top of page



  1. This Data Protection Policy sets out Husshed obligations when it processes personal data. It also sets out what Husshed employees and contractors must do when they handle Husshed personal data.


  1. Personal data is any information about an identifiable living individual. You may see documents which talk about “data subjects”: this is what data protection law calls individuals. An individual is identifiable where:

  2. Husshed holds clear direct identifiers – such as, name or full postal address; and/or

  3. It is reasonably likely that Husshed can identify the individual by other reasonable means. For example, an employee ID number where HR can link this to employee name, or customer reference number, where customer support can link this to name or address.

  4. Online identifiers – such as cookie IDs and device IDs – are also covered by the law, as are, decisions made about individuals and subjective opinions held about people.

  5. Sensitive personal data is any information about health, used to uniquely identify a person.

  6. We may collect personal data in a variety of ways, such as: from recruitment agents, correspondence with employees, with customers or other practicing professionals.


Processing is any use that Husshed makes of personal data. This includes obtaining or creating personal data, amending it, storing it, sharing it, or even accessing, anonymising or deleting it.


Husshed complies with the General Data Protection Regulation (“GDPR”) and  Customer Data Right Act from the ACCC laws such as the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 in Australia. Husshed obligations under these laws are set out in this Policy.


All employees and, where applicable, contractors of Husshed comply with this Data Protection Policy and any additional policies which Husshed introduces. Failure to comply with this Policy may result in disciplinary action. The Annexes to this Policy contain supplemental notes.


Husshed follows these data protection principles when processing personal data:


Lawfulness, Fairness and Transparency

  1. Husshed always processes personal data fairly – in line with individual’s reasonable expectations – and lawfully.

  2. Informing individuals how Husshed will use their personal data

  3. Individuals understand how their personal data will be collected and used. When developing a new product or activity that will involve personal data, Husshed considers how individuals will be informed.

  4. When Husshed collects personal data directly from individuals, it provides notice at the time of such collection.

  5. When Husshed collects personal data from another source, it provides notice within a reasonable period, but no later than a month, after the data was obtained by Husshed. If Husshed intends to communicate with the individual, or disclose the data to a third party, then the information is provided no later than that communication or disclosure.

  6. The privacy notice contains the information listed in Annex 1.

  7. Husshed ensures that privacy notices are: concise, intelligible, use clear and plain language, which is suitable for the audience; easily accessible; and provided in writing (which can include electronic means), unless the individual asks for the information to be provided orally.

  8. If the purposes for processing personal data change, Husshed provides a further privacy notice before the new processing takes place – please contact us at if you think that a purpose for which you process personal data is not already covered by the applicable privacy notice.

Lawful justification for processing

  1. Husshed only processes personal data where it can meet one of the grounds for processing in the legislation. These include:

    1. The individual has given consent to the processing;

    2. The processing is necessary to perform a contract with the individual, or to take steps at the request of the individual before entering into a contract;

    3. The processing is necessary for compliance with a legal obligation to which Husshed is subject; or

    4. The processing is necessary for Husshed legitimate interests or those of a third party, unless the interests of the individual override those interests.

  2. The Annexes have guidance on the relevant grounds for each Husshed business area.

  3. Husshed only processes sensitive personal data if it can satisfy one of the additional sensitive data grounds. Suitable grounds for each Husshed business area are listed in the Annexes.


Purpose Limitation


  1. Husshed only processes personal data for purposes which are legitimate and which Husshed has told the individual about, as part of the Transparency principle and in the Record of Processing.

  2. Husshed does not process personal data for any incompatible purpose.


Data Minimisation and Accuracy


  1. Husshed makes sure that personal data is adequate and relevant for the purposes for which it is processed and limited to what is necessary for the purpose of processing. It does not collect more personal data than needed just because it may turn out to be useful later.

  2. It also makes sure that personal data is accurate and, where necessary, kept up to date; and takes all reasonable steps to correct or delete inaccurate personal data.


Storage Limitation


  1. Husshed determines for how long it needs to process personal data for a particular purpose and only keep personal data for this period. At the end of this period, Husshed erases the personal data, or ensures that the data doesn’t allow individuals to be identified. Generally, Husshed maintains the personal data it collects based on the NHS Records Management Code of Practice, whilst keeping in consideration other obligations set out in the HCPC Standards of Proficiency.


Integrity and Confidentiality


  1. Husshed keeps all the personal data it processes secure, and protected against ‘unauthorised or unlawful processing and accidental loss, destruction or damage’. It does this by implementing various security measures such as encryption and data anonymisation; and also implementing the measures which it imposes on its data processors.

  2. Husshed also implements a data breach response programme so that it can log, remediate and report any data breaches as required by law.




  1. Privacy by Design and Default: Husshed can demonstrate its compliance with this Policy and with applicable data protection law. Husshed ensures that privacy issues have been considered from an early stage in implementing services and procedures (privacy by design), and that, by default, only the minimum amount of personal data necessary is being processed (privacy by default). Husshed has drafted a New Project Checklist and guidance to ensure that these requirements are considered at the outset of any new project or initiative.

