Sage privacy notice for potential, current and former colleagues and other workers
Last updated: August 2019
Please read this privacy notice (“Notice”) carefully as it describes Our collection, use, disclosure, retention and protection of your Personal Data including Sensitive Data (collectively “Data”).
This Notice applies to individuals who are, seek to be or were previously engaged by Us as temporary or permanent colleagues, contractors and those engaged on an interim basis. In each case, any Data We collect or retain shall be processed in accordance with Applicable Laws and limited to what is necessary and appropriate for that particular purpose and function.
Where you provide Us with your Data, or where We acquire your Data from other sources in any of the ways described in Section 3 below, you acknowledge that We may collect, store and use it: (a) in order to perform our contractual obligations to you; (b) based on our legitimate interest for processing (i.e. for providing and managing our share plan and other employee benefit schemes, maintaining automated back-up systems, for internal administrative purposes or for the detection or prevention of crime); or (c) based on your consent, which you may withdraw at any time, as described in this Privacy Notice. In each case described in this Privacy Notice, we will only treat your Data in accordance with Applicable Laws.
Please note that there may be additional Applicable Laws, including employment laws, relevant to the country in which you work or are employed, e.g. governing the processing of Sensitive Data. If those Applicable Laws are in any respect inconsistent with this Notice, this Notice shall only apply to the extent that it is consistent with those Applicable Laws from time to time.
Definitions of capitalised terms used in this Notice can be found in the Glossary in Section 13.
- How do We collect information about you?
- Why do We collect your Data?
- What Information do We collect about you and what do We use it for?
- Who will We share your information with?
- Retention of Information
- Changes to this Notice
- Your rights
- How do We keep your information secure?
- International transfers of Data
- Further information and how to contact Us
- Sage Group Companies
1. How do We collect information about you?
We collect information about you and any other party whose details you provide to Us when you apply for a position with Us, commence employment with Us or start work under a service contract or interim engagement with Us. We may collect additional data from you if you join or participate in a benefit offered by Us, for example an employee share plan.
We also obtain information about you from third parties that are entitled to share that information; e.g., credit agencies, recruitment agencies, search information providers or public sources (e.g. for colleague due diligence purposes), or from service companies that We engage to fulfil Our staffing requirements, in each case as permitted by Applicable Laws.
If you intend giving Us Data about someone else, e.g., your next of kin, emergency contacts, dependents or beneficiaries, you must ensure that you gain their consent to do so beforehand and that you explain to them how We collect, use, disclose and retain their Data or direct them to read this Notice.
2. Why do We collect your Data?
We collect and store your Data in order to fulfil Our legal obligations for purposes related to your potential, current and/or past employment or other contractual relationship with Us. We also use your Data in order to administer and manage the relationship we have with you in general. We may disclose your Data to Our authorised service providers, other third parties and/or other Sage Group companies in the course of processing your Data provided it is disclosed in accordance with this Notice. To assist Us in maintaining accurate and up-to-date records, you must advise the People Function of any changes to your Data.
Additionally, if you participate or are eligible to participate in any share plan offered by Us from time to time, we may collect and send your Data to Our external share plan providers to enable participation in one or more of our share plans, where eligible, and/or to issue an annual invitation to join a share plan, where eligible. We and/or our external share plan providers also use this Data to carry out administration of the of the share plans, to manage the portal and to offer vesting/maturity services.
3. What information do We collect about you and what do We use it for?
Where permissible under Applicable Law and to the extent necessary, we collect the following information for the purposes described:
a) General information:
Name, preferred name, previous last name, address, date of birth, marital status, telephone and email addresses, nationality, citizenship, ethnic origin, race, gender, sexual orientation, religion, veteran and military status, preferred language and details of any disabilities or work restrictions.
b) Emergency contacts, next of kin and beneficiary details:
Name, address, telephone, e-mail addresses and their relationship to you.
c) Evidence of identity and legal eligibility to work:
Photographs, passport and/or driving licence details, marriage certificates, professional or regulatory certificates and/or visas and relevant diploma/education certificates.
