Staple HR

Privacy Policy

We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
This notice was last updated on October 2024, and complies to UK GDPR, underpinned by the Data Protection Act (2018), and additional relevant UK data protection legislation, regulated by the Information Commissioners Office (ICO).

Scope & Responsibilities
Our scope is any data subject, whose personal data is collected whilst we are providing services to our paying clients, or responding to a query, in line with the requirements under the Data Protection Act (2018) and UK GDPR. Sapern HR Ltd must adhere to the UK GDPR data processing principles when processing personal data. These principles require any personal data processing to be carried out in a lawful, fair, open, and transparent manner. Sapern HR Ltd has further responsibilities with regards to controlling and processing personal data, which fall under the responsibility of the data protection lead.
All associates and employees of Sapern HR Ltd who interact with data subjects are responsible for ensuring that this privacy notice is drawn to the data subject’s attention.

Who are we?
Sapern HR Ltd are an HR and business support services company providing tailored HR support, Professional Training and Education, and a DPO Service to clients who are mainly SMEs in Primary Care and Care Home Sectors. We offer telephone advice, e-mail support and on-site support and can also conduct meetings (disciplinaries, grievances, absence management) on behalf of the company so will be privy to very sensitive data when required by our clients.

Sapern HR Ltd is a private limited company, registered in England and Wales, under company registration number 13952737.

Sapern HR Ltd is registered with the ICO under registration number ZB530803.

We collect, control and process certain personal information about you, when we do so we are regulated under the UK General Data Protection Regulation, which is underpinned by the Data Protection Act (2018) and other relevant UK data privacy legislation.
We are responsible as the data controller & data processor for all personal information collected, controlled, and processed under those laws and regulations. The DPO of Sapern HR Ltd is Liberty Apted, who can be contacted via email at liberty@sapernhr.co.uk, or phone on 0117 4715047.

Lawful bases for processing of personal data:
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these will apply whenever Sapern HR Ltd processes your personal data:
• Contract – the processing is necessary for Sapern HR Ltd to fulfil the obligations of an agreement, contract, or service level agreement (SLA) for the provision of our HR, Training, DPO and business support services. Both parties would be provided with a copy of the contract and directed to this Privacy Notice.
• Legal Obligations – the processing is necessary for Sapern HR Ltd to meet the requirements of a UK law and/or regulatory compliance. Sapern HR Ltd will identify the source for obligation (e.g., Immigration Law) and explain why your personal data is required to meet such obligations.
• Legitimate Interests – the processing is necessary, as Sapern HR Ltd has ascertained the legitimate interest of the individual/organisation and explained why the processing of personal data is required to action the legitimate interest.
You can find more about the UK GDPR lawful bases here or by visiting www.ico.org.uk

What information we collect about you.
The personal data you have provided, or we have collected from you, includes but is not limited or restricted to:
• Personal Contact Data (e.g., addresses, contact name, email addresses, telephone numbers)
• Employee Data (e.g., payroll number, recruitment information, training information)
• HR Service Data (e.g., right to work data, emergency contact details, employee performance related data, disciplinary and grievance data, maternity leave data, paternity leave data, exit interviews etc.)
• Special Category (Sensitive) Data – (e.g. supporting Occupational Health processes, when aspects of a staff member’s health is directly relevant to a Client’s query for HR or DPO) Further information on this is detailed below under the ‘Special Category Data’ section.

Special category data
Special category data is personal data that needs more protection because it is sensitive. For Sapern HR Ltd to lawfully process special category data, we must identify both a lawful basis under UK GDPR Article 6 (see above) and a separate condition for processing under UK GDPR Article 9 (see below). Some conditions in UK GDPR Article 9 require an associated condition from Schedule 1, Part 1 of the Data Protection Act (2018). These do not have to be linked. Sapern HR Ltd may be required to process the following special categories of personal data (in brackets we have detailed either the UK GDPR Article 9 condition or the Data Protection Act 2018 Schedule 1, Part 1 condition as required by law):
• Racial or ethnic origin (Employment, social security, and social protection if authorised by law  – e.g. where relevant to supporting Client queries, conducting HR matters on their behalf where instructed)
• Religious beliefs (Employment, social security, and social protection if authorised by law – e.g. where relevant to supporting Client queries, conducting HR matters on their behalf where instructed)
• Trade union membership (Employment, social security, and social protection if authorised by law) yes
• Data concerning health (Health or social care with a basis in law)


Each individual data subject and their relevant special (sensitive) category data will be assessed, regards processing, to ensure it is necessary for the processing to take place. Data subjects will be informed.
Sapern HR Ltd has identified a UK GDPR Article 9 condition & Data Protection Act (2018) associated condition as set out in Schedule 1, Part 1 for the above processing of special category data. Further details are provided here:
• Explicit Consent – the data subject has given explicit consent to the processing of their personal data for one or more specified purposes, except where domestic law provides that the prohibition referred to may not be lifted by the data subject.
• Employment, social security, and social protection (if authorised by law) – This condition is met if:
(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security, or social protection, and
(b) when the processing is carried out, the controller has an appropriate policy document in place (e.g., employment contract, etc.).
• Health or social care with a basis in law – This condition is met if the processing is necessary for health or social care purposes. In this condition health or social care purposes’ means the purposes of:
(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee.

