Banner Training Image

Data Privacy Policy

This practice generally applies to data when it is collected, used, stored, accessed, transferred, or disclosed. mselect recognises a high level responsibility to guard its candidates' and employees’ privacy by treating such data confidentially and using it only for legitimate business purposes.  In addition, when a limited number of local legal restrictions exist on a company’s use and disclosure of personal information, mselect makes a special effort to go beyond legal requirements and rather fit with international standards and both encourage confidentiality protections and act to specifically protect data to the highest level possible. 

In addition, the privacy of personal data is a significant issue in the international arena, where the approach to data privacy frequently differs from the approach taken in the region. mselect recognises its role and unique responsibility working with international companies and persons of various international backgrounds and privacy practices. 

mselect as a staffing and training agency further recognises the unique nature of human resources data, as to the manner of collection, the reasons underlying collection, the nature of the data collected, the use to which it is put, and the reasons for that use.  More fundamentally, there are significant company-employee relationships as well as company-client company-employee relationship with unique business needs. In this context, it is important to recognise that both Company and Client company will have a number of legitimate business reasons for collecting, using, storing, transferring, and sometimes disclosing personal data regarding its employees.

This policy, its principles and procedures on putting the policy into practices serve as a guide on managing and protecting personal data in the context of legitimate business needs.   

PREAMBLE

mselect (hereinafter referred to as mselect or the Company) recognises and supports the need for reasonable protections regarding the privacy of personal “human resources” data collected by the Company through the employment relationship.  For this reason, the Company has developed and adopted these general guiding Principles. 

All company employees should help to ensure that the personal information the company holds about them is accurate and up to date.  In addition, all company employees whose responsibilities include the collection, processing or storage of personal data are expected to assist in the protection of that data by adherence to all Principles of this Data Privacy Policy.

In following these Principles, the company complies with the applicable laws and regulations protecting the privacy of personal data in the employment relationship in the jurisdictions in which the company operates.

There is currently limited provision in law relating to data protection in Iraq. The Constitution of Iraq passed in October 2005 (the Constitution) addresses personal privacy. Article 17 (1) of the Iraq Constitution states that: “Each individual has the right to personal privacy, as long as it does not infringe on the rights of others or public decency.” There is little available guidance on this constitutional provision. The right to privacy was not defined by legislation prior to the enactment of the Constitution and has not yet been defined in legislation since its enactment. While limited local legislation and guidance exists, mselect recognises the need to follow to the extent possible international standards on data privacy protection.

SCOPE:  The Principles expressed in this policy apply to all personal data about employees and applicants that is collected, maintained or used by mselect as part of an actual or prospective employment relationship.

These Principles apply to all geographical physical locations of mselect as well as to all its works and communications.

Nothing in these Principles is intended to form a contract of employment or otherwise.  The Company may amend these Principles from time to time, should it become necessary to do so.

Personal data collected, maintained or used outside of the employment relationship, such as personal data arising from consumer marketing, is not covered by these Principles.

PRINCIPLES

COLLECTION AND USE 

mselect collects and uses personal data in a reasonable and lawful manner.  The company collects and uses personal data for relevant and appropriate purposes.

NOTICE

mselect informs individuals about whom the company collects personal data of (1) the type of data the company collects, (2) the purposes for which the company collects and discloses personal data, (3) the circumstances under which the company discloses personal data, including the types of potential recipients (4) that the company employs privacy and information safeguards; and (5) the circumstances under which individuals may access and correct their personal data.

TRANSPARENCY

mselect informs employees and others about our privacy principles, policies and procedures.

CONSENT

mselect collects personal data for employment-related business purposes.  Where consent of the employee or a representative of employees for the collection, use, or disclosure of personal data is required by law or contract, the company will comply with the law or contract. In the event that an individual expresses a concern about the collection, use or disclosure of personal data, the company will respond to the employee’s concern consistent with applicable law.

ACCESS AND CORRECTION

Where the company maintains personal data in a structured filing system or database, it provides employees with reasonable opportunity to examine that information that pertains to them and add to or correct the data as appropriate, subject to certain exceptions where access would not be appropriate.

DISCLOSURE

mselect places substantial importance on protecting the confidentiality of personal data and seeks the cooperation of all employees in furthering this goal.

Internal Disclosure:  To the extent feasible, the company restricts access to personal data to those employees, agents, or contractors of the company, its affiliates, or subsidiaries who have a legitimate business need for such access.

External Disclosure:  Disclosure of personal data beyond the employees, agents, or contractors of the company, its affiliates, or subsidiaries may be made pursuant to a labor agreement, for a sound business reason, as required by law or legal process, for another lawful purpose, e.g., cooperation with local law enforcement authorities; to protect the interests of the company’s employees, or, in the absence of any of the above, only with the authorisation of the individual involved.

The company requires agents and contractors to whom the company discloses personal data for servicing to commit to protecting the privacy and security of the data and to refrain from any uses or further disclosures or not authorised by mselect. 

The company will not disclose personal data to unaffiliated third parties for consumer marketing purposes without the employee’s written consent.

An employee’s own request for the onward transfer of data (e.g., confirmation of employment) must be made in writing (or according to other company procedures, such as a verifiable electronic request).

