Privacy Policy

The companies within TMG, which includes the companies listed below (collectively referred to as “us”, “we”, “our” or “the Group”) are committed to protecting the privacy and security of your personal information.

• All About Money Limited (trading as think2claim)
• CredAbility Limited
• Financial Wellness Group Limited
• Freeman Jones Limited
• Gregory Pennington Limited
• Ideal Finance Limited
• Intelligent Lending Limited (trading as Ocean and Ocean Finance)
• Think Insure Limited
• Think Money Limited
• TMG Limited
• Wilson Andrews Limited

This privacy policy describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the data privacy laws and regulations.

This privacy policy applies to potential, current and former employees, workers and contractors. This notice does not form any part of any contract of employment or other contract to provide services.

If you have any questions about how we may use your personal information you can contact us using the details below or speak to your manager.

HR Manager
TMG
Think Park
Mosley Road
Trafford Park
Manchester
M17 1FQ

Email: careers@tmg.co.uk

It is important that you read and retain this privacy policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data privacy laws and regulations.

Date last updated: 27/11/2019

We will collect, store, and use the following categories of personal information about you:

• Personal contact details such as name, title, address, telephone numbers and personal email addresses
• Date of birth
• Gender
• Marital Status and dependants
• Next of kin and emergency contact information
• National Insurance number
• Bank account details, payroll records and tax status information
• Salary, annual leave, pension and benefits information
• Start date and, if different, the date of your continuous employment
• Leaving date and your reason for leaving
• Location of employment or workplace
• Copy of your driving licence (for ID purposes or if your role requires this)
• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
• Employment records (including job titles, work history, working hours, holidays, training records and professional memberships)
• Compensation history
• Performance information
• Disciplinary and grievance information
• CCTV footage and other information obtained through electronic means such as swipe card records
• Information about your use of our information and communications systems
• Photographs
• Results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied
• Information from fraud prevention agencies

We may also collect, store and use the following “special categories” of more sensitive personal information:

• Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
• Trade union membership
• Information about your health, including any medical condition, health and sickness records, including:
  • records relating to the decision to leave employment, where the reason for leaving is determined to be ill-health and where the records are also needed for pensions and permanent health insurance purposes;
  • details of any absences (other than holidays) from work including time on statutory maternity or parental leave and sick leave; and
  • occupational health records or where reasonable adjustments may be required.
• Genetic information and biometric data
• Information about criminal convictions and offences

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out obligations and provided we do so in line with our data protection policy.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.

We are allowed to use your personal information in this way to carry out our legal obligations for employee vetting requirements. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

We can only use your personal information where it falls into one or more of the following categories:

• it is necessary to fulfil a contract we have with you;
• you have provided your consent;
• we have a legal or regulatory obligation to do so;
• it is necessary to carry out a task which is in the public interest;
• it is necessary to protect your vital interests; or
• it is in our legitimate interest to do so and it is not against your rights.

The table below sets out how we will use your personal information and under what lawful basis.

Reason for processing personal information

Lawful basis

• Making a decision about your recruitment or appointment
• Determining the terms on which you work for us
• Checking you are legally entitled to work in the UK
• Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions (NICs)
• Providing you with relevant benefits offered during the course of employment
• Administering the contract we have entered into with you
• Business management and planning, including accounting and auditing
• Conducting performance reviews, managing performance and determining performance requirements
• Making decisions about salary reviews and compensation
• Gathering evidence for a possible grievance or disciplinary hearing
• Making decisions about your continued employment or engagement
• Making arrangements for the termination of our working relationship
• Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
• Ascertaining your fitness to work
• Managing sickness absence
• Complying with health and safety obligations
• To prevent and detect fraud
• To monitor your use of our information and communication systems to ensure compliance with our IT policies
• Equal opportunities monitoring

This processing is required to enable you and us to enter into an employment or service contract and to fulfil the contractual obligations.

