Macmillan Publishers International Limited and Macmillan Publishers Ireland Limited
HR Privacy Notice
Who we are
This privacy notice applies to Macmillan Publishers International Limited (company number 02063302 with a registered office at Cromwell Place, Hampshire International Business Park, Lime Tree Way, Basingstoke, Hampshire, RG24 8YJ, UK) and to Macmillan Publishers Ireland Limited (company number 683345 with a registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, Ireland). When this notice refers to “the Company”, “we”, “us” or “our” it is referring to the relevant company which you are employed by or otherwise engaged by as identified in your employment contract or other type of contract you have entered into with us. This Company will be the “data controller” of your personal data which means that it is responsible for deciding how your personal data is held and used.
Purpose and scope of this notice
Personal data means information which identifies you or which could identify you. This Privacy Notice describes how we collect and use your personal data during and after your working relationship with us and we are required by the EU General Data Protection Regulation, the UK General Data Protection Regulation and the Data Protection Act 2018 (as amended from time to time) (“Data Protection Laws”) to provide you with the information contained in this notice. Please read this notice carefully to understand how we use your personal data.
This notice applies to current and former employees (both fixed term and permanent), directors, temporary casual workers, agency workers, work experience students/interns, and individual contractors, freelancers and consultants (together “staff”) and any third parties whose information you provide to us (for example emergency contact information). Where we refer to “employee” or “employment” in this Privacy Notice, we do so for convenience only and this should in no way be interpreted as purporting to confer employment status. This notice does not form part of any contract of employment, or other contract to provide services.
Personal data we collect
We collect, store, and use a range of personal data about our staff. Depending on your contractual status, this may include:
- Personal details: Your name, address, contact details (including email address, home address, telephone number and mobile number), gender, nationality and date of birth.
- Recruitment: Information provided in your CV, cover letter and during your interview, results of any tests or exercises completed as part of the recruitment process, contact details of your referees and references which they provide and correspondence with you relating to your application.
- Right to work documents: Copy of your passport or other documentation confirming your eligibility to work in the UK.
- Position and administrative data: Job title and description (or nature of the service which you are providing to us), copy of employment contract (or other type of contract you have entered into with us), employee identification number, department, reporting manager, location, work schedule (including days of work and working hours), records of business travel undertaken, professional memberships, retirement status, photographs (such as headshots or photographs taken at Company functions or events), information for employee biographies, signature (including electronic signature), pronouns (where volunteered such as on your email signature) and details of home-working set up.
- Attendance: Details of leave you have taken or have planned, including holiday, sickness absence and any other absence and reasons for the leave.
- Compensation and payroll: National insurance number, bank account details, tax information, student loan repayment status, and details of expenses claims (including nature of claims and amounts claimed). Information about your pay, including salary and bonus information, payroll records, details of additional payments (such as overtime) and for individuals not on the company payroll, hourly/daily rates, time sheets and invoices.
- Service dates: Hire date, probation period, length of service, performance and salary review dates, retirement eligibility date, termination date, reasons for termination, data collected in any exit interview and work experience feedback information.
- Performance, development and conduct information: Performance and appraisal records, details of training (including e-learning) completed or requested, details of any disciplinary or grievance procedures, whistle-blowing reports, complaints about your conduct at work or performance capability procedures in which you have been involved and related correspondence.
- Benefits information: For employees, information relating to entitlement to benefits and benefit participation (including completed benefits application forms and supporting information).
- Family and personal information: Information about your marital status (including documentation provided in the event that you change your name), emergency contact information, nominated beneficiaries for the purpose of the Company life assurance benefit, information provided about your dependents and details of any conflict of interest which you disclose to us or gifts which you register as having received in the course of your employment or engagement.
- Information collected in response to employee demographic surveys: Including your gender, pronouns, gender identity, caring responsibilities, region where you spent the majority of your childhood, information which is designed to measure social mobility as well as other information which is designed to measure how representative our workforce is of society as a whole. In the course of carrying out demographic surveys we may also collect “special categories” of personal data as explained further in the ‘Special categories of personal data’ section below.
