Honeydew Engage Fair Processing Notice
In this fair processing notice, “The client” or “the controller” means employer organisations, who contract Honeydew services. “Personal information” means information about the employees of the client, and from which the employee could be identified, including information which may be protected under the privacy or current data protection laws.
Honeydew as a data processor
It is Honeydew’s policy to:
- Process personal information fairly and in accordance with applicable laws;
- Keep your personal information secure, and limit the people who can access it;
- Only act on the written instructions of the controller;
- Ensure that people processing the data are subject to a duty of confidence;
- Take appropriate measures to ensure the security of processing;
- Only engage sub-processors with the prior consent of the controller and under a written contract in similar terms;
- Assist the controller in providing subject access and allowing data subjects to exercise their rights under data protection legislation;
- Assist the controller in meeting its data protection legislation obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- Delete or return all personal data to the controller as requested at the end of the contract; and
- Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing data protection legislation.
More information about Honeydew’s approach to privacy and data protection is outlined in our Information Security Policy.
What personal information does Honeydew process?
Data fields – Employee personal information:
- Employee ID
- First name
- middle name
- surname
- sex
- date of birth
- home telephone
- business telephone
- mobile
- job title
- absence cost per day
- first manager id
- second manager id
- current employee role id
Data fields – Absence data:
- start date
- expected end date
- confirmed return date
- taking medication
- medical appointment arranged
- medical appointment date
- absence cause notes
Absence management tasks and meeting record forms:
- Return to work interviews
- Review meetings
- Consider OH referral (yes/no)
- Sick pay decisions
- Welfare calls
And any uploaded documents such as sick or fit notes.
How do we protect your data?
We have security arrangements in place to guard against unauthorised access, improper use, alteration, destruction or accidental loss of your personal information. Our employees and subcontractors are required to help with this by ensuring that all personal information is kept secure.
We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that any personal information we hold on computer systems is not accessed by anyone it shouldn’t be. Information about the IT Security standards we use to protect your personal information can be found in our Information Security Policy.
Application hosting
All data is stored in the UK.
Honeydew servers are hosted in state-of-the-art data centres with all industry standard security methods in place, including firewalls. Honeydew backup servers are hosted at a geographically separate data centre from the main application.
Data transfers
Electronic data transfers take place over secure socket layer (SSL) connections, which is the industry standard. All changes made to data in the Engage databases are recorded, as are the time of change and user making the change. Access to the software platforms is authenticated by username and user-defined password. All passwords are stored in an encrypted format in the Engage database.
Contact centre
Honeydew contracts Ventrica contact centre to handle employee’s calls and input data to the Engage database. Ventrica’s administrators have write-only access to the absence database and as such cannot obtain or send data off-site. Their access to applications other than those required for their role is restricted so no data can in any eventuality be sent off-site via email etc.
Access controls for end users
Users of Engage have specified user profiles defining their level of access. Each user only has access to data or records that fall within their pre-defined management area. This can be specified by individual records or by organisation hierarchy / departments. Client-side administrators authorised by the data controller manage the access permissions.
Absence notifications
As a part of Honeydew service, instant absence alerts can be delivered via email and/or SMS to nominated users. The alerts include the following personal information:
| Content of email alerts | Content of SMS alerts |
| Name of employee | Name of employee |
| Employee ID | Employee ID |
| Company | Department |
| Department | Start date of absence |
| Contact number | Expected return date |
| Start date of absence | Confirmed return date |
| Expected return date | Cause of absence (optional) |
| Confirmed return date (where available) | Contact number (optional) |
| Cause of absence (optional) | |
| Employee answers to custom questions (optional) | |
| Additional notes (optional) |
The controller specifies in their settings who receives what level of information and how the alerts are delivered.
How long will we keep your data?
Honeydew will keep the client data until otherwise instructed by the data controller.
It is recommended that employee absence records are kept for as long as the employee is employed by the company. After the employment comes to an end, the employee personal information should be kept as long as necessary for purposes of defending possible tribunal and court claims. Any data related to sick pay records must be kept for a minimum of 3 years from the end of the tax year they relate to, in accordance with HMRC regulations.
Subject access
Right to request access
Employees have the right to request access to the personal information that is held about them. The data must be made available to the data subject in a portable format.
Requests for access to personal records must be submitted in writing by the data controller. You should include the following details:
- employee full name
- email address accessible by the employee
Honeydew will process the requests within 30 days.
Right to rectification, to erasure, to request restriction and to object to processing
Employees have the right to request that inaccuracies in the data we hold are rectified.
Employees have the right to request their personal data to be erased, where there is no conflicting legal requirement for the data controller to maintain the personal information.
Employees have a right to request restriction of processing or to object to their personal information being processed.
Any employee requests should be verified by the data controller and submitted in writing to Honeydew. The requests will be processed within 30 days.
Right to lodge a complaint with the supervisory authority
Employees have a right to lodge a complaint with The Information Commissioner if not satisfied with the way we process personal data or our response to a request submitted under the rights outlined here.
End of contract
Should the service agreement between Honeydew and the data controller come to an end, Honeydew will return or delete all records relating to the client.
The notice to terminate the service agreement should be submitted in writing in accordance with the terms of the contract including instructions about whether the data should be deleted or returned to the client.
In the event that the data controller fails to instruct Honeydew on how to process the data at the end of the contract, Honeydew shall maintain the records for 6 months and then destroy them.