How we use your personal information
Sapern HR Ltd uses your personal information:
• To pre-qualify which of our services are suitable for your requirements (e.g., responding to website contact forms, written correspondence, email requests for our services, telephone calls, referrals).
• To provide our services (e.g., providing advice to a client on an employee relations case in relation to one of their employees or patients, writing letters on behalf of clients, such as communicating the outcome to a disciplinary hearing, grievance hearing or complaint).
• To communicate with you, via official Sapern HR Ltd communication channels such as email or phone (e.g. to fulfil the objectives as outlined in the agreements and contracts).
• To facilitate client and prospect meetings (e.g., to set-up and confirm meetings, either electronically via video call, such as Microsoft Teams or Zoom or to arrange site meetings at nominated premises. Additionally Sapern HR Ltd will also conduct meetings on alongside or on behalf of their clients, such as long-term absence meetings with employees).
• To provide client aftercare and client support (e.g., obtaining feedback, contract renewal).
• To keep you informed of any Sapern HR Ltd company updates (e.g., changes to this privacy notice, other important company updates).
• To produce invoices and receipts for our various services (HR, Training, DPO).
• To provide compliance with all the Legal requirements of England and Wales.

Who we share your personal information with?
Sapern HR does not share data with or use 3rd party software or services for the routine provision of our services. Onward sharing of personal data is only conducted from Sapern HR when instructed to do so by a Client. Where relevant, given the nature of the services provided to you by Sapern HR Ltd, we may also share your personal data with the following categories of third parties:
• Fraud prevention agencies, money laundering agencies and associations.
• Regulators and law enforcement agencies, including the police, HM Revenue and Customs or any other relevant authority who may have jurisdiction.
We would always inform you ahead of acting on any instructions to proceed with any of our services, should this be the case.
This data sharing enables Sapern HR Ltd to supply the above services to you in a professional and timely manner, whilst undertaking quality control & regulatory compliance procedures.

Whether information must be provided by you, and if so, why?
The provision of certain personal data including (but not limited to) contact name, email address & telephone number is required from you. This enables Sapern HR Ltd to provide our HR consultancy, training and DPO services to you.
It may also be a legal requirement to obtain proof of identity from time to time. If this is required, we will explain why, what identification is required, how long the personal data will be kept on file and the necessity for the processing.
We will inform you at the point of collecting information from you, whether you are required to provide this and any other additional information to us.

International Data Transfers
Sapern HR Ltd does not control, process, or transfer personal data outside of the UK.
Should this situation change, Sapern HR Ltd would issue a company update via our official communication channels to all affected parties. This Privacy Notice would also be updated.
Further information on International Data Transfers both within the EU and Internationally is provided by the Information Commissioners Office.

How long your personal information will be kept?
• We will retain your personal information for several purposes, as is necessary to allow us to carry out our business in accordance with our contract, legal obligation, or legitimate interests.
• Any retention of personal data will be carried out in compliance with legal and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation or regulations.
• Your information will be kept for the relevant statutory retention period after the completion of the contract on our main systems, after which time it will be archived, deleted, or anonymised depending on the content of the material and whether there is any continuing legal need or  legitimate interest for it to be retained.
• We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any HR, legal, accounting, reporting requirements and retention periods applicable to the services we provide.
• To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
• Any personal data held in hard document copy is stored securely. If a retention period has passed and no further purpose for retention established, we ensure that these hard copies are securely destroyed, with written confirmation provided where required.

Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator (e.g., ICO) of a suspected data security breach where we are legally required to do so.

Cookies
We use cookies to collect, store and share bits of information about your activities when you use our website.
Cookies do different things, like letting you navigate between pages quickly and generally improving your experience of a website. If a website does not use cookies, it will think you are a new visitor every time you move to a new page on the website – for example, when you enter your login details and move to another page it will not recognise you and it will not be able to keep you logged in.
Sapern HR Ltd only use non-personal data essential cookies on this website to track the performance of the website via Google Analytics. This non-personal data helps us to understand how to improve the website content for the benefit of all users. You can choose to enable or disable some or all of these cookies but disabling some of them may affect your browsing experience. You can also visit www.aboutcookies.org for further guidance.

Your rights
Under the UK GDPR you have several important rights free of charge. At any point while we are in possession of or processing your personal data, you, the data subject (living person), have the following rights:
• Right to be informed – you have the right to know why we are collecting and processing personal data and this right is met by the provision of this privacy notice and any subsequent updates.
• Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Right to object – you have the right to object to certain types of processing such as direct marketing.
• Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the Information Commissioner’s Office (ICO) on individuals rights under the UK GDPR.
If you would like to exercise any of those rights, please:
• call, email, or write to us in the first instance.
• let us have enough information to identify you,
• let us have proof of your identity and address (a copy of your driving licence or passport
and a recent utility or credit card bill), and
• let us know the information to which your request relates?

Changes to this privacy notice
This privacy notice was last reviewed and published on 27th October 2024.
We may change this privacy notice from time to time; we will inform you via our
company communication channels and company website of any updates or significant changes.

How to complain
We hope that we can resolve any query or concern you raise about our use of your personal data.
The UK General Data Protection Regulation also gives you right to lodge a complaint with a
supervisory authority.
The supervisory authority in the UK is the Information Commissioners Office (ICO) who may be contacted here or by telephone on 0303 123 1113.

How to contact us
Please contact us if you have any questions about this privacy notice or the information, we hold about you.
The data protection lead is Liberty Apted of Sapern HR Ltd.
Sapern HR Ltd can be contacted via email on liberty@sapernhr.co.uk or via phone on 0117 4715047