Privacy Notice
At WorkNest, we are committed to keeping your personal and business information safe, and complying with all applicable data protection legislation. This is our privacy notice for partner organisation and members of our partner organisations, in which we tell you how we use and look after your personal data. This privacy notice explains what personal information we hold about you, how we collect it, and how we use and share information about you during your employment and after it ends.
This privacy notice applies to all individual representatives of partner organisations of WorkNest and members of those partners.
We may update this privacy notice from time to time. We will communicate significant updates to our partners via email. It is the responsibility of our partners to share any information with their membership. If you would like a copy of this privacy notice in another format, email [email protected].
We last updated this privacy notice in September 2025.
We are WorkNest. We deliver first-class Employment Law, HR, and Health & Safety support, backed by hands-on consultancy and advanced technology. WorkNest helps organisations of all sizes and industries confidently manage their employment, safety, and wellbeing challenges, all accessible via our user-friendly portal, myWorkNest.
WorkNest is part of a family of specialist companies in The GRC Group, owned by Inflexion, dedicated to helping businesses thrive by providing expert support across key operational areas. As part of The GRC Group, we bring together the most gifted practitioners in people management, health, safety and wellbeing, employment law, professional training, and business technology. We are proud to offer a broader range of services to help protect and nurture organisations of every size.
WorkNest Ltd is a company registered in England and Wales with company number (CRN 04382739) and whose registered office is at 2nd Floor, 20 Grosvenor Place, London, England, SW1X 7HN.
WorkNest is the data controller of personal information we collect. WorkNest is registered with the Information Commissioner’s Office as a data controller under reference: Z2442783
WorkNest works with partner organisations to provide our services as part of our partners’ membership offerings. Where membership data is shared by partner organisations with WorkNest our partner organisations are the data controller. WorkNest is a data processor acting on the partner organisation’s instructions.
WorkNest has a dedicated Data Protection Officer. For any queries on how WorkNest collects, uses or stores your personal information, you can contact our Data Protection Officer, Bryony Hayter at [email protected]
Or you can write to:
Data Protection Officer
WorkNest
Woodhouse
Church Lane
Aldford
Chester
CH3 6JD
For any queries related to how the partner organisation processes membership data, contact the partner organisation directly.
As a data subject, under UK data protection law you have the right to:
Access: ask for copies of all information we have about you
Rectification: ask us to correct personal information you think is wrong. You also have the right to ask us to complete information you think is incomplete
Erasure: ask us to delete your personal information
Restriction of processing: ask us to limit the processing of your personal information
Objection to processing: say no to the processing of your personal information
Data portability: ask that we transfer the personal information you gave us to another organisation, or to you
Withdraw consent: if WorkNest has asked your consent to use your data for a particular reason, you have the right to take back that consent so that WorkNest cannot use your data like that in the future. However if you choose to withdraw your consent this will not change anything that WorkNest has used your data for in the past with your consent.
You can choose to use any of these rights for free by contacting us at dat[email protected], or writing to us at our address (see ‘Who we are’) with your request.
WorkNest has one calendar month to respond to you from the time we receive your request. We can extend this for up to three months, if needed. WorkNest does not have to agree to your request, but if we do not agree we have to provide an explanation.
If you are a member of a partner organisation, then WorkNest will refer all data subject requests received to the partner organisation to manage and respond.
We take information security seriously at WorkNest. We work hard to make sure that your personal information is looked after securely, and we only process data in the ways that we say we do in this privacy notice. We put in place ways to protect personal data against unauthorised access, alteration, or disclosure.
We are an ISO 27001 and Cyber Essentials certified company and we have in place a robust access control policy which limits access to your personal data to those employees, contractors and other third parties who only have a business need to know.
We have policies and procedures to handle any potential data security breaches and data subjects, third parties and any applicable regulators will be notified where we are legally required to do so. We have ensured that all colleagues have had information security and data protection training and complete refresher training on an annual basis.
Under UK data protection law we must have what is known as a legal basis for collecting and using your information. There are six legal bases, sometimes known as lawful bases:
- Consent: your permission.
- Performance of a contract: when we deliver the services you have requested.
- Legitimate interests: see the next section of our privacy notice.
- Vital interest: to save a life.
- Legal requirement: when we comply with UK law.
- Public interest: when data processing is beneficial for public good.