d) Pre-engagement checks:
References, interview notes, work visas, records/results of pre-employment checks, including criminal record checks, credit and fraud checks, references, information included on your CV/resume and/or any application forms.
e) Terms of engagement with Us:
Records of offer and acceptance of employment, your employment contract, agreed hours, length of probation, secondment arrangements or other service contracts, changes to job description and reason for changes and reporting line, office location, function, job title, cost centre, line manager and hiring manager details.
f) Compensation details:
Salary, variable or commission pay, bonus details, bank account details, national insurance, social security numbers or other tax identifiers, retirement account details, pension details.
g) Benefit and other entitlement details:
Length of service, health information, leave of absence records, sickness records, relocation records, hours worked records and dependant and beneficiary details, which may include your children’s details.
h) Access rights and security:
Colleague number, computer or facilities access and authentication information, identification codes, passwords, answers to security questions, photographs, Skype name.
i) Information relating to your performance at work:
Performance ratings, performance reviews, performance improvement or development plans and related documents, colleague recognition awards, details of outside business activities and directorship(s), details of previous roles.
j) Information relating to discipline, grievance and other employment related processes:
Interview/meeting notes, recordings, correspondence and any settlement arrangements.
k) Information relating to your work travel and expenses:
Bank account details, passport, driving licence, vehicle registration and insurance details.
l) Cessation and termination details:
Letters of resignation, reasons for termination.
n) Data Science:
We also record, retain and use colleague Data for monitoring, statistical analysis, salary benchmarking and marketing purposes, provided that such processing is only undertaken on a pseudonymised basis and displayed at aggregated levels which are not linked back to any living individual. If you participate in a survey, We will only receive aggregated results.
o) Diversity and Inclusion:
We also collect Data from you to gather information on the diversity of Our workforce which aims to measure success in eradicating bias and understand how We can improve the experiences of Our workforce. By openly monitoring Our Diversity Data, We are providing confirmation both internally and externally that it is important to Us not to discriminate against colleagues and that We welcome everyone to work as their true self. Diversity Data is aggregated and pseudonymised with access to the data very much restricted to certain of Our personnel. Analysis of such data is used to identify trends in the workforce and monitor changes in the diversity identifying best practice or where interventions may be required. Please note that you are not required to provide your Diversity Data. You are free to choose whether or not you wish to provide all, some or none of your Diversity Data.
p) Share Plans:
Depending on the requirements of the individual share plan where an award is being granted or an invitation to participate being issued, Data can include Name, NI/Social security number, date of birth, address, salary details, tax information, citizenship and residence-related information, Sage People ID, Payroll ID, work email address, bank details, hire date, leave date, leave reason and individual share award data.
4. Who will We share your information with?
Where permissible under Applicable Law and to the extent necessary, we may share your information with:
- Any company within the Sage Group including those companies listed in Section 11, for the purposes set out in this Notice.
- Our service providers and agents (including their sub-contractors) or other third parties which process information on Our behalf (e.g. Internet service and platform providers, payment processing providers, organisations We engage to provide services and functionality that We require and to enable communications with you).
- External colleague benefit and share plan providers, including but not limited to our share plan administrators, trustees, registrars, brokers, administrators, regulators and external advisors, Sage’s Registrar and, where applicable, to the Trustees for The Sage Group Plc Employee Benefit Trust and any broker or other third party to whom Our share plan administrator may outsource elements of the service.
- Third parties where you have a relationship with that third party and you have consented to Us sending information (e.g. social media sites such as Facebook, Twitter or other third party application providers).
- Credit reference and fraud prevention agencies.
- Regulators where required to meet the Sage Group’s legal and regulatory obligations (e.g. tax and social security offices).
- Law enforcement agencies in order to detect or prevent crime or prosecute offenders.
- Any third party in the context of actual or threatened legal proceedings, provided We can do so lawfully (e.g. in response to a court order).
- Any third party in order to meet Our legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts.
