Employee Privacy Notice

Last updated 10 December 2020

Introduction.

Orchard Therapeutics (Europe) Limited and its group of companies (“Orchard,” “we,” “us” and “our”) takes your privacy seriously. We want you to understand how we handle your personal data during and after the recruitment process.

This privacy notice explains how we do this.

We may change this privacy notice from time to time and we advise you to review this privacy notice periodically to see the latest version.

What personal information do we collect?

The personal information we may collect includes:

Identification data such as: your name, title, addresses, telephone numbers, personal email addresses; date of birth; gender; marital status and dependants; next of kin and emergency contact information; National Insurance number; bank account details; payroll records; tax status information; salary; annual leave; pension and benefits information; start date and, if different, the date of your continuous employment; leaving date and your reason for leaving; location of employment or workplace; copy of driving licence; recruitment information (including: copies of right to work documentation, references and other information included in a CV, cover letter or as part of the application process); employment records (including: job titles, work history, working hours, holidays, training records and professional memberships); compensation history; performance information; disciplinary and grievance information; CCTV footage and other information obtained through electronic means such as swipe card records; information about your use of our information and communications systems; photographs; results of HMRC employment status check.

We may also collect, store and use the following more sensitive types of personal information such as:

Information about your race or ethnicity; religious beliefs; sexual orientation; political opinions; Trade Union membership; information about your health including: any medical condition, health and sickness records, including where you leave employment and the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision; details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; any health information in relation to a claim made under the permanent health insurance scheme; where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes; genetic information and biometric data; information about criminal convictions and offences.

How do we use your personal information?

We will only use your personal information when the law allows us to:

• Where we need to perform the contract we have entered into with you;
• Where we need to comply with a legal obligation;
• Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests;
• Where we need to protect your interests (or someone else’s interests); and
• Where it is needed in the public interest or for official purposes.

Situations in which we will use your personal information.

The situations in which we will process your personal information are listed below:

• Making a decision about your recruitment or appointment;
• Determining the terms on which you work for us;
• Determining whether your engagement is deemed employment for the purposes of Chapter 10 of Part 2 of the Income Tax (Earnings and Pensions) Act 2003 (ITEPA 2003) and providing you with a status determination statement in accordance with the applicable provisions of ITEPA 2003;
• Checking you are legally entitled to work in the UK;
• Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions (NICs);
• Providing the following benefits to you;
• Inviting you to participate in any share plans operated by a group company;
• Granting awards under any share plans operated by a group company;
• Administering your participation in any share plans operated by a group company, including communicating with you about your participation and collecting any tax and NICs due on any share awards;
• Enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties;
• Liaising with the trustees or managers of a pension arrangement operated by a group company, your pension provider and any other provider of employee benefits;
• Administering the contract we have entered into with you;
• Business management and planning, including accounting and auditing;
• Conducting performance reviews, managing performance and determining performance requirements;
• Making decisions about salary reviews and compensation;
• Assessing qualifications for a particular job or task, including decisions about promotions;
• Gathering evidence for possible grievance or disciplinary hearings;
• Making decisions about your continued employment or engagement;
• Making arrangements for the termination of our working relationship;
• Education, training and development requirements;
• Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work;
• Ascertaining your fitness to work;
• Managing sickness absence;
• Complying with health and safety obligations;.
• To prevent fraud;
• To monitor your use of our information and communication systems to ensure compliance with our IT policies;
• To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
• To conduct data analytics studies to review and better understand employee retention and attrition rates; and
• Equal opportunities monitoring.

How long will we keep your personal information?

We keep your personal information for no longer than is necessary for the purpose for which the information is collected and to manage our relationship with you. Where personal information is kept, that period will be determined based on applicable local law.

Do we need your consent?

We do not need your consent if we use special categories of your personal information to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.

Sharing your personal information with third parties.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

We may share your personal information with:

• members of the Orchard group of companies; and
• certain trusted third parties, including our agents and suppliers, including those who provide us with technology services such as data analytics, hosting and technical support; our professional advisors, auditors and business partners; regulators, governments and law enforcement authorities; and other third parties in connection with re-organizing all or any part of our business.

Your personal information may be processed by Orchard, its affiliated companies and Orchard’s trusted third-party suppliers outside of your home country. Data privacy laws in the countries to which your personal information is transferred may not be equivalent to, or as protective as, the laws in your home country.

We will implement appropriate organisational and technical measures to ensure that your personal information remains protected and secure when it is transferred outside of your home country, in accordance with applicable data protection and privacy laws.

We do not sell or rent the personal information we collect from you.

Protecting your personal information.

We use a variety of security measures and technologies to help protect your personal information from unauthorised access, use, disclosure, alteration or destruction in line with applicable data protection and privacy laws. For example, when we share your personal information with external suppliers, we may put in place a written agreement which commits the suppliers to keep your information confidential, and to put in place appropriate security measures to keep your information secure.

The transmission to us of information via the internet or a mobile phone network connection may not be completely secure and any transmission is at your own risk.

Your rights regarding your personal information.

We set out below the rights that you may have in relation to personal data.

You may be entitled to:

• ask Orchard for access to the personal information Orchard holds about you;
• request the correction and/or deletion of your personal information;
• request the restriction of the processing of your personal information, or object to that processing;
• withdraw your consent to the processing of your personal information (where Orchard is processing your personal information based on your consent);
• request for the receipt or the transfer to another organization of the personal information that you have provided to Orchard; and
• complain to your local data protection authority if your privacy rights are violated, or if you have suffered as a result of unlawful processing of your personal information.

If you would like to exercise your rights, please let us know by getting in touch with us as set out in the “Contact us” section below.

What if you do not want to provide us with your personal information?

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Contact us.

If you have questions or requests regarding this privacy notice, or if you are unhappy with the way in which your personal data is managed by us or would like to exercise your rights, please contact Orchard by emailing: sar@thedpo.co.uk

You may also make a complaint to the Supervisory Authority.

The Supervisory Authority in the United Kingdom is the Information Commissioner’s Office (ICO), https://ico.org.uk/concerns/handling/, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

• Telephone +44 (0) 303 123-1113
• email casework@ico.org.uk.

Data Controller.

Orchard Therapeutics (Europe) Limited is the controller of your personal information.

Data Protection Officer.

Our Data Protection Officer is Dr Phil Griffiths, The DPO Ltd, Capital Tower, Greyfriars Road Cardiff CF10 3AZ (sar@thedpo.co.uk)