- Company property, system and application access information: Details of company property issued to you (e.g. laptops, tablets, mobile phones), work phone numbers and email address, information required to access company systems and applications (such as network ID, passwords, security level and access rights), information about your use of Company electronic devices and systems and content produced by you using Company systems (including recordings of video calls you have attended where such recordings are made).
- Feedback and opinions: Responses to surveys and other staff feedback including complaints and whistle-blowing reports made by you (unless anonymised).
- Entitlement to drive information: For employees who are required to drive on company business, or who are entitled to a company car, copy of driving licence and other data relating to entitlement to drive (including information about licence endorsements).
- Other information collected by electronic or other means: CCTV footage, meetings attended (where recorded by room bookings software), building access records including dates and times of access to premises, desk bookings and location information and in the case of staff working in the MDL warehouse, time and attendance records, task related performance data and data relating to the dates, times and usage of warehouse equipment.
Special categories of personal data
Data Protection Laws recognise that certain categories of personal data are more sensitive, which are known as “special categories” of personal data. We may collect, store and use the following “special categories” of personal data about our staff:
- Information about your health, including details of any medical condition, illness or clinical vulnerability disclosed to us (including food allergies), sickness records (including doctor’s notes, medical certificates and return to work forms), occupational health reports, accident reports, ergonomic requirements (both at home and in the office) and records of time spent on statutory parental leave and sick leave.
- Results of drug and alcohol tests collected in accordance with Company drug and alcohol testing policies.
- Information about whether or not you have a disability for which we need to make reasonable adjustments.
- Information about unspent criminal convictions disclosed to us as part of the recruitment process or which you notify us of in the course of your role.
- Information about your race and ethnicity provided on joining the Company.
- Special categories of personal data collected in response to employee demographic surveys including information relating to race and ethnicity, disability and neurodiversity, religious and philosophical beliefs and sexual orientation.
- If you provide the Company with authenticity reader services we may need to process details relating to your ethnicity, religious or philosophical beliefs, health, gender identity or sexual orientation to decide whether to appoint you to provide those services.
Where we are provided with special categories of personal data we will treat the information with extra care and confidentiality and always in accordance with Data Protection Laws and this Privacy Notice.
How we collect your personal data and where we store it
We collect personal data about staff members through our application, recruitment and on-boarding processes and in the course of job-related activities.
We collect your personal data either directly from you or sometimes from employment agencies and we will collect reference information from your named referees. We will also collect additional personal data if you subsequently register for particular benefits and may be provided with this information from you directly or from third party benefits providers.
We store personal data in a range of different places, including in hard copy personnel files, in our human resources information system and absence management system and in other IT and business systems (including emails).
How we use your personal data
We will use the personal data we collect about you for the following purposes:
- Recruitment: Making a decision about your recruitment or appointment, determining the terms on which you work for us, carrying out reference checks, communicating with you about the recruitment process, record keeping and checking you are legally entitled to work in the UK.
- Managing our workforce: Conducting performance reviews, making decisions about salary reviews, bonus payments and promotions, assessing capability and qualifications for particular tasks, assessing productivity, allocating resources, analysing and planning the use of office spaces, succession planning and planning training, career development activities and monitoring and improving equality of opportunity and treatment within our workforce.
- Staff relations: Operating, gathering evidence for and keeping a record of disciplinary and grievance processes, dealing with complaints, legal disputes, or breaches of our Code of Conduct involving you or other staff members, making decisions about your employment or continued employment, complying with health and safety obligations, providing references on request, performing staff surveys and evaluating and improving staff satisfaction.
- Payments and benefits: Paying you and, if you are an employee, deducting tax and National Insurance contributions, providing benefits to which you are entitled, making business travel arrangements, managing expenses claims and benchmarking.
- Business operations: Business administration, management and planning, (including accounting and auditing), product and service development, operating and managing our IT and communications systems, maintaining an historic archive about our backlist and publishing history and for the purpose of any potential sale, transfer or merger of our business or assets.