We collect and use the following information throughout the duration of the partnership:
Type of data | Purpose | Legal basis |
For Partners: Names and contact information (e.g. email address, telephone number) | Cultivate the relationship with prospective partner organisations. | Legitimate interest |
For Partners: Names and contact information (e.g. email address, telephone number) | Enable WorkNest to engage and support the partner as part of the partnership agreement. | Contract |
For Partners: Position, organisation, industry | Enable WorkNest to engage and support the partner as part of the partnership agreement. Provide a tailored approach and support appropriate to partner. | Contract |
For Partners: Names and contact information (e.g. email address, telephone number) | Make suggestions and recommendations to you about goods or services that may be of interest to you. | Legitimate interest |
For Members: Names and contact information (e.g. email address, telephone number) | Deliver professional services to authorised members of the partner organisation in line with the contractual agreement. | Contract |
For Members: Position, organisation, industry | Provide tailored support to the members of partner organisations. | Contract |
For Members: Names and contact information (e.g. email address, telephone number) | Make suggestions and recommendations to you about goods or services that may be of interest to you. | Legitimate interest |
For Members: date of birth, job title, job description, employment contract, grievances and disciplinaries, disability, health, ethnicity, maternity status, right to work, work pattern and shifts, legal advice provided. | Deliver employment law advice to members. | Contract |
Sometimes, we use your personal information using the legal basis of legitimate interest. This means that the reason that we are processing information is because it is beneficial to us and not harmful to you.
We can only use legitimate interest as a lawful basis if we first do a ‘legitimate interest assessment’. This assessment helps us to balance the benefits of what we want to use your personal information for with the impact it can have on you. We only approve this assessment if we are confident that what we want to do with your personal information does not cause harm to you.
We may collect this information from:
- You: via registration forms for events and services.
- Partner organisations: as part of our agreement partner organisations may share name, contact information, position and member organisation with us so that we can verify your right to access delivered services.
- Third parties or publicly available sources: we may source personal data about you from various third parties and public sources as set out below:
- Identity and contact data from publicly available sources such as Companies House, social media websites and other online publicly available information.
- Identity and contact data from publishers of business information.
We store your information in PartnerNest. PartnerNest is our digital platform providing access to marketing material which allows partners to co-brand WorkNest educative collateral across Employment Law/HR and Health & Safety (including white papers, guidance, checklists, blogs and other information) for wider member dissemination. WorkNest also uses PartnerNest to log leads and track their own pipeline to progress opportunities.
PartnerNest is provided by a third party supplier, Channelscaler. You can find more information about Channelscaler here.
Data is stored throughout the duration of the agreement with the partner organisation. Following the cessation of the agreement, all personal data (including data belonging to partner organisations and partner members) will be deleted from PartnerNest within 30 days. Where there is no agreement in place, such as when a relationship is being cultivated, we will conduct an annual review and remove your data if there has been no engagement for 2 years.
WorkNest also stores data on Salesforce, our customer relationship management system. Following the cessation of the agreement, all personal data belonging to partner organisations will be stored on Salesforce for 7 years to meet our audit and reporting obligations. Where there is no agreement in place, such as when a relationship is being cultivated, we will conduct an annual review and remove your data if there has been no engagement for 2 years.
Following the cessation of an agreement with a partner organisation, all personal data belonging to members of the partner organisation will be deleted from Salesforce within 30 days. If the member has engaged independently with WorkNest, data will be stored in line with our data retention schedule for prospects, leads and clients. If the member has received any employment law advice, we will store member data for 7 years on Salesforce.
If a partner organisation or member receives employment law advice, we will store data on our bespoke case management system, CaseNest. CaseNest is hosted on Microsoft Azure servers in the UK. Data is stored on CaseNest for 7 years following the termination of agreement.
Where we need to collect personal data by law or in order to process your instructions or perform a contract we have with you and you fail to provide that data when requested, we may not be able to carry out your instructions or perform the contract we have or are trying to enter into with you. In this case, we may have to cancel our engagement or contract you have with us, or make a decision based on the information we do have, but we will notify you if this is the case at the time.
Depending on the services provided to partner organisation and their members, we may use artificial intelligence tools to enhance client experience. For further information on our use of AI tools to provide the optimum service, please see our Artificial Intelligence Privacy Notice.
We need to share your personal information with other organisations to help us perform our day-to-day activities.
We may share your personal information with the partner organisation. We share member usage activity reports with the partner organisations so that they can understand services usage and monitor key issues experienced by their members. Activity reports do not typically contain personal data of members. If a partner organisation requests personal data to be included in usage activity reports, as data processor we will comply with this request unless we believe that the request is unlawful. The partner organisation has a responsibility as data controller to decide the lawful basis for this data sharing, and inform the member of the data sharing. For more information about activity reports contact [email protected].