Aggregation:  Where appropriate under the circumstances, mselect will anonymise or aggregate data to eliminate individual identifiers.

ACCURACY

The company employs reasonable means to keep personal data accurate, complete and up-to-date, and all employees have a responsibility to assist the company in keeping the information the company maintains about them accurate, complete and current.

RETENTION

Personal data is kept in active files or systems only as long as needed to meet the purposes for which it was collected or as required by contractual agreement, by law or regulation, or, where applicable, for the appropriate statute of limitations period. The limitation period on data collected for human resources files from employees is 7 years.

SECURITY

mselect uses appropriate administrative, technical, personnel and physical measures to safeguard personal data against loss, theft, and unauthorised uses or modifications.

The company may assign different types of data different security levels, with appropriate corresponding security precautions.

COMPLIANCE

mselect maintains an active program to ensure compliance with these Principles, as well as with applicable law or contractual agreements on handling of personal data. A senior official of the company is responsible for implementing and overseeing the administration of these Principles.

All MSELECT employees whose responsibilities include the collection, processing or storage of personal data are required to adhere to these Principles and implementing policy.  Failure to do so may be grounds for discipline up to and including termination.

COMPLAINT RESOLUTION

Any employee who has a concern about the collection, use or disclosure of the individual’s personal data is encouraged to use the HR mechanism for reporting complaints to MSELECT.


Procedures

All personal data relating to mselect Personnel data shall be:

  1. obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the employee concerned;

  2. processed within the strict terms of the law and best practice principles;

  3. relevant for the purposes for which it is to be used;

  4. accurate, complete and up to date;

  5. kept for no longer that is necessary for its declared purpose;

  6. held in the full knowledge of the individual employee;

  7. protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data;

Principal Purposes of Holding Data on Personnel Files

The principal purposes for holding data relating to Personnel on personnel files include but are not limited to:

  1. recruitment, promotion, training, redeployment and/or career development;

  2. the calculation of payroll data and the transfer of such data for use by Finance staff and independent auditors (including but not limited to details of bank/building society wage transfers and the payment of authorised expenses);

  3. the determination and calculation of certain benefits;

  4. for contacting next of kin and arranging medical attention in connection with death, illness or injury of an employee whilst at work;

  5. compliance with statutory requests from the relevant public authorities/ agencies;

  6. disciplinary purposes arising from an employee's conduct or capability to perform their job requirements;

  7. for occupational health and sickness monitoring purposes;

  8. the provision of references/reports to financial institutions, qualified legal representatives, appropriate bodies in connection with the holding of public office, facilitate entry onto educational courses, permit participation on reserve military/civil protection services, assist qualified medical practitioners and potential future employers.

In all those cases cited in point (h) above, the relevant information will only be disclosed following a written request from the employee/former employee concerned instructing the Data Controller, and giving consent to the Data Controller to make such disclosure.

Storage of Personnel Data

Storage of Personnel Data is inside the mselect Office, Human Resources Department in locked filing cabinets. The HR Department restricts access to its office(s) to internal staff members. 

MSELECT may place all or part of its files onto a secure computer network and with restricted access to personnel data.

Restriction of Access to Personnel Data

Access to individual employee data will only be granted to the following data users within the company for specific and legitimate purposes:

  1. Staff employed in the Human Resources Department;

  2. A member of staff’s Head of Department/Executive Dean/line manager;

  3. Staff employed in the payroll section of the Finance Department;

  4. Corporate medical staff;

  5. Staff Development staff;

Access to Personnel Files by Employees

All employees shall have reasonable access to their own personnel files together with any medical reports and health records held by MSELECT, where they have requested this. No charge shall be made to the employee for the provision of this information. Employees who wish to gain access to these reports/records should write to the Head of Human Resources requesting this. 

The provision of personnel data relating to an individual employee shall be satisfied within 7 working days from receipt of a written request from that employee.

All manual files must be examined under supervision within the Human Resources Department and this will be arranged by the Head of Human Resources or a senior member of Human Resources staff.  Appropriate clarification/guidance concerning the files will be given, on request, by specialist personnel staff. No record may be altered or removed without the express permission of the Head of Human Resources.

The data supplied will, whenever practicable, relate to the date when the request was first received.

Employees have the right to make any reasonable request for the amendment of their own personnel records provided that:

  1. they can readily demonstrate the existence of an identifiable error, necessary update, relevant omission, superfluous fact, or

  2. it is unlawful to maintain such a record.

Retention

Application forms, interview records and references for unsuccessful internal and external candidates should be kept for a period of twelve months following the interview.  Retention beyond this period would require demonstration of a clear business need by the Company and consent obtained from the individual.  This applies to all manual files including any notes taken by anyone at interviews as well as computerised files.  Care should be taken by anyone at an interview panel as all their notes/scribbles become part of the file and must be produced within forty days of a written request being received by the Head of Human Resources.

All employee data other than the name, job title, department and period of employment with MSELECT should be deleted seven years after employment has ended.  Data relating to disciplinary and grievance records of current employees are removed from personal files and deleted three years from the date issued.  Where disciplinary or grievance cases have involved concerns of sufficient severity or gravity data will be deleted five years from the date issued.

Once an employee has left mselect any data relating to them within their department or division should be sent to Human Resources.