Education Endowment Foundation:Privacy notice for employees

Privacy notice for employees

This privacy notice will inform you, our employees, of the types of data we process about you.

This privacy notice will inform you, our employees, of the types of data we process about you. This notice applies to current and former employees, workers and contractors.

This page should be read in conjunction with the information on the main EEF privacy notice page which covers information relevant to anyone whose data is used by EEF including your rights.

We keep several categories of personal data on our employees in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each employee and we also hold the data within our computer systems, for example, our holiday booking system.

Specifically, we hold the following types of data:

  • a) personal details such as name, address, phone numbers
  • b) name and contact details of your next of kin
  • c) your photograph
  • d) your gender, marital status, information of any disability you have or other medical information
  • e) right to work documentation
  • f) information for equality monitoring purposes, such as race and religion.
  • g) information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter
  • h) references from former employers
  • i) details on your education and employment history etc
  • j) National Insurance numbers
  • k) bank account details
  • l) tax codes
  • m) driving licence
  • n) criminal convictions
  • o) information relating to your employment with us, including:
    • job title and job description
    • your salary
    • your wider terms and conditions of employment
    • details of formal and informal proceedings involving you such as letters of concern, disciplinary and grievance proceedings, your annual leave records, appraisal and performance information
    • internal and external training modules undertaken
    • information on time off from work including sickness absence, family related leave etc
  • p) CCTV footage
  • q) building access card records
  • r) IT equipment use including telephones and internet access
  • s) information about staff wellbeing for the purposes of providing support
  • t) occupational health records

You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment.

In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.

Personal data is kept in files or within the Company’s HR and IT systems.

The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement or in order to effectively manage the employment contract we have with you, including ensuring you are paid correctly.

The information below categorises the types of data processing we undertake and the lawful basis we rely on.

Activity requiring your dataLawful basis
Carry out the employment contract that we have entered into with you e.g. using your name, contact details, education history, information on any disciplinary, grievance procedures involving youPerformance of the contract
Ensuring you are paidPerformance of the contract
Ensuring tax and National Insurance is paidLegal obligation
Carrying out checks in relation to your right to work in the UKLegal obligation
Making reasonable adjustments for disabled employeesLegal obligation
Making recruitment decisions in relation to both initial and subsequent employment e.g. promotionOur legitimate interests
Making decisions about salary and other benefitsOur legitimate interests
Ensuring efficient administration of contractual benefits to youOur legitimate interests
Effectively monitoring both your conduct, including timekeeping and attendance, and your performance and to undertake procedures where necessaryOur legitimate interests
Maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintainedOur legitimate interests
Implementing grievance proceduresOur legitimate interests
Assessing training needsOur legitimate interests
Implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustmentsOur legitimate interests
Gaining expert medical opinion when making decisions about your fitness for workOur legitimate interests
Managing statutory leave and pay systems such as maternity leave and pay etcOur legitimate interests
Business planning and restructuring exercisesOur legitimate interests
Dealing with legal claims made against usOur legitimate interests
Preventing fraudOur legitimate interests
Conducting auditsOur legitimate interests or legal obligation
Ensuring our administrative and IT systems are secure and robust against unauthorised accessOur legitimate interests
Equality monitoring for employeesOur employment obligations and substantial public interest.
Providing wellbeing supportOur legitimate interests

Employees within our company who have responsibility for recruitment, administration of payment and contractual benefits and the carrying out performance related procedures will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processing in line with GDPR.

Data is shared with the following third party recipients:

  1. A payroll service provider (at the time of writing, RSM payroll)
  2. A HR provider who advises us on HR matters and manages our HR documents and system online (at the time of writing, Peninsula)
  3. Your pension provider (at the time of writing, Aviva)
  4. Our pension advisers (at the time of writing, Secondsight)
  5. A company that provides life insurance in the event of death in service (at the time of writing, Canada Life)
  6. The HMRC for tax purposes; with our accounting software for accounting of net pay (at the time of writing, Quickbooks Online (Intuit))
  7. Our bank for payment details (at the time of writing, CAF Bank)
  8. Our auditors (including the DfE)
  9. The Disclosure and Barring Service for the purpose of DBS background checks (at the time of writing, completed through PeopleCheck in partnership with Yoti)
  10. Our annual staff survey provider (at the time of writing, The People Experience Hub)
  11. A provider of right to work checks (at the time of writing, completed through PeopleCheck in partnership with Yoti)
  12. Our online signing platform (at time of writing, Docusign)
  13. An e‑learning platform (at time of writing, Kallidus)
  14. The UK visa sponsorship management system for visa application administration

We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

Data stored within Quickbooks Online (Intuit) is shared with bodies outside of the European Economic Area. These countries are the United States and the reason for sharing with these countries is that we use Quickbooks Online (Intuit) as our accounting software package, who store our data in the USA. We have put the following measures in place to ensure that your data is transferred securely and that the bodies who receive the data that we have transferred process it in a way required by EU and UK data protection laws: The data transfer mechanism used by Quickbooks Online (Intuit) is standard contractual clauses. For more details about how Quickbooks Online (Intuit) use the data, please visit

We otherwise do not share your data with bodies outside of the European Economic Area.

You will have been notified in EEF’s privacy notice for job applicants that we use the Webrecruit system for recruitment.

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

We only keep your data for as long as we need it for, which will be at least for the duration of your employment with us though in some cases we will keep your data for a period after your employment has ended. Some data retention periods are set by the law. Retention periods can vary depending on why we need your data, as set out below:

RecordStatutory Retention Period
Children/​young adultsUntil the child reaches 21
Retirement Benefits Schemes6 years from the end of the scheme year
Statutory Maternity Pay (calculations, certificates, medical evidence)3 years after the end on the tax year in which the period ends
Wage/​salary (overtime, bonuses, expenses)6 years after the end of employment
National Minimum Wage3 years after the end of the consequent pay reference period
Working hours2 years after they are made
RecordRecommended Maximum Retention Period
Allegation of a child protection natureUntil the person’s normal retirement age or 10 years from the date of the allegation (whichever is the longer) then review.
Application forms and interview notes6 months to a year
Assessments under health and safety regulations and records of consultations with safety representatives and committeesPermanently
HMRC approvalsPermanently
Money purchase details6 years after transfer or value taken
Parental leaveUntil child is 18 (birth/​adoption)
Pension scheme investment policies12 years from the ending of any benefit payable under the policy
Pensioners’ records12 years after end of benefit
Personnel files, training records (disciplinary records, working time records)6 years after end of employment
Redundancy details, calculations of payments, refunds, notification to the Secretary of State6 years after date of redundancy
Statutory Sick Pay records, calculations, certificates, self-certificatesat least 3 months after the end of the period of sick leave, but 6 years after the employment ceases advisable
Time cards2 years after audit
Trade Union agreements10 years after end
Works Council minutesPermanently

Where we are processing your personal data under consent or for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see​‘Your rights’​on our privacy notice main page.

Automated decision-making means making decision about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.