Project Privacy Notice

This Project Privacy Notice (“the Notice”) sets out the information relating to how the Company processes Personal Data relating to you in relation to your work, attendance and other activities concerning the relevant works project site you are based at (“the Site”) and the Project being undertaken by the Company at the Site.

This Notice applies to all Employees, applicants, contractors, and other individuals who attend the Site or whose data is otherwise collected and processed as part of its delivery of the Project.

This Notice is in addition to, and supplements, our Employee Privacy Notice (for Employees of the Company), our Corporate Privacy Notice (for other persons), and, for all persons (as applicable), the other Company policies relating to data protection, acceptable use, CCTV recording, criminal records (convictions / allegations), meeting recording, drug and alcohol testing and data retention.

Purpose

The Company values your privacy and is committed to protecting the privacy and security of your Personal Data.  This Notice sets out in more detail our practices in relation to the collection and use of your Personal Data.

Business Purpose

means the purposes for which Personal Data may most commonly be used by the Company, e.g. personnel, administrative, financial, regulatory, payroll, security and business development purposes. 

Company

means Balfour Beatty Group Limited and its affiliates

Personal Data

means information relating to a living individual, such as job applicants, current and former employees, agency, contract and other Employees, clients, suppliers and marketing contacts who can be identified from that data or from that data and other information which the Company has or is likely to have. This can include name, address, email address, financial information, CCTV images, MAC and IP addresses, location data, aliases, preferences and profiles, amongst other things

Processing

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Project

means the relevant construction or infrastructure works, engineering and/or design project at which the Company is carrying out works or activities

Sensitive Personal Data/Special Category Data

means Personal Data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic data, biometric data for the purpose of uniquely identifying a person, data concerning physical or mental health or condition, sexual life or sexual orientation, criminal offences/allegations, or related proceedings. Any use of sensitive Personal Data must be strictly controlled in accordance with this notice

Employees

means all directors, employees, interns, volunteers and temporary Employees of the Company

Supervisory Authority

means the independent regulatory body responsible for monitoring the application of data protection law in its jurisdiction. The UK’s Information Commissioner’s Office is the Supervisory Authority for the Company

Your Personal Data may be collected in different ways when you visit or work on the Site.

These include the following:

Information you give to the Company: such as on forms you fill in or copies of documents you provide (for example: during site induction and training related to your work on Site). We also collect information about your next of kin and/or family for the purposes of contacting them in an emergency (such as a serious accident).

Information collected on site: such as CCTV, other security, and Site access systems.

Information given to the Company by others: for example, from sub-contractors or other companies working on the Site, occupational health reports, results of drug and alcohol testing and security and vetting services (where applicable for your job role or if mandated on your Project).

Information created on site: such as rosters, management reports (for example, attendance and payments), information for site management, managing Employees and contractors on Site and health and safety reports.

To collect and use Personal Data we must have a lawful basis.

The legal bases for collecting and using your Personal Data for the Site are:

Consent: the individual has given clear consent for us to process their Personal Data for a specific purpose.

Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract (for example your employment contract if an Employee, or where we contract directly with you to work on the Project as a contractor).

Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations), for example, complying with health and safety obligations, such as health and safety accident recording and complying with immigration law when verifying your Right to Work documentation.

Vital interests: the processing is necessary to protect someone’s life in extreme circumstances (for example in the event of a serious accident).

Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect Personal Data which overrides those legitimate interests.

In limited circumstances, we may also process Sensitive Personal Data about you (including diversity information, criminal records and drugs and alcohol testing). Most often we may process this Sensitive Personal Data where:

  • we need to carry out our legal obligations or exercise rights in connection with employment;
  • we need to establish, exercise, or defend a legal claim;
  • where the processing is necessary for the assessment of your working capacity, occupational health, obtaining a medical diagnosis (including fitness for work general practitioner doctor notes and sickness notes) or where it is needed in the public interest (such as equal opportunities monitoring);
  • in limited circumstances we will process sensitive personal information for other purposes, where we have established it is legal, proportionate and that sufficient protections are in place; or
  • in exceptional circumstances we may process this data with your explicit consent.

