OPRI PRIVACY NOTICE
DATA PROTECTION NOTICE FOR EMPLOYEES
This Privacy Notice (“Notice”) sets out the basis upon which Observational & Pragmatic Research Institute Pte Ltd and Observational & Pragmatic Research International Limited (“OPRI”, “Company”, “we”, “us” or “our”) may collect, use, disclose or otherwise process personal data of employees and candidates in accordance with the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”) or the Personal Data Protection Act (‘PDPA’) depending on the region of applicability (collectively “Data Protection Laws”). This Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.
APPLICATION OF THIS NOTICE
1. This Notice applies to all persons engaged in a contract of service with us (whether on a part-time, temporary or full-time basis) as well as individuals providing services under a contract for OPRI (including freelancers and consultants), and interns and trainees or volunteers working at or attached to us, or candidates applying for a role with the Company (collectively referred to as “employees”), and all references to “employment” shall apply equally to such employees.
2. As used in this Notice, “personal data” includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
3. Personal data which we may collect in the context of your recruitment or employment with us includes but not limited to your:
(a) name or alias, gender, passport number, date of birth, nationality, and country and city of birth;
(b) mailing address, telephone numbers, email address and other contact details;
(c) resume, educational qualifications, professional qualifications and certifications and employment references;
(d) employment and training history;
(e) salary information and bank account details;
(f) details of your next-of-kin, spouse and other family members;
(g) work-related health issues and disabilities;
(h) records on leave of absence from work;
(i) photographs and other audio-visual information;
(j) performance assessments and disciplinary records; and
(k) any additional information provided to us by you as a job applicant (that is, prior to being engaged as an employee).
4. Other terms used in this Notice shall have the meanings given to them in the Data Protection Laws (where the context so permits).
COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA
5. We generally collect personal data that:
(a) you knowingly and voluntarily provide in the course of or in connection with your employment with us, or via a third party duly authorised by you to disclose your personal data to us, e.g. your job placement agent;
(b) collection and use of personal data without consent is permitted or required by Data Protection Laws or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you except where permitted by law.
6. Prior to your employment, your personal data will be collected and used by us for the following purposes, and we may disclose your personal data to third parties where necessary for the following purposes:
(a) assessing and evaluating your suitability for employment in any current or prospective position within the organisation; and
(b) verifying your identity and the accuracy of your personal details and other information provided.
7. If you are an employee, your personal data will be collected and used by us for the following purposes, and we may disclose your personal data to third parties where necessary for the following purposes:
(a) performing obligations under or in connection with your contract of employment with us, including payment of remuneration and tax;
(b) all administrative and human resources related matters within our organisation, including administering payroll, granting access to our premises and IT systems and devices, processing leave applications, administering your insurance and other benefits, processing your claims and expenses, investigating any acts or defaults (or suspected acts or defaults) and developing human resource policies;
(c) managing and terminating our employment relationship with you, including monitoring your internet access and your use of our intranet email to investigate potential contraventions of our internal or external compliance regulations, and resolving any employment related grievances;
(d) assessing and evaluating your suitability for employment/appointment or continued employment/appointment in any position within our organisation;
(e) ensuring business continuity for our organisation in the event that your employment with us is terminated;
(f) performing obligations under or in connection with the provision of our services to our clients;
(g) facilitating any proposed or confirmed merger, acquisition or business asset transaction involving any part of our organisation, or corporate restructuring process; and
(h) facilitating our compliance with any laws, customs and regulations which may be applicable to us.
8. The purposes listed above may continue to apply even in situations where your relationship with us has been terminated or changed in any way, for a reasonable period thereafter including, where applicable, a period to enable us to enforce our rights under any contract with you.
HOW WE STORE PERSONAL DATA
9. OPRI is committed to ensuring that any personal data we hold is as safe as reasonably possible, both while it is being processed and when it is stored. We store the personal data we collect on secure databases, electronic and hard copy files. Personal data is stored in line with applicable Data Protection Laws.
10. We have policies and procedures for the secure, permanent destruction of personal data when it is no longer required.
- UK GDPR Article 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- UK GDPR Article 6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- UK GDPR Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- UK GDPR Article 6(1)(f): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- PDPA Section 13: an organisation cannot collect, use, or disclose personal data about an individual unless the individual gives, or is deemed to have given, his/ her consent to the collection, use, or disclosure.
- PDPA Section 14: an individual has not given consent unless the individual has been notified of the purposes for which his/ her personal data will be collected, used, or disclosed, and the individual has provided his consent for those purposes.