We also have a legal and regulatory obligation to carry out certain vetting checks prior to an employment position being offered and during the course of your employment.

To allow us to comply with a legal or regulatory obligation.

• Enrolling you in a pension arrangement
• Liaising with the trustees or managers of a pension arrangement operated by a group company, your pension provider and any other provider of employee benefits

We have a legal obligation to meet our statutory automatic enrolment duties and for any other pension administration requirements.

• Education, training and development requirements
• To conduct data analytics studies to review and better understand employee retention and attrition rates

Training will be provided to meet certain legal and regulatory obligations.

Training, development and analysis is also required to pursue our legitimate interest in developing our staff and business.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our employees).

We will use special categories of personal information in the following ways:

• We will use information relating to leaves of absence, which may include sickness absence or family related absences, to comply with employment and other laws.
• We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance.

Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest or legal obligation to do so. This may include the following types of organisations:

• IT Service Providers who provide technology platforms or other IT services.
• Banks and finance companies and insurers that process payroll, pension contributions and any other payments or deductions made before, during or after the termination of employment
• HMRC for tax purposes
• Child Support Agency, where required to do so for any investigations or Attachment of Earnings Orders
• Communication providers (e.g. telephone line providers and email and text service providers).
• Printers who print the letters and information packs which we may send to you.
• Third parties who print the letters and information packs which we may send to you.
• Benefit Scheme providers who provide our employees with benefits during the course of their employment.
• Credit Reference Agencies
• Regulators
• Police, where there may be a criminal investigation or other police matter where it may be necessary to share your personal information.

These organisations help us to provide our services to you and to assist us an employer. We will have a contract in place with any provider who directly provides us with such services to ensure that they comply with their data protection obligations and ensure that they have appropriate security measures in place.

We may also share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to our regulators such as the Financial Conduct authority or the Information Commissioner’s Office, assisting the police with any criminal investigations or other police matters, and disclosures to shareholders such as directors’ remuneration reporting requirements.

An automated decision is one which we rely on a computer or system to assess the information you provide to us to make a decision about you. This may include:

• detecting any fraudulent activity which may be taking place, or there is a risk that it could take place
• checking identity and residency statuses

You will not be subject to decisions that will have a significant impact on you based solely on automated decision making, unless we have a lawful basis for doing so and we have notified you.

When you apply for a roles with the Group, and during the course of your employment we carry out identity checks, and for some roles within the Group we also carry out credit checks. We will share your personal information with Credit Reference Agencies (CRAs) and they will give us information about you. The data we may exchange can include:

• Name, address (including previous addresses) and date of birth
• Credit applications and details of any shared credit
• Financial situation and history
• Fraud prevention information
• Public information, from sources such as the Electoral Register and Companies House

This information will be used to verify your identity and assess your suitability for the role.

For further information on how CRAs may use your personal information you can view the Credit Reference Agency Information Notice here or from the three main CRAs – TransUnion UK (formally Callcredit); Equifax; and Experian.

General

• We will check your details against the Cifas databases established for the purposes of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct (“Relevant Conduct”) carried out by their staff and potential staff. “Staff” means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term.
• The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and other Relevant Conduct and to verify your identity.
• Details of the personal information that will be processed include: name, address, date of birth, and maiden or previous name, contact details, document references, National Insurance Number, and nationality. Where relevant, other data including employment details will also be processed.
• We and Cifas may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.
• We process your personal data on the basis that we have a legitimate interest in preventing fraud and other Relevant Conduct, and to verify identity, in order to protect our business and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your engagement with us.
• Cifas will hold your personal information for up to six years if you are considered to pose a fraud or Relevant Conduct risk.

Consequences of Processing

• Should our investigations identify fraud or any other Relevant Conduct by you when applying for or during the course of your engagement with us, your new engagement may be refused or your existing engagement may be terminated or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally).