- Our own and Sage Group professional advisors and auditors for the purpose of seeking professional advice or to meet Our audit responsibilities.
- Another organisation if We sell or buy (or negotiate to sell or buy) any business or assets.
- Another organisation to whom We may transfer Our agreement with you. However, in the event the transaction is completed, your Data will remain protected by Applicable Law and in the event the transaction is not completed, we will require the other party not to use or disclose your Data in any manner whatsoever and to completely delete such data.
- Government departments where reporting is mandatory under Applicable Law.
Retention of information
We retain information about you during and after termination or cessation of your relationship with Us. This information is held and used for as long as permitted for legal, regulatory, fraud prevention and legitimate business interests such as the administration of benefit schemes, in accordance with the current Sage Group Data Retention, Marking and Destruction Policy or as otherwise permitted under Applicable Law.
All Diversity Data is handled in accordance with this Notice and any provisions relating to Data apply also to Diversity Data unless expressly stated otherwise. Unless there is an overriding legal obligation why the Diversity Data should be retained beyond this period, data for applicants is retained for 1 year.
For any share plans that you participate in, We and our external share plan providers, will retain the Data for as long as is necessary in accordance with Applicable Laws, to administer the plan and any services offered and to meet Our regulatory obligations. For your information, some of the factors which will affect how long we retain your data include your continued employment within Us and your continued participation in share plans operated by Us. Where We collect and send Data to Our external share plan provider annually to enable an invitation to be issued to you to join a share plan, if you choose not to join the plan, and are not already participating in another share plan where this Data is already held in their system, this Data will be deleted from their system as soon as practicable.
We may retain information about you following an unsuccessful application for employment with Us, provided that, in those jurisdictions requiring consent, you have consented to Us doing so.
We may also retain statistical information about individuals for recruitment and employment purposes.
6. Changes to this Notice
We may update, amend or otherwise change this Notice from time to time. We shall always publicise and, if legally required, consult with you on substantial changes before they are introduced. All revised Notices shall be made available on the colleague Intranet site, so please try to read it when you visit Your Sage.
7. Your rights
If you are based within the EEA or within another jurisdiction having similar data protection laws, in certain circumstances you have the following rights:
- The right of access to your Data and the rectification or erasure of the same.
- The right to object to the processing of your Data and to request a restriction.
- The right to have any Data you provided to Us on an automated basis returned to you in a structured, commonly used and machine-readable format, or sent to another company, where technically feasible.
- Where the processing of your Data is based on consent, the right to withdraw that consent, subject to legal or contractual restrictions.
- The right to be informed from where we obtained your Data if not direct from you;.
- The right not be subject to a decision based solely on automated processing, including profiling, which has legal or similarly significant effects for you.
- The right to lodge a complaint with the relevant supervisory authority.
If you have specific questions relating to your rights under Applicable Laws, please refer to Section 10.
8. How do We keep your information secure?
Your Data may be stored and processed on both internal and external systems, some of which are cloud based.
We will keep your information secure in line with Our policies, including our Personal Data Protection Policy, by taking appropriate technical and organisational measures against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data transmitted, stored or otherwise processed.
We do Our best to protect your Data but We cannot guarantee the security of any Data which is transmitted to Our website, applications or services or to other websites, applications and services via an Internet or similar connection.
If We have given you (or you have chosen) a password to access certain areas of Our websites, applications or services please keep this password safe – we will not and you must not share this password with anyone.
If you believe your account has been compromised, you must contact Us immediately at [email protected].
9. International transfers of Data
Data in the EEA and certain other jurisdictions having equivalent requirements are protected by stringent data protection laws but other countries do not necessarily protect your Data in the same way. In some situations, detailed in this section, your Data may be transferred, processed and stored outside your country of residence, in which case it may be available to government authorities under lawful orders and laws applicable there.
Our websites and some of Our applications or services or any part of them may be hosted in the United States or other countries and this means that We may need to transfer information submitted by you through such websites, applications or services outside your country of origin to the United States or to other countries outside your country of origin.
