Employee privacy notice

This Privacy Notice will help you understand the following, as an employee of RSA:

  • Who are we?
  • Why do we collect and use your personal information?
  • Collecting information for recruitment purposes
  • Training, learning and performance
  • Benefits, pension, share scheme and recognition
  • Health professionals
  • Secondment arrangements
  • Security and monitoring practices
  • Where does the personal data about me come from?
  • Who can access my personal data?
  • Will my personal data be passed to other companies within the RSA Group?
  • Will my personal data be transferred outside of the UK?
  • Will personal data be processed about my family and / or other dependents?
  • How long is Personal Data retained?
  • Can I have access to my Personal Data?
  • Will you use any automated processing or profiling to make decisions about me?
  • What other rights do I have in relation to my Personal Data?
  • Contact HR
  • Changes to the privacy policy


Who are we?

We are Royal & Sun Alliance (RSA) Insurance plc and we provide employment opportunities which can be sought directly with us or through an employment agency, acting on your behalf.


Why do we collect and use your personal information?

Data protection laws require us to meet certain conditions before we are allowed to use your personal information in the manner described in this Privacy Notice.  To use your personal information, we will rely on one or more of the following grounds:

  • Performance of contract: As an employer, we process your personal information where it is necessary for the performance of the contract of employment, to take steps prior to entering into such a contract or when it is necessary for compliance with a legal obligation in the field of employment.
  • Consent: In certain circumstances, we may need your consent unless authorised by law in order to use personal information about you which is classed as "special categories of personal data".
  • Necessity to establish, exercise or defend legal claim: If you, or we, bring a legal claim (e.g. a court action) against the other, we may use your information in either establishing our position, or defending ourselves in relation to that legal claim.  
  • Compliance with a legal obligation: Where laws or regulations may require us to use your personal information in certain ways.
  • Legitimate Interests: We will also process your personal information where this processing is in our "legitimate interests". When relying on this condition, we are required to carry out a balancing test of our interests in using your personal information (for example, preparing and setting up your employee benefits) against the interests you have as a citizen and the rights you have under data protection laws.  The outcome of this balancing test will determine whether we can use your personal information in the ways described in this Privacy Notice.  We will always act reasonably and give full and proper consideration to your interests in carrying out this balancing test.


Collecting information for recruitment purposes

We need your personal information in order to contact you, evaluate your suitability for roles offered by us, provide you with employee benefits once employed with us (e.g. pensions), and send you documents following the end of your employment (e.g. P45 tax documents).

Prior to becoming employed by us, you will need to progress through our candidate screening and evaluation process. During this process we will need your name, address, telephone number and email address in order to stay in contact with you. To assess if your skills and experience meet the job requirements for the applied role, we will collect personal information about you, such as your current role title and your academic history.

To enable you to apply for roles and update your personal information, we have provided an online application portal. To use this service, we will need to collect additional information (e.g. password) and other information may be required to be uploaded to the portal, such as your CV and/or references.

As part of the final stages of candidate selection, we need to collect additional information (e.g. national insurance number, proof of address, bank account details) and on occasion special categories of personal information (e.g. criminal offences, history of illness) to perform various checks that validate the information provided to us.


Training, learning and performance

As an employer, RSA will process your personal information for the purposes of training and learning and may share this information with relevant suppliers in this field.

Your personal information will also be used for the purpose of evaluating your performance, and in doing so we will use the Horizon platform to maintain your performance records.


Benefits, pension, share scheme and recognition

We may need to collect additional information related to you and members of your family in order to provide you with certain employee benefits. This can include both personal and special categories of personal data (e.g. your health information to process your sick pay or parental leave).

This information will be processed by RSA and shared with the providers of the benefits you choose to receive such as your RSA pension, the RSA share scheme and other recognition programs.

You can contact HR at any time for more information about these benefits.  


Health professionals

Where RSA conducts medical screening or you visit occupational health, your Special Categories of Personal Data may be passed to health professionals.  However, you will be advised of this as and when it is necessary to make such a transfer.  If we require the health professional to share your Special Categories of Personal Data with us, we will seek your explicit consent at the time.


Secondment arrangements

Where RSA selects you to work for another RSA group company or an external client or supplier, we will be required to pass your personal data to that third party.  However, you will be advised of this as and when it is necessary to make such a transfer.


Security and monitoring practices

As an employer RSA may, from time to time, monitor email, telephone traffic and use of social media, if it’s in the best interests of RSA to do so, and this includes personal phone calls, emails and use of social media. We will do this only where we think it is necessary, including where required for disciplinary purposes.

Any monitoring of emails will be in accordance with the 'Acceptable Use Policy for RSA Systems & Services' page on the MyThread intranet. All employees have a responsibility to read and familiarise themselves with this policy, and it will be deemed that you have accepted that this applies to you.

CCTV, electronic building entry/exit and security pass records may also be monitored, together with flex-time records or any other evidence of attendance, including any paper records of persons entering or leaving RSA occupied premises. All such records may be used, for example, in evidence in RSA disciplinary procedures where the attendance of individuals at the workplace needs to be confirmed.


Where does the personal data about me come from?