- Compliance: Complying with legal and other regulatory requirements, to carry out sanctions screening, to facilitate anonymous whistle-blowing, to enforce our legal rights and processing any claims, to mitigate conflicts of interest and to ensure network and information security.
- Emergencies, disasters, pandemics and other unforeseen events: Facilitating communication with you directly or with your nominated contacts and facilitating the response to and contingency planning for an emergency, pandemic, disaster or unforeseen event affecting the country, the Company or Company premises.
Where we collect special categories of personal data we use these in the following ways:
- We use information relating to absence, which may include sickness absence, to monitor and manage absences, administer sick pay, determine your fitness to work and comply with employment, health & safety and other laws.
- We may use information about your physical or mental health or disability to administer benefits, assess your fitness to work, provide appropriate workplace adjustments and comply with health and safety legislation.
- We use demographic information including information about race and ethnicity, disability and neurodiversity, religious and philosophical beliefs and sexual orientation to monitor and improve equality of opportunity and treatment within our workforce.
- We use information about unspent criminal convictions disclosed to us to assess your suitability for employment or continued employment and in order to comply with legal requirements and obligations to third parties.
- We use the results of drug and alcohol tests where necessary to confirm reasonable suspicions that an individual is under the influence of alcohol or drugs in the workplace and in the case of staff working in the MDL warehouse we will use the results of randomised drug and alcohol testing to ensure health and safety.
- In the context of a pandemic we may use information about symptoms, confirmed cases and, where relevant, test results to respond to the pandemic, ensure a safe working environment for staff and in the interests of public health.
- In the case of authenticity readers, we use special categories of personal data to decide whether to appoint you to provide authenticity reader services. For example, if the services involve you providing commentary on whether a book provides an authentic portrayal of a character from a particular ethnic group we must ensure that you have personal experience of the issues relevant to that ethnic group and we will share your data with relevant staff members for the purpose of making that assessment. We will only process special categories of personal data for these purposes on the basis of your consent which can be withdrawn at any time, although if you withdraw your consent you will no longer be able to provide authenticity reader services to the Company.
- We may also use special categories of personal data where required to comply with legal and other regulatory requirements (including but not limited to equality legislation), to facilitate anonymous whistle-blowing, to enforce our legal rights and process any claims as well as to mitigate conflicts of interest.
Legal grounds for using your personal data
When we collect and use your personal data we only do so in accordance with the legal grounds available to us under Data Protection Laws. The legal grounds for which we process your personal data are set out below (although sometimes more than one legal reason applies to the processing of the same piece of personal data):
- Performance of contract: A large amount of the personal data which we process about our staff is processed because this is necessary for us to perform your contract of employment or other type of contract we have entered into with you. For example, we need to process your data to pay you in accordance with your contract, evaluate your performance and to administer certain benefit entitlements to you.
- Compliance with a legal obligation: We also process your personal data where this is necessary for compliance with a legal obligation which we are subject to, for example if we are ordered by a court or regulatory authority to disclose your personal data or where we need to collect your personal data to comply with health and safety legislation, such as in the context of recording accidents and carrying out drug testing and collecting information from you in response to pandemics. For employees we will also process your personal data to comply with a legal obligation when we process your data to check your entitlement to work in the UK, to carry out gender pay gap reporting, to deduct taxes and to enable you to take periods of leave to which you are entitled.
- Legitimate interests: We also process personal data where this is necessary in our legitimate interests or the legitimate interests of a third party. This broadly means that we can use your personal data if we have a genuine legitimate reason and we are not harming your rights and interests in doing so. Some examples of the legitimate interests we rely on when processing staff personal data include: ensuring efficient staff administration; ensuring network and information security and the security of our premises; evaluating and improving staff satisfaction, incentivising staff and encouraging productivity, ensuring that we are able to operate our business with integrity, monitoring and improving equality of opportunity and treatment within our workforce and contributing to public health efforts in the event of a pandemic. Whenever we process your personal data based on our “legitimate interests” we make sure that we take into account your rights and interests and will not process your personal data if we feel that there is an imbalance between your rights and interests and ours.