Emails sent or received over Sage Group networks are stored on Our email servers which are hosted in the United States.
We may use service providers based outside your country to manage Our relationship with you and to provide you with certain benefits. This means that We may transfer your Data to those service providers for the purpose described in this Notice.
We take steps to ensure that where your Personal Data is transferred outside of the EEA by Our service providers and hosting providers, appropriate measures and controls are in place to protect that information in accordance with Applicable Law. For example, We may share information with our group companies or affiliates based outside the EEA for the purposes envisaged by this Privacy Notice. All Sage group companies are subject to Sage group data protection policies designed to protect data in accordance with EU data protection laws. In each case, such transfers are made in accordance with the requirements of Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”) and may be based on the use of the European Commission’s Standard Model Clauses for transfers of personal data outside the EEA.
If you have further questions about the legal basis on which We transfer your Data outside your country of origin, please refer to Section 10.
10. Further information and how to contact Us or our Chief Data Protection Officer
If you have any questions about this Notice, how We treat your Data or with whom we share it, including how to affect any of your rights in relation to the same as described in Section 7 or information on international transfers as described in Section 9, please contact your local People Function in the first instance.
For current colleagues and other workers, any changes to the way We use your Data will be notified to you: (i) by your Sage responsible manager; (ii) by a notification on Our colleague Intranet site, Your Sage; or (iii) by a written notification to you or your employing service company.
Unsuccessful applicants, former colleagues or contractors may request a copy of this Notice from the Talent Acquisition Team.
Sage’s Chief Data Protection Officer is Chris Lauder, who can be contacted at The Sage Group plc, North Park, Newcastle upon Tyne, NE13 9AA or by email at [email protected].
Where permissible under Applicable Law and to the extent necessary, We deploy tools and technologies in order to protect Our assets (including intellectual property rights), Our clients’ assets and Our employees and other workers from unacceptable behaviour.
In particular, We may monitor your use of Our systems and networks (including computers, mobile devices and telephones) in order to: (i) record evidence of business transactions; (ii) to detect and prevent misuse of Our networks and systems and to maintain the effective operation of the same; (iii) to detect and protect against unauthorised or unlawful access to and against accidental loss or destruction of, or damage to, Our proprietary and confidential materials (including Data); (iv) to monitor standards of training and service; and (v) to detect and prevent criminal activity.
We may also deploy CCTV in order to maintain health and safety standards, to safeguard the security of Our property and premises and to prevent and investigate crime. It may also be used to monitor employees and other workers when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about Our employees and other workers, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the individuals themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.
12. Sage Group Companies
Details of Sage Group companies that may act in the capacity of a Data Controller are listed here.
Sage List of Companies
For the purposes of this Notice:
“Applicable Laws” means any applicable local laws, rules statutes, regulations, guidelines, orders, judgments, decrees, summons, treaties or other requirements having the force of law in the country in which you are engaged.
“Data Controller” means the Sage Group company that determines the purposes and means of processing your Data and which is responsible for its collection, use, disclosure, retention and protection of your Data and which is the company with which you have your primary relationship with in the first instance.
“Diversity Data” means all information related to nationality, ethnic origin, race, gender, age, sexual orientation, religion, veteran and military status, preferred language and details of any disabilities or work restrictions, working patterns and carer responsibilities.
“Personal Data” means all information arising from or relating to your application for employment or the performance of your duties under your contract with Us. It includes any information which relates directly or indirectly to you as an identifiable individual and includes information from which you are or can be identified or identifiable including, without limitation, information in respect of your physical or mental health, biometric data, your racial or ethnic origin and religious or similar beliefs and / or in respect of criminal or civil proceedings in which you are or were involved.
“Sage Group” means The Sage Group plc (registration number 02231246) and its affiliated companies.
“Sensitive Data” means Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and includes details of criminal convictions and offences where permitted under Applicable Laws.
"We", "Our" and "Us" each mean your employing company and all the companies that make up the Sage Group, as appropriate.