Personal data is collected from a number of different sources. A few examples are:

  • You – personal details, financial details, contact information, CV etc.
  • Your Leader and other appropriate RSA personnel, e.g. HR, Finance etc.
  • RSA Group of Companies and their carefully selected suppliers, e.g. pensions, sharesave scheme, benefit providers
  • Previous employers
  • Medical professionals
  • Legal bodies/agencies, e.g. Her Majesty's Revenue and Customs
  • Educational/training institutions


Who can access my personal data?

Personal Data may only be accessed, within RSA, by appropriate RSA personnel, such as HR, the Finance team or your leader. Personal data may be provided to recruiting Leaders when applications are being processed.  

We make disclosures to third parties such as recruitment agencies, recruitment outsource providers, payroll suppliers, background (including education, employment, financial and address history) and criminal check providers, benefit providers, pension providers, IT providers, learning & training companies, fraud agencies, external consultants and appointed auditors and occupational health providers.

However, your personal data will only be disclosed externally with your authority or where we are legally permitted to do so, such as disclosures to our legal advisers or where the disclosure is required by law.

Some personal data is automatically exchanged between various in-house systems to maintain helpdesk facilities e.g. Property Services and Expenses.


Will my personal data be passed to other companies within the RSA Group?

Yes, in order to effectively manage and administer our working relationship with employees across the RSA Group, we will share information (including personal data) between group companies on a 'need to know' basis, and this may include sharing your personal data with functions such as compliance, HR, IT, legal, accounting and internal audit.

We may also allow other employees to access your personal data; however, this will be restricted to business contact information such as name, position, business telephone number, addresses and email addresses.

Further, as part of honouring RSA's objectives and statutory obligations, RSA carries out statistical analysis of your personal data (including Special Categories of Personal Data) to monitor the existence or absence of equality of opportunity or treatment for all of RSA's employees regardless of sex, ethnic or racial origin, religious or philosophical beliefs, sexuality or disability with a view to enabling such equality to be promoted or maintained.  The results of the diversity monitoring will be shared on a global level to ensure compliance across the group.

RSA may also share personal data (including Special Categories of personal data) with other group companies to conduct statistical analysis of matters, such as performance and retention across the RSA group.  When conducting this statistical analysis, RSA will seek to anonymise your personal data as far as possible and the results of any such analysis will be shared between the RSA group companies in statistical / aggregated form, although it may not always be possible to anonymise it completely.


Will my personal data be transferred outside of the UK?

Sometimes your personal information may be sent to other parties outside of the European Economic Area (EEA) in connection with the purposes set out above.   We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this Privacy Notice, and in doing so may rely on certain "transfer mechanisms" such as the EU-US Privacy Shield, and the standard contractual clauses approved by the European Commission.

We will impose upon RSA's own group companies and our third party suppliers legal requirements to take the appropriate technical and organisational measures to protect personal data consistent with the applicable privacy and data security laws in the UK, and to generally protect the confidentiality and security of the personal data.


Will personal data be processed about my family and / or other dependents?

Where you have provided (or will provide) to RSA personal data about your family and / or other dependents, we ask that you obtain their consent to the use (including transfer to third parties as explained above) of that personal data and, for any individuals not legally competent to give consent, you consent on their behalf (and confirm that you have the authority to do so).


How long is personal data retained?

Personal data is retained for differing periods of time, depending on the nature and content, and in some cases legislative requirements, for example, for HMRC in respect of tax issues. Again, personal data will not be retained for any longer than is necessary. For more information on data retention please refer to the Personal Data Retention Schedule or speak to your Recruiter.


Can I have access to my personal data?

Yes, you can see personal data held in your employment record. You should get in touch with HR Services for a copy. Whole files cannot be taken away or copied, although specific items can be copied for you to retain.


Will you use any automated processing or profiling to make decisions about me?

We may from time to time process your personal data in an automated way where this is necessary in relation to your employment and so that the activities to be performed by the suppliers referred to above can be properly completed.

If you do not agree with the result, you have the right to request that we perform a manual reassessment using the same information that you originally provided. If you wish to do so please contact HR Services.


What other rights do I have in relation to my personal data?

  • You can request rectification to any of your personal data held by RSA in the event that there are any inaccuracies;
  • You may also request deletion of any of your personal data held by RSA where RSA no longer needs to retain that personal data; and
  • Unless the processing is necessary for your employment relationship with RSA, you are able to object to any processing of your personal data by RSA.

If you have any concerns about the way in which your personal data is being processed by RSA please contact HR Services.


Contact HR

If you have any questions or queries in relation to this privacy policy, please contact HR Services.

Our Data Protection Officer is contactable by email at: dataprotectionofficer@uk.rsagroup.com

If you are not satisfied, you also have the right to lodge a formal complaint in relation to the collection and processing of your Personal Data to the UK Information Commissioner's Office.

Full details may be accessed on the complaints section of the ICO's website and the contact details for submission of a complaint are as follows:

Addressee: First Contact Team

Address: Information Commissioner's Office

Wycliffe House

Water Lane



E-mail: casework@ico.gsi.gov.uk

Helpline: 0303 123 1113


Changes to the privacy policy

Any changes RSA may make to this privacy policy in the future will be published on the ‘Your Best U’ HR people portal, on the MyThread intranet.