permission to share the data with
We require third parties to respect the security of your data and to treat it in accordance with the law. We do not allow third parties to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.
We may transfer your personal information outside the UK or the European Economic Area (EEA). If we do, you can expect a similar degree of protection in respect of your personal information.
How long we keep your information
We retain your personal information only for as long as it is necessary to fulfill the purpose for which it was collected.
To perform our contractual obligations and comply with applicable laws, we generally retain your information for the duration of your employment plus a further six years. Thereafter we will securely destroy your data, including data held by any third party, unless there is an obligation to retain it further.
We may keep some specific types of data (for example tax records, pensions data) for different periods of time, as required by applicable law.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Where your data is stored
In some cases, the data we collect from you may be transferred to and stored by countries or organisations outside the UK or the EEA. In these cases, we'll make sure that the European Commission says the country or organisation has adequate data protection, or we’ve agreed to standard data protection clauses approved by the European Commission with the organisation. Contact us if you'd like a copy of the relevant data protection clauses.
Your rights
Your personal data is protected by legal rights, including your rights to:
- Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we’re lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Please do note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which we will notify you of, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
- Request the transfer of your personal data to you or to a third party. We’ll provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
  - If you want us to establish the data's accuracy
  - Where our use of the data is unlawful but you don’t want us to erase it
  - Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
  - You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
You won’t have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data isn’t disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we’ll notify you and keep you updated.
For more information or to exercise your data protection rights, please email it@ember.to.
How to complain
If you have a question or want to complain about how we've used your personal data, email us at it@ember.to. If you're not happy, you also have a right to complain to the data protection supervisory authority in the EU country where you live or work, or where you think a breach happened. The Information Commissioner's Office (ICO) is the UK regulator.
Changes to this notice
We may update this notice from time to time. Any changes will be posted on this page and, if appropriate, sent to you by email.