- PDPA Section 15 An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if —
(a) the individual, without actually giving consent mentioned in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(b) it is reasonable that the individual would voluntarily provide the data
YOUR DATA PROTECTION RIGHTS
11. Under Data Protection Laws, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Note that these rights apply to the data we hold in our capacity as data controller
- Your right to be informed
- Your right of access
You have the right to ask us for copies of your personal data held by OPRI.
- Your right to rectification
You have the right to ask OPRI to change or correct information you think is inaccurate about you. You also have the right to ask OPRI to complete information you think is incomplete.
- Your right to erasure
You have the right to ask OPRI to erase your personal data in certain circumstances.
- Your right to restriction of processing
You have the right to ask OPRI to restrict the processing of your information in certain circumstances.
- Your right to object to processing
You have the right to object to processing if we are able to process your information because the process is in our legitimate interests.
- Your right to data portability
This only applies to information you have given to OPRI. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information with your consent.
12. You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please note that we are only able to help you exercise your data protection rights if we hold your personal data and we can identify you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
ACCESS TO AND CORRECTION OF PERSONAL DATA
13. If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold, you may submit your request in writing or via email to the HR department. We will respond to your access request as soon as reasonably possible. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the Data Protection Laws).
14. Please note that depending on the request that is being made, we will only need to provide you with access to the personal data contained in the documents requested, and not to the entire documents themselves. In those cases, it may be appropriate for us to simply provide you with confirmation of the personal data that our organisation has on record, if the record of your personal data forms a negligible part of the document.
PROTECTION OF PERSONAL DATA
15. To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures to secure all storage and transmission of personal data by us and disclosing personal data both internally and to our authorised third-party service providers and agents only on a need-to-know basis.
The steps we take to keep the personal data we collect secure include:
- Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.
- Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.
- Regularly ensuring that our staff and contractors only access personal data when needed.
- Ensuring our staff and contractors are regularly trained on data protection at least annually.
- Conducting regular internal audits to assess compliance with these measures and the UK GDPR/DPA or PDPA.
- Observational & Pragmatic Research International Limited is a registered data controller with the Information Commissioner’s Office, registration number: Z190430X.
16. You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures
ACCURACY OF PERSONAL DATA
17. We generally rely on personal data provided by you (or your authorised representative). To ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our HR department in writing or via email at the contact details provided below.
RETENTION OF PERSONAL DATA
18. We may retain your personal data for as long as it is necessary to fulfil the purposes for which they were collected, or as required or permitted by applicable laws.
19. We will cease to retain your personal data or remove the means by which the data can be associated with you as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data were collected and are no longer necessary for legal or business purposes. Please refer to OPRI’s Documents and Records Management Policies for further information on data retention schedules for various types of data including employee or staff personal data.
TRANSFERS OF PERSONAL DATA OUTSIDE OF THE UK OR SINGAPORE
20. For employees within the UK, if we transfer your personal data to countries outside of the UK, we will take steps to ensure that your personal data continues to receive the standards of adequate protection required by Data Protection Laws.
21. For employees within Singapore, if we transfer your personal data to countries outside of Singapore, we will take steps to ensure that your personal data continues to receive the standards of adequate protection required by Data Protection Laws.
DATA PROTECTION OFFICER AND CONTACT OPRI
22. You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures; or if you wish to make any request, in the following manner:
Our Data Protection Officer is Sophie Harriman. You can email her at firstname.lastname@example.org or write to her using our postal address below. Please mark the envelope ‘Data Protection Officer’.
23. Additionally, If you have any questions or complaints or you require any information about how we handle personal data at OPC, please contact our Data Protection Team by email, phone or post using the details below:
Write to us: Warren House, Sankence, Aylsham, Norfolk, UK NR11 6UN
Email us: email@example.com
Phone us: 01223 967 855 (UK) or (+65) 3105 1489 (Singapore)
24. In the UK, you can make a complaint about the way we process your personal data to the Information Commissioner’s Office (ICO) using their contact information below. You can also request independent advice from the ICO.
Phone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ICO website: https://ico.org.uk/make-a-complaint/
In Singapore, you can make a complaint about the way we process your personal data to the Personal Data Protection Commission.
Phone: +65 6377 3131
Post: 10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438
EFFECT OF NOTICE AND CHANGES TO NOTICE
25. This Notice applies in conjunction with any other policies, notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
26. We keep our privacy notice under regular review to make sure it is up to date and accurate. When we make changes to this notice, we will amend the last updated date at the bottom of this page. Any update to this notice will be applied to the handling of personal data as of that update date.
Privacy Notice last updated 5 September 2022