The Data Protection Act 2018 requires that you, as the employer, update your Employee Privacy Notice to reflect your legal obligations.
This document reflects the types of employee data that employers will typically process and the reasons for processing them. The items in the notice are not exhaustive and the notice will need to be reviewed carefully to ensure that it reflects all the employee information that you will process and the reasons for its processing.
This document does not rely on consent as a lawful basis for processing employee data (except in relation to equal opportunities monitoring where appropriate). Under the General Data Protection Regulation (GDPR), consent is unlikely to be freely given in the employment context and, as such, is not an appropriate lawful basis for processing most employee data. If you do rely on consent to process employee data, a separate consent will need to be drafted to meet the requirements of the GDPR.
If in any doubt, seek advice on the level of detail required and how to adapt it to different scenarios. This may vary depending on the circumstances, complexity, and/or level of data that you hold.
Barlow Medical Centre – Employee Privacy Notice
Data controller: Carol Harrison, Assistant Practice Manager
Data protection officer: Kerry Black, Office Supervisor
The organisation gathers and processes personal data relating to its employees to enable us to run the business and manage our relationship with you. We are committed to being open and transparent about how we gather and use that data and to meeting our data protection obligations.
Collecting information
We will collect and use the following types of personal data about you:
- Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments
- Your contact details and date of birth
- The contact details for your emergency contacts
- Your gender
- Your marital status and family details
- Information about your contract of employment (or services) including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits and holiday entitlement
- Your bank details and information in relation to your tax status including your national insurance number
- Your identification documents including passport and driving licence and information in relation to your immigration status and right to work for us
- Information relating to disciplinary or grievance investigations and proceedings involving you (whether or not you were the main subject of those proceedings)
- Information relating to your performance and behaviour at work
- Training records
- Electronic information in relation to your use of IT systems/swipe cards/telephone systems
- Your images (whether captured on CCTV, by photograph or video)
- Any other category of personal data which we may notify you of from time to time.
The organisation may collect this information in a variety of ways, for example from application forms, CVs or resumes, from your passport or other identity documents such as your driving licence, from forms completed by you at the start of or during employment (such as pension benefit nomination forms), from correspondence with you, or through interviews, meetings or other assessments.
This personal data might be provided to us by you or by someone else (such as a former employer, your doctor, a credit reference agency or, where permitted by law, a criminal records check), or it could be created by us.
Your personal data will be stored in a range of different places, including in your personnel file, in the organisation’s HR management systems and in other IT systems (including the organisation’s email system).
Processing your personal data
The organisation will process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.
We will use your personal data for:
- Performing the contract of employment (or services) between us
- Complying with any legal obligations
- Our legitimate interests (or for the legitimate interests of someone else) if it is necessary. However, we can only do this if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing.
We will process employee data for the purposes of:
- Recruitment and promotion procedures
- Maintaining accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rights
- Operating and recording disciplinary and grievance processes to ensure acceptable conduct within the workplace
- Operating and recording employee performance and related processes to plan for career development, for succession planning and for workforce management purposes
- Operating and recording absence and absence management procedures to allow effective workforce management and to ensure that employees are receiving the pay or other benefits to which they are entitled
- Obtaining occupational health advice to ensure that the organisation complies with its duties in relation to individuals with disabilities, meets its obligations under health and safety law and ensures that employees are receiving the pay or other benefits to which they are entitled
- Operating and recording other types of leave (including maternity, paternity, adoption, parental and shared parental leave) to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement and to ensure that employees are receiving the pay or other benefits to which they are entitled
- Ensuring effective general HR and business administration
- Providing references on request for current or former employees
- Responding to and defending legal claims.
Special categories of personal data
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities).
Automated decision-making
Employment decisions are not based solely on automated decision-making.
Sharing your personal data
Your information may be shared internally, with your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.
Sometimes we might share your personal data with other organisations within our group, or with our contractors and agents, to carry out our obligations under our contract with you or for our legitimate interests, for example to obtain employment background checks from third-party providers, to obtain necessary criminal records checks from the Disclosure and Barring Service (DBS), and for payroll, the provision of benefits and the provision of occupational health services. [Specify any other third parties with whom data is shared and why.]
The organisation may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
The organisation will not transfer your data to countries outside the European Economic Area.
Protection of personal data
The organisation has internal policies and controls in place to ensure that your personal data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by its employees in the performance of their duties.
Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of the data.
Retention of data
The organisation will hold your personal data for the duration of your employment and for a period following the end of your employment (as set out in our Data Retention Policy/Schedule).
The exception to this rule is DBS certificate information: the DBS code of practice requires that the information revealed is considered only for the purpose for which it was obtained and is destroyed after six months[1].
Your data subject rights
- You have the right to information about what personal data we process, how and on what basis as set out in this document
- You have the right to access your own personal data by way of a subject access request
- You have the right to have any inaccuracies in your personal data corrected
- You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected
- While a request to correct or erase your personal data, or a challenge to the lawfulness of our processing, is being considered, you have the right to ask that the use of that data be restricted in the meantime
- You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop
- You have the right to object if we process your personal data for the purposes of direct marketing
- You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. We will not charge for this and will in most cases aim to do this within one month
- You have the right to be notified of a data security breach concerning your personal data
- With some exceptions, you have the right not to be subject to decisions based solely on automated processing
- In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later.
If you would like to exercise any of these rights, or withdraw your consent, please contact the practice manager.
Accessing your data
The organisation is legally required to act on requests and provide information free of charge with the exception of requests that are manifestly unfounded, excessive or repetitive.
If the organisation determines this to be the case, we may charge a reasonable fee or refuse to act on the request. We will acknowledge your request and provide the information within one month of receiving it. Please send your request to the practice manager.
COVID-19 and your information
The Information Commissioner recognises the unprecedented challenges the NHS and other health professionals are facing during COVID-19.
The ICO (Information Commissioner's Office) also recognises that 'Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.'
On 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including COVID-19 testing and vaccination records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) include treating you, and enabling us and other healthcare organisations to monitor the disease, assess risk and manage its spread.
Please be assured that we will only share the information and health data that is necessary to meet your own and public healthcare needs.
The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2020 unless a further extension is required. A further extension has been put in place until 30th September 2021.
Lodging a complaint
If you are not satisfied with our response or believe we are processing your personal information in a way that is not in accordance with the law, you have the right to lodge a complaint with the supervisory authority in the UK responsible for the implementation and enforcement of data protection law: the ICO. You can contact the ICO via the following:
- Website: www.ico.org.uk/concerns/
- Telephone: 0303 123 1113
[1] Gov.uk: DBS Check Guidance