In some exceptional circumstances, we may need to share your personal information without your knowledge or permission to protect you or someone else. We will share as little information as is needed, and we will share it in a responsible way.
Here are the reasons we may need to share your personal information under this circumstance:
- We are told to by law. We may need to give personal information to the police, legal advisors, professional regulators, or safeguarding agencies.
- You are at risk of serious harm, neglect, death or threat to personal safety.
- You tell us that someone else is at risk of serious harm, neglect, death or threat to personal safety.
- We believe a crime is happening or may happen if nothing is done to stop it. This includes financial fraud.
Yes. Salesforce processes and stores your information in Sweden. PartnerNest processes and stores your information in Ireland. Both Sweden and Ireland are subject to General Data Protection Regulation. When we transfer your data outside of the UK, we make sure that we have a lawful method of transferring your data, and that your personal information is safe and that the organisation that works for us is obeying UK data protection law, even if it is based outside the UK.
Some of our businesses have offices outside the UK so there is the possibility that employee data may be transferred outside the UK to colleagues working in those offices. We don’t routinely transfer staff personal data overseas but when we do any personal information transferred will only be processed on our instruction and we ensure that information security at the highest standard would be used to protect any personal information as required by the UK Data Protection laws.
We take any complaints about our collection and use of personal information very seriously. If you think that our collection or use of personal information is unfair, misleading, or inappropriate, or have any other concern about our data processing, please raise this with WorkNest in the first instance.
To make a complaint, contact the WorkNest Data Protection Officer at:
Email: [email protected]
Phone: 01244 434 588
Post:
FAO Data Protection Officer
WorkNest Ltd Woodhouse
Aldford
Chester
CH3 6JD
If the WorkNest Data Protection Officer cannot help you, or you are not happy with their response to any concerns about how WorkNest uses and looks after your data, you can contact the ICO:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO helpline number: 0303 123 1113
ICO website: ico.org.uk
Definitions
Anonymise: to change data so that it cannot be linked to an individual person.
Cookie: a small file of information – like a username or password – that are stored on your device and identify the user. Cookies are used to work out what to show you, improving your web experience.
Consent: permission, usually only valid when you have been told exactly what you are consenting to. One of the ways that processing data can be justified under data protection law.
Contractual performance: the data processing needed to carry out an agreement with an individual. One of the ways that processing data can be justified under data protection law.
Data Controller: an organisation (or person) that makes decisions about how and why data is processed.
Data minimisation: collecting the smallest amount of personal data that you need.
Data Processor(s): an organisation (or a person) that carries out the instructions of the Data Controller and processes data on behalf of the Data Controller.
Data Protection Officer: a person who is an expert in data protection and looks after the interests of the data subject.
Data subject: the individual whose personal data is being processed.
Encrypted: encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted.
Generative artificial intelligence (also generative AI or GenAI): is artificial intelligence capable of generating text, images, or other media, using generative models. Generative AI models learn the patterns and structure of their input training data and then generate new data that has similar characteristics.
Information Commissioner’s Office (ICO): the UK’s independent body set up to uphold information rights. The ICO has the power to investigate organisations which do not obey Data Protection laws.
Joint Controllers: two or more Data Controllers who together decide how and why data is processed.
Legal/lawful basis/bases: six reasons recognised by UK GDPR for processing personal information.
Legitimate interests: a strong reason (or reasons) for a Data Controller to process data for no other reason than that it is beneficial to the Data Controller if it does not have an adverse effect on the data subject. This is one of the ways that processing data can be justified under GDPR law, although whenever a Data Controller relies on it, they should have a written decision called a Legitimate Interest Assessment.
Personal information: any information about a real, living individual. For example, name, telephone number, address, health conditions, or qualifications. Information about organisations, such as annual turnover, is not personal information. Information about individuals working at organisations – for example, a business email address, or a job title – is personal information.
Privacy notice: a publicly displayed explanation of how organisations process data.
Purpose limitation: one of the principles of GDPR – personal data should only be used for the reasons it was collected.
Public interest: beneficial for the public. One of the ways that processing data can be justified under GDPR law.
Retention schedule: a table of how long organisations should store data.
UK GDPR: UK General Data Protection Regulation. This is a law designed to protect personal data stored on computers, or in an organised paper filing system. This law is the UK version of a law that is applied across many European countries.