Data Transfers

• A record of any fraudulent or other Relevant Conduct by you will be retained by Cifas and may result in others refusing to employ you. If you have any questions about this, please contact us.
• Should Cifas decide to transfer your personal data outside of the European Economic Area, they will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

Your Rights

• Your personal data is protected by legal rights. Further information on your rights can be found in Section 11
• You also have the right to complain to the Information Commissioner’s Office which regulates the processing of personal data. Further information can be found in Section 14

We will only share your personal information outside the UK or the European Economic Area (EEA), where we have your consent; to comply with a legal obligation; or where we work with a business partner who provides services to us, and they process information outside of the UK or the EEA.

If we do share your information outside of the UK or the EEA, we will make sure that it is protected in the same way as if it was being used within the UK or in the EEA to ensure appropriate safeguards are in place. This may include putting in place a contract with the business partner that means they must protect the personal data to the same standards as it would within the UK or the EEA (this may include defined model clauses), or only share the data to a business partner outside the UK or in a non-EEA country where the privacy laws provide the same protection as within the UK or the EEA or where they are part of a Privacy Shield.

More information on this can be found on the European Commission Justice Website or the Information Commissioner’s website.

We take the protection of personal information very seriously, and we will maintain appropriate measures to maintain the confidentiality, integrity and availability of the information you have provided. Such measures include:

• Company security policies and standards.
• Staff security awareness.
• Role-based access controls to prevent unauthorised access to the information.
• Encryption and anonymisation technology.
• Anti-malware technologies.
• Security monitoring.
• Security testing.
• Secure archiving and deletion.
• Compliance with industry regulation and legislation.

Access to your personal information

You have the right to request from us a copy of the personal information that we may hold about you. This is often called a “Data Subject Access Request”. You can request this information by contacting us as set out below.

Before providing this information to you or to another person or company where you have requested this personal information to be sent to, we may ask for proof of identity or ask sufficient questions to enable us to locate the information and ensure that we’re only providing it where you have given your agreement.

Right to have your personal information corrected

If the personal information we hold about you is incorrect, you have the right to request that we correct this.

Right to stop or limit the processing of the information we carry out

You may request that we stop processing the information if we’re no longer entitled to process it. There may be occasions where we are unable to delete the information due to our legal or regulatory obligations. We will, however, discuss this with you if you request for your information to be deleted.

Right to object to processing

You have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

Right to request your personal information be deleted

In some circumstances you may request for us to delete or remove personal information where there is no good reason for us to continue to process it, for example, we have no legal or regulatory requirement to keep the information.

Right to transfer your personal information

In some cases, you may be able to request for your information to be provided to yourself or another party in a format that can be processed electronically by yourself or the other party. If you want to request this, you’ll need to contact us.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

If you apply for a role within the Group but were either unsuccessful or decided not to take the position, in most cases your personal information will be retained for at least six months from when the application was made, unless you agree for us to keep this information for longer.

If you become an employee, worker or contractor of the Group your personal information will be retained for at least six years, starting from the date your employment ceases. You can find more information on the retention and deletion of personal data in our Data Retention Standards which is available on the Group Intranet.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

We will record any telephone calls made to or from the Group, which may include calls you make in the course of your employment. This is for training, monitoring and quality purposes and to meet our legal and regulatory obligations. Some telephone calls may be observed by staff for training and development purposes.

We may keep a copy of the telephone calls for at least six years from the date the telephone call was made.

If you have any questions or queries about how we use your personal information you can contact us or our Data Protection Officer using the address or email below:

Data Protection Officer
Think Park
Mosley Road
Trafford Park
Manchester
M17 1FQ

Email: legal@tmg.co.uk

If you are not happy with how we process your personal information you should contact us. If you’re not happy with how we have dealt with your complaint, you have the right to make a complaint with the Information Commissioner’s Office. You can find their details on their website at https://ico.org.uk/.

Any updates to this privacy policy will be found on this page. If we make any important or significant changes to the way we may collect and use your personal information we will endeavour to notify you of this change as soon as reasonably practical.