Giltbyte Limited place an extremely high priority on the protection and management of data in accordance with the UK General Data Protection Regulation (UK GDPR).  As a business we are committed to high standards of information security, privacy and transparency.  


This statement sets out what we are doing to ensure compliance with the UK General Data Protection Regulation.


What is the UK GDPR?

The UK GDPR regulates how companies collect and process personal data.  The UK GDPR has a set of guiding principles that companies are required to follow to ensure that only the personal data necessary is legitimately used for the specified purpose, and both the data and the rights of the individual are protected.


You can review details of how GDPR requires protection of personal data on the Information Commissioner's website.


What is the EASY System?

The EASY system is used by NHS Organisations to enable them to manage aspects of their business related to manpower planning and the payment of staff salaries and/or the reimbursement of business expenses. Staff may also have access to the system to enable them to complete their timesheets or expense claims.


Who is the Data Controller?

The Data Controller, in the context of the EASY system, is the NHS Organisation that employs the staff whose data is shared with Giltbyte.


Who is the Data Processor?

Giltbyte Limited is the Data Processor.  We are a limited liability company registered in England and Wales, company registration number 02518823. Our registered address is Park Farm Business Park, Norwich Road, Hethersett, Norwich NR9 3DL.


Are there any sub-processors?

Giltbyte uses trusted companies as sub-processors to assist us in supporting the EASY system and our customers. These companies have been assessed to be compliant with our Privacy Policy and any other appropriate confidentiality and security measures.


What data do we collect?


When someone registers as a user of the EASY system, the data controller supplies the information necessary for that person to use the system. This includes personal data such as the person's:

  • name
  • email address
  • home address
  • employee number
  • date of birth
  • national insurance number

Additional information may be received that on its own may not identify an individual, such as where they work or their job title.


Depending on the programs licensed to the NHS Organisation, sensitive personal data such as an individual's ethnic origin or sickness details may be included.


In accordance with the terms of use prescribed by the data controller, employees may directly provide details of the hours worked, business expenses, driving licence information, vehicles and related documents.


We automatically collect details of users' internet connection.


Why do we collect this information?

We will use the information collected to enable employees and their employer to use the licensed features and functionality of the EASY system.


The information collected will allow us to operate, maintain and support the EASY system.


The data collected will enable NHS Organisations to manage aspects of their business related to manpower planning and the payment of staff salaries and/or the reimbursement of business expenses. As such, there is a lawful basis for processing employees' personal data.


What do we do with this information?

The information is securely stored in a database and we will not share the data with any third parties.  The data is not sent outside of the UK.  Nor will we use the information to make any automated decisions that might affect individuals.


Access to the data held in the EASY system is strictly controlled, and only designated system support staff can access the data to provide services which include, but are not limited to, phone and email support; response, diagnosis and resolution services; incident tracking; and responding to customer queries.


We may use cookies or browser storage to temporarily store information on the device used to access the EASY system. This information will be used to secure the login session, remember the application state, and to cache data when the device is without an Internet connection. 


How long is the information kept for?

The information is kept for six years to enable employers to meet their obligations to Her Majesty's Revenue and Customs (HMRC) in accordance with UK regulations.