What we do with information about you
This privacy notice explains what we do with information in relation to employees who are on a formal contract with the organisation, including substantive staff members, volunteers, bank workers etc.
This privacy notice explains what we do with your personal information. It tells you:
- the information we collect about you
- how we store this information
- how long we retain it
- who we may share it with
- for which legal purpose we may share it
“Personal data” means information relating to a natural (living) person or “data subject”, which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:
- identification number
- social media posts
- location data
- online identifier
Special category of personal data
“Special category of personal data” means information which is thought to be “extra sensitive” such as ethnicity, sexual orientation and religion.
“Data controller” means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.
“Processing” means anything that is done to the personal data we hold.
“Pseudonymisation” is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.
Why we collect information about you
The Trust collects, stores and processes personal information about prospective, current and former staff, members, contractors and volunteers to ensure compliance with legal or industry requirements.
Legal Basis for Processing
As your employer, the Trust needs to keep and process information about you for employment purposes.
The information we hold and process will be used for our management and administrative use only.
We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately:
- during the recruitment process
- while you are working for us
- at the time when your employment ends
- after you have left
This includes using information to enable us to:
- comply with the employment contract
- comply with any legal requirements
- pursue the legitimate interests of the Trust
- protect our legal position in the event of legal proceedings
If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
The Trust does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above.
For further information on this legislation please visit the Government’s UK legislation website.
What personal information we collect about you and how we obtain it
Personal information about you will largely be collected directly from you during your recruitment and employment. Personal information may also be collected from healthcare professionals in certain circumstances, through national checks such as the Disclosure and Barring Service (DBS) etc.
In order to carry out our activities and obligations as an employer we handle data in relation to:
- personal demographics (including gender, race, ethnicity, sexual orientation, religion, criminal matters)
- contact details such as names, addresses, telephone numbers and emergency contact(s)
- employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
- bank details
- pension details
- occupational health information (medical information including physical or mental health conditions)
- details of any absences (other than holidays) including statutory parental leave and sick leave
- information relating to health and safety
- trade union membership
- Trust governors/membership
- offences (including alleged offences), criminal proceedings, outcomes and sentences
- employment tribunal applications
- incident details
This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.
What we do with your personal information
Your personal information is processed for the purposes of:
- staff administration and management (including payroll and performance)
- pensions administration
- business management and planning
- education, training and development requirements
- health administration and services
- information and databank administration
- maintaining the Trust membership database
- business management and planning, including accounting and auditing
- conducting performance reviews, managing performance and determining performance requirements
- complying with health and safety obligations
- equal opportunities monitoring
What we may do with your personal data
The personal information we collect about you may also be used:
- for crime prevention and prosecution of offenders
- sharing and matching of personal information for national fraud initiatives
- to monitor your use of information and communication systems to ensure compliance with IT policies
- when dealing with legal disputes involving you or other employees, workers and contractors, including accidents at work
- when gathering evidence for possible grievance or disciplinary hearings
Who we share your personal data with and why
We will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) system.
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Personal information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.
Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and will only ever use/share the minimum information necessary. However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
There are a number of circumstances where we must or can share information about you to comply with or manage:
- disciplinary/investigation processes, including referrals to professional bodies, e.g. the Nursing and Midwifery Council and the General Medical Council
- legislative and/or statutory requirements
- court orders which may have been imposed on us
- NHS counter-fraud requirements
- requests for information from the police and other law enforcement agencies for the prevention and detection of crime, and/or fraud if the crime is of a serious nature
How we maintain your records
Your personal information is held in both paper and electronic formats, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.
We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018 as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- maintain records about you in accordance with retention guidelines
- keep records about you confidential and secure
- provide information in a format that is accessible to you
Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust’s Record Management and Information Lifecycle Policy. Once you are no longer an employee (permanent or bank), worker, contractor or volunteer of the company and are not subject to a formal or applicable laws and regulations.
If we need to use your information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:
- request to access the personal data we hold about you, e.g. personnel records (see “How to access your personal data” below)
- request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards
- request that your information be deleted or removed where there is no need for us to continue processing it and where the retention time has passed
- ask us to restrict the use of your information where appropriate
- in the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, to withdraw your consent for that specific processing at any time
- challenge any decisions made without human intervention (automated decision making)
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Data Protection Officer
If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.
Data Protection Officer
Information Governance Team
Newcastle upon Tyne NE3 3HD
Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.
Information Commissioner’s Office
Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate)
Telephone: 01625 545 745 (national rate)