The Company will only process criminal conviction/allegations and data in accordance with its Criminal Record Processing Policy (available on request and on our internal intranet BMS site) and where necessary for:

  • performance of an employment contract;
  • carrying out obligations and exercising rights under employment and social security law;
  • compliance with a legal obligation; establishment, exercise or defence of legal claims; or compliance with a regulatory requirement to establish whether an employer or applicant has committed an unlawful act or been involved in dishonesty, malpractice, or improper conduct if consent cannot reasonably be relied on.

The Company will only use your Personal Data where we have a legal basis to do so.

For further information concerning the types of Personal Data we process and our lawful basis please see Appendix 1 of this Notice.

We need to collect and use your Personal Data for various purposes, linked to the legal basis:

Employee Management: We use Personal Data and Special Category Data to enter into an employment contract and to manage your employment relationship while working on the site (for matters relating to HR and benefits, this data will be processed in line with our Employee Privacy Notice, if you are a Balfour Beatty Employee).

Site Management: We use Personal Data for our legitimate interests for the effective management and operation of the site, including in line with the agreed contracts (with our client and sub-contractors). For example, site attendance logs, site jobs, management reporting etc.

Managing the Project: We use Personal Data and, if applicable, Special Category Data to manage the contracts for Project with our client(s), our partners, sub-contractors, and suppliers.

Health and Safety: We use Personal Data and Special Category Data where we are required or have an obligation by law or in our legitimate interest to ensure we comply with our duty of care for the safe operation of our site and the health and safety of those who visit and work on the site.

Security: We use your Personal Data for our legitimate interests to ensure the security and integrity of the site.

Legal obligations: We use your Personal Data and Special Category Data where we are required or have an obligation by law.

Sustainability: We use your Personal Data for statutory and/or contractual reporting requirements on (i) sustainability and estimated CFC emissions re: parties travelling to and from Balfour Beatty sites for Balfour Beatty customers and/or public authorities and (ii) apprenticeship demographics data for statistical and reporting purposes.

Diversity and Inclusion: We use Sensitive Personal Data for reporting and analytics purposes, to ensure that we meet Balfour Beatty’s commitment to Diversity and Inclusion in the workplace.

Further Processing: We may use your Personal Data and Sensitive Personal Data for other legitimate interest reasons, such as obtaining professional advice, internal/external auditing (such as client project cost/compliance audit requests), internal management reporting, engaging with regulators, legal proceedings, detecting and preventing unlawful acts, sale/purchase of business, exit management of project etc.

Unless otherwise specified under a separate privacy notice, we don’t use solely automated decision-making or profiling using your Personal Data. If you suspect that your Personal Data has been subject to automated decision-making, please contact dataprivacy@balfourbeatty.com.

Some Personal Data that we collect from you is held securely on Site. Personal Data may be shared between:

  • The Company and other companies within the Company's group and which may involve the sharing of your Personal Data outside of the UK/ European Economic Area (EEA);
  • third party suppliers who provide IT or other services to the Company and which may involve the sharing of your Personal Data outside of the UK/ European Economic Area (EEA); and
  • other third parties, for example our clients, sub-contractors, insurers, legal advisors, medical advisors, professional advisors, Regulators, the Police, law enforcement authorities, the Courts, or other public bodies and which may involve the sharing of your Personal Data outside of the UK/ European Economic Area (EEA).

The Company is able to share your Personal Data as set out above as it:

  • has an agreement in place between the Company and its group companies on terms which protect the data and allow it to be shared outside of the UK/EEA with such parties;
  • has an agreement in place between the Company and the relevant third-party on terms which protect such data and allow it to be shared outside of the UK/EEA with such parties; and
  • is required to share the Personal Data by law. This may, in some circumstances, involve Special Categories of Personal Data where relevant.

We may also share your Personal Data with other third parties at your request. We share Personal Data with:

  • regulatory or enforcement authorities (such as the police) or the courts, when requested or when we are required to by law;
  • the client, sub-contractors, or suppliers under the terms of the contracts for the Project (or with Balfour Beatty) for the effective management of the site and the project;
  • our professional or medical advisors to obtain legal, financial, medical, regulatory or other advice; or
  • our security contractors where security of the Site (including CCTV, where deployed) may be contracted to another company.

Disclosure of your Personal Data will be limited to what is reasonably necessary in the circumstances and, where feasible, confidentiality and security measures will be put in place.

Where possible we will inform you if third parties have their own privacy notices.

To help protect the privacy and confidentiality of your Personal Data, we maintain physical, technical and administrative safeguards.