Where we collect “special categories” of more sensitive personal data from staff, we do so only where necessary for the purpose of carrying out our obligations and exercising our rights under employment law, for the assessment of your working capacity or where it is necessary in the public interest. Less commonly, we may use this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests).
Do we need your consent?
Processing your data in connection with your employment or engagement is not generally conditional on your consent, although in limited cases, where we consider it appropriate, we may approach you for your written consent to a specific data processing activity, such as in the case of the provision of authenticity reader services referenced above. Where this is the case, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
What if you do not provide personal data that we request
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our staff).
Sharing your personal data
Sharing within the Company
Your information will be shared internally within the Company including with members of the HR team, your line manager and with other managers where appropriate. Other nominated staff members may have access to specific items of data if it is necessary for the performance of their roles. For example, in the finance team some staff have access to your bank information and details of your expenses claims in order to pay expenses to your bank account; in the IT team staff will have access to information regarding your name, job title, start and end dates for network security, systems access and email account management; and in the facilities team staff will have access to your data for administrative purposes such as for the purpose of organising taxis and couriers and completing and storing accident reports.
If you suffer from a condition which may require first aid assistance at work, first aiders may be provided with details of your condition where this is appropriate and in the interests of your health and safety at work, although any such disclosures will be treated confidentially.
Sharing outside of the Company
We may share your personal data with third parties where required by law, where it is necessary to administer our working relationship with you or where we have another legitimate interest in doing so. It is likely that the exact identity of the third parties with whom we share your personal data will change during your working relationship with us. Depending on that relationship, it is anticipated that your personal data will be disclosed to the following categories of third parties:
- Third parties who provide data processing and IT services to us including, data back-up, security and storage providers, email and text communication service providers and cloud-based software providers.
- Other companies which are related to us through common ownership who provide HR administration services, IT services, automated assistance tools, legal and compliance services and which undertake group level reporting.
- Other third party service providers which assist in staff administration activities such as our payroll provider, expenses management provider, training and e-learning providers, travel providers, providers of occupational health services, providers of drug and alcohol testing services, providers of disaster recovery services, survey and benchmarking service providers, trade bodies and associations and insurance brokers.
- Benefits providers, including pension providers and providers of private medical, income and life insurance.
- HMRC for the purpose of tax administration.
- Mortgage providers and rental companies to facilitate your mortgage or rental application, although we will only share your information with these companies with your permission.
- Third parties with whom we may choose to sell, transfer or merge parts of our business or our assets.
- Professional advisors such as external lawyers, external auditors, insurance or tax consultants and claims handlers.
- Any other third parties (including regulatory authorities, the police, courts and government agencies) where necessary to enable us to enforce or protect our legal rights, or where such disclosure may be permitted or required by law.
- In the context of pandemics and in the interests of public health, where requested we may share names and contact details of staff members with the NHS Test and Trace service and other public health authorities and will use building access and HR records for this purpose.
Transfers of personal data outside of the UK and the EEA
We are part of a global publishing group and we also use third party service providers located in other countries to help us run our business. As a result of this if you are located within the UK we may transfer your personal data outside of the UK and if you are located within the European Economic Area (the European Economic Area being the European Union and Iceland, Liechtenstein and Norway, which is also referred to as the “EEA”) then we may transfer your personal data outside of the EEA for the purposes described above.
Countries outside of the UK and the EEA may not have data protection laws that provide the same level of protection as those within the UK and the EEA and so whenever we transfer your personal data outside the UK or the EEA, we take steps to ensure that all personal data is protected with adequate safeguards.
In particular, personal data held on the Company human resources information system is stored on servers hosted in the United States. The Company has ensured that this data is protected using approved standard contractual clauses.
You can obtain further information concerning the safeguards which the Company uses when transferring personal data outside of the UK and the EEA by contacting us using the details provided below.
How we keep your personal data safe
We take looking after staff personal data very seriously. We have implemented appropriate physical, technical and organisational measures to protect the personal data we have under our control, both on and off-line, to protect it from improper access, use, disclosure, alteration, destruction and loss.