  2. Data Protection Impact Assessment: In certain cases – high risk processing – Husshed may be required to carry out a data protection impact assessment (DPIA). A DPIA is a check conducted on a specific area of an organisation’s operations to identify and minimise non-compliance risks. The New Project Checklist and guidance also considers DPIAs.

  3. Record of Processing: Husshed keeps a formal record of its processing activities.


Husshed deals promptly with requests from individuals to exercise their data protection rights. If you receive a request from an individual please forward it to

Individuals have the following rights:

  1. Access: to obtain (i) confirmation whether Husshed processes their personal data; (ii) a copy of the personal data (in a commonly-used electronic form, if the request is made electronically); and (iii) provision of supporting explanatory information.

  2. Portability: to request that their personal data is “ported” (i.e. transferred) to a specified third party, or to the individual him or herself, in a machine-readable and structured format (e.g. CSV files). There are exemptions – for example, this only applies to personal data which has been provided by the individual or collected automatically from the individual, which is held in digital format, and which Husshed processes with the individual’s consent or to fulfil a contract with that individual.

  3. Rectification: to request correction of inaccurate personal data.

  4. Objection: to object to: (i) processing for direct marketing purposes; (ii) profiling based on direct marketing; and/or (iii) processing based on Husshed legitimate interests.

  5. Erasure (a.k.a. the “right to be forgotten”): to request that personal data is erased in certain situations, for example, where: (i) the processing is based on consent and the consent is later withdrawn; or (ii) the individual has validly exercised a right to object and wishes the data to be erased.

  6. Restriction: to request that personal data is “restricted” (i.e. block/pause) whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.

Individuals also have rights not to be subject to decisions taken solely on the basis of automated processing of personal data of an individual (i.e. no human involvement in the decision) which produce legal effects, or have similarly significant effects, unless taking such decisions is permitted by law. There are limited exceptions to this. Husshed does not use automated individual decision-making technology. All processing activities take place with meaningful human involvement.


  1. Data processors are other organisations which process personal data on behalf of a controller. Husshed may appoint processors to help it process personal data (e.g. a payroll provider, recruiters, other practitioners).

  2. When appointing any data processor to collect, store or use personal data on Husshed behalf, Husshed:

    • Before Engagement: Ensures that the data processor provides satisfactory assurances about their data protection practices.

    • On Engagement: Signs the data processor up to specified data processing terms; and

    • Post Engagement: Confirms on an appropriate periodic basis that the assurances provided before engagement about their data protection practices remain valid.

  3. Where Husshed transfers personal data to data processors or data controllers which are based outside the EEA (which includes data processors accessing the personal data from outside the EEA e.g. in order to provide IT support services), a data transfer mechanism is put in place unless that country has been deemed adequate by the European Commission.



Husshed provides training on this Policy and Husshed other data protection-related policies, procedures and obligations to all employees and contractors when they join Husshed, and then on an annual basis.


Husshed audits compliance with this Policy and other data protection-related policies; and will implement appropriate corrective actions to rectify any non-compliance. If you think that this Policy is not being complied with in any way at Husshed, please bring this to the attention of our Data Protection Officer, Personal Data Guard (PDG) at


PDG is responsible for communicating changes to this Policy and will also provide a brief explanation of the reasons for any notified changes to this Policy.


Husshed will publish this Policy and any other amendments to it.

EFFECTIVE DATE: 14/05/22, latest review 3/10/2022

Contact: You can raise any questions or concerns in relation to this Policy by contacting: You should also contact PDG if you think you need an exception to a rule in this Policy.


Information which must be provided to individuals when collecting their personal data directly from them:

  1. The identity and the contact details of Husshed and of Husshed DPO;

  2. The purposes and the legal basis for the processing;

  3. The legitimate interests of Husshed, where applicable;

  4. The recipients or categories of recipients of the personal data;

  5. Any international data transfers, including the location of any recipients and the methods used to ensure the adequate protection of those transfers (and how to obtain details of those methods);

  6. Data retention periods;

  7. Their rights under data protection rules;

  8. The process available to individuals to withdraw any consent;

  9. Whether the individual is obliged to provide the personal data and the possible consequences of failure to provide such data; and

  10. The existence of automated decision-making, including profiling, and the logic involved.


  1. Information which must be provided to individuals when collecting their personal data another source:

    1. All of the information stated in paragraph 1 of this Annex 1 above;

    2. The categories of personal data obtained from the third party; and

    3. The sources of the personal data – information must be as precise as possible (e.g. identify whether this source is a private or public source; and the type of organisation/industry/sector).




1. Grounds for processing personal data

Husshed HR can collect and process personal data where it is necessary for the following purposes:







2. Transparency

Husshed has prepared privacy notices for applicants and employees.

bottom of page