We restrict access to your Personal Data to those Employees, partners, and contractors who need to know that information for managing the Project and Site Management, HR/benefits or for providing services to the Project.

In addition, we train our Employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our Employees' privacy responsibilities.

Unless specified otherwise in our Records Management Policy, Personal Data we collect will generally be stored for the:

  • Duration of your visit (visitors)
  • Duration of the Project (contractors) or your employment (Employees) plus 7 years

CCTV images are held in line with our CCTV Policy – usually 30 days or longer, if required by law, by regulatory authorities or if there are legal proceedings.

A full copy of our Records Management Policy can be found here: https://www.balfourbeatty.com/recordsmanagement

Under the Data Protection Laws you have the following rights:

  • the right to be informed if Personal Data about you is processed;
  • the right of access to your Personal Data;
  • the right to rectification of your Personal Data, in some circumstances;
  • the right to erasure of your Personal Data, in some circumstances;
  • the right to restrict processing of your Personal Data, in some circumstances;
  • the right to data portability, in some circumstances;
  • the right to object to the processing of your Personal Data, in some circumstances;
  • the right to withdraw consent to the processing of your Personal Data, where applicable.

If you wish to exercise your rights, please see our online Data Subject Request (“DSR”) portal here. Alternatively, you can email your request to DSR@balfourbeatty.com. Your request will be dealt with promptly and the information to which you are entitled will be provided to you no later than one month (except in extenuating circumstances) from when we receive your request, subject to the requirements and exemptions of data protection laws. If such extenuating circumstances mean we are unable to comply with your request within one month, we will tell you as soon as possible about this delay.

If you have a complaint or concern around the use of your Personal Data in the context of your employment or work on Site, please discuss this with your line manager or HR in the first instance.

You may also put your complaint or concern in writing to the Group Data Protection Officer - dataprivacy@balfourbeatty.com. We will try to assist you and resolve any concerns or complaints.

In the event you are dissatisfied with the response of the Group Data Protection Officer, you have the right to complain to the Supervisory Authority. You can find out more using the Information Commissioner’s Office website (www.ico.org.uk) or you can write to them at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Procedural requirements 

The controller of your Personal Data is the Company, being the operator of the Site. The person with ultimate responsibility for maintaining and reviewing this notice is the Company’s Group Data Protection Officer.

In the event that arrangements or purposes for the processing of your Personal Data are to be materially revised, the Company shall issue an updated version of this Notice, or a supplement to it, to inform you of the proposed changes.

Your Personal Data will only be processed in accordance with Data Protection Law and for the purposes set out in this Notice and the Company will not process your Personal Data in any manner incompatible with those purposes unless we are required by law to do so.

Changes to this Privacy Notice

This Notice will be located in multiple locations including, but not limited to: the Balfour Beatty website, the Balfour Beatty Business Management System, and Site notice boards. We will take reasonable measures necessary to inform you of changes to this Notice.

This Notice was last updated on 8th of September 2021

Appendix 1: Details of the Personal Data we collect and use

As set out above under “Lawful basis for collecting and using your data” and “Why we need your data”, we use the following types of information:

Personal data

Summary of data use

CVs, applications and qualifications

Entering employment contracts.

Legal Obligations (such as ensuring qualifications for trade roles on site)

We also use this information for employees and contractors for various reasons including:

  • Site Management
  • Resourcing and/or recruitment
  • Managing the Project
  • Health and Safety
  • Security
  • Further Processing

 

 

Managing employment contracts/employment relationship

We also use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Site access control
  • Managing the Project
  • Health and Safety
  • Security
  • Client audit requests
  • Further Processing

Contact details (address, email, phone number)

Managing employment contracts/employment relationship

We also use this information for employees, contractors and visitors for various legitimate business reasons including:

  • Site Management
  • Site access control
  • Managing the Project
  • Health and Safety
  • Security
  • Client audit requests
  • Further Processing

Passport/Driving Licence

Entering and Managing employment contracts/employment relationship

Legal Obligations (such as the right to work)

We also use this information for employees, contractors and visitors for various legitimate business reasons including:

  • Site Management
  • Health and Safety
  • Security
  • Further Processing

Date of Birth

Entering and Managing employment contracts/employment relationship

Legal Obligations (we need to ensure a duty of care for those who work on site – e.g. apprenticeships)