Manual personal data, such as hard copy personnel files, is stored in locked filing cabinets. Personal data held on Company IT systems is stored confidentially by means of password protection and network security measures and the Company has a network of back-up procedures to ensure that data on computers cannot be accidentally lost or destroyed.
We have also put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long we hold your personal data
We will retain your personal data for as long as is necessary for each purpose which we use it for. We take a number of factors into account when determining the appropriate retention period for staff personal data, including the nature of the data, the business purposes for which it was collected, any legal or contractual obligations which require us to retain it and whether retention is necessary for the purpose of exercising or defending our legal rights.
For employees and temporary casual workers, we will normally keep your personnel file throughout the time that you work for us and for six years after you leave the Company, after which time it will be destroyed unless there is a good reason to keep it (or any part of it) for longer.
For individual freelancers, contractors and consultants we will generally keep your contract of engagement for six years following the end of your engagement.
We operate a Personal Data Retention and Disposal Policy which includes detailed information about the length of time for which we keep different categories of staff records. If you would like details of the retention periods for specific aspects of your personal data, please consult this policy which is available on the Company intranet or request a copy from your local HR team.
Staff monitoring
The Company carries out monitoring of staff use of the Company’s electronic devices and systems, as further described in the Electronic Devices and Systems Policy. Please refer to the Electronic Devices and Systems Policy which is available on the Company intranet or from your local HR team for further details about this monitoring and information about the specific purposes for which it is undertaken.
Automated decision making
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means; however, we will notify you if this position changes.
Your obligations
It is important that the personal data we hold about you is accurate and current. If your personal information changes, please inform your Line Manager or the HR department so Company records can be updated.
You should also inform any third parties whose data you provide to us in connection with your employment or engagement (such as emergency contacts) about the content of this notice and provide them with a copy of this notice.
Your legal rights
You have various rights in law in respect of the personal data we hold about you which are set out in more detail below:
- Access: You have the right to request confirmation that we are holding your personal data and to access a copy of the personal data that we hold about you. This is commonly known as a “data subject access request” and enables you to check that we are handling your personal data lawfully.
- Correction: You can ask us to change or complete any inaccurate or incomplete personal data held about you.
- Erasure: You can ask us to delete or remove your personal data where it is no longer necessary for us to use it, or where we have no lawful reason for keeping it.
- Objection: You can object to our processing of your personal data where we are relying on a legitimate interest if there is something about your particular situation which makes you believe it impacts on your fundamental rights and freedoms.
- Transfer: You can ask us to provide the personal data which you have given to us in a structured, commonly used, electronic form, so it can be easily transferred.
- Restriction: You can ask us to suspend the processing of your personal data, for example if you want to establish its accuracy or where you have objected to our use of it.
If you wish to exercise any of your rights, please make a request in writing using the contact details provided below.
Please note that these rights may not be exercised in certain circumstances, and certain types of personal data may be exempt from such requests. If this is the case you will be notified of this at the time of your request.
If you make a request we may require specific information from you to help us confirm your identity. This is to ensure that personal data is not disclosed to anyone who does not have the right to receive it.
Complaints
We hope that you won’t ever need to, but if you would like to complain about our use of your personal data, please contact us using the contact details set out below. We will look into and respond to any complaints we receive.
You also have the right to lodge a complaint with the competent data protection authority. If you are located in the UK the competent data protection authority is the Information Commissioner's Office (“ICO”). For further information on your rights and how to complain to the ICO, please refer to the ICO website (https://ico.org.uk/).
How to contact us
For further information about our privacy practices, to request to exercise any of your privacy rights described in this Privacy Notice or to make a complaint please use the postal address below or email your local HR team:
Macmillan Publishers International Limited
Cromwell Place, Hampshire International Business Park,
Lime Tree Way, Basingstoke, Hampshire, RG24 8YJ
FAO: The HR Department
Updates to this privacy notice
We may make changes to this Privacy Notice from time to time. We will post any changes on the Company intranet, or notify you of any material changes directly. We may also notify you in other ways from time to time about the processing of your personal data.
This Privacy Notice was last updated in January 2025. (Version 4)