We also use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Security
  • Site access control
  • Client audit requests
  • Further Processing

NI number

Entering and Managing employment contracts/employment relationship

Legal Obligations (such as PAYE or tax reporting)

We also use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Site access control
  • Managing the Project
  • Health and Safety
  • Client audit requests
  • Further Processing

Photograph

We use this information for employees, contractors and visitors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Security
  • Further Processing

Trade qualification and CSCS Card number

Legal Obligations (such as ensuring qualified for trade role on site)

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Site access control
  • Managing the Project
  • Health and Safety
  • Security
  • Further Processing

National Security Vetting Levels

Legal Obligations (such as national security requirements)

We use this information for employees, contractors and visitors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Security

Trade Union Membership/Representative

We collect this information from you with your explicit consent

We use this information for: 

  • Site Management (for example: management engagement on worker issues)

Training record

Managing employment contracts/employment relationship

Legal Obligations (such as ensuring legally required training for trade qualifications is up to date)

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Site access control
  • Managing the Project
  • Health and Safety
  • CITB and training levy and accreditation requests
  • Further Processing

Induction information/course

Legal Obligations

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Site access control
  • Managing the Project
  • Health and Safety
  • Security
  • Further Processing 

Induction date

Legal Obligations

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Site access control
  • Managing the Project
  • Health and Safety
  • Security

Next of kin

We use this information for employees and contractors for various legitimate business reasons including:

  • In the event contact is necessary (for example in a serious accident).
  • Site access control

Mileage to site and mode of transport

Managing employment contracts/employment relationship

We also use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Security
  • Cost validation
  • Sustainability reporting
  • Further Processing

Vehicle registration number

We use this information for employees, contractors and visitors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Security
  • Further Processing

CCTV images (incl. drones/body worn cameras)

We have a legitimate interest to use CCTV for site security and crime prevention and detection.

In specific circumstances, we also have a legitimate business interest to use CCTV images as evidence in investigations relating to grievance and disciplinary proceedings in line with our CCTV Policy.

Site Rosters (including absences: holiday and sickness)

Managing employment contracts/employment relationship

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Security
  • Client audit requests
  • Cost validation
  • Further Processing

Site access and attendance records

Managing employment contracts/employment relationship

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Site access control (entry and exit logs)
  • Managing the Project
  • Health and Safety
  • Security
  • Client audit requests
  • Cost validation
  • Further Processing

Personal Improvement Plans

Managing employment contracts/employment relationship

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Further Processing

Remuneration Information

Managing employment contracts/employment relationship

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Client audit requests
  • Cost validation

Disciplinary investigations and information

Managing employment contracts/employment relationship

We also use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Further Processing

Grievance investigations and information

Managing employment contracts/employment relationship

We also use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Further Processing

Gender

Managing employment contracts/employment relationship

We use this information for employees and contractors for various legitimate business reasons including:

  • Diversity and Inclusion (including requests for diversity and inclusion data from our clients)

 

Special Category Data

Biometrics

We use this information with your explicit consent for our access and security systems

Fit to work (physiological data/data relating to health)

Entering and Managing employment contracts/employment relationship

Legal Obligations (such as for considering disability reasonable adjustments)

We also use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Security
  • Further Processing

We process this special category data to fulfil our obligations or rights as an employer or for reasons of substantial public interest

Capability Information

Managing employment contracts/employment relationship

Legal Obligations (such as employment obligations and considering disability reasonable adjustments)

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Further Processing

We process this special category data to fulfil our obligations or rights as an employer or for reasons of substantial public interest

Drug and Alcohol Test Results

Legal Obligation

We use this information for employees and contractors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety
  • Further Processing

We process this special category data to fulfil our obligations or rights as an employer or for reasons of substantial public interest

Thermal imaging/temperature (Covid-19)

We use this information for employees, contractors and visitors for various legitimate business reasons including:

  • Site Management
  • Managing the Project
  • Health and Safety

We process this special category data to fulfil our obligations or rights as an employer or for reasons of substantial public interest

Equality Information (including race, ethnicity, religion, sexual preference)

Managing employment contracts/employment relationship

Legal Obligations

We use this information for employees and contractors for various legitimate business reasons including:

  • Managing the Project
  • Diversity and Inclusion (including requests for diversity and inclusion data from our clients)

We process this special category data to fulfil our obligations or rights as an employer or for reasons of substantial public interest