Staff privacy notice

Why do we collect your information?

During the course of its employment activities, Southport and Ormskirk NHS Hospital Trust collects, stores and processes personal information about prospective, current and former staff and volunteers.

We recognise the need to treat staff and volunteers’ personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

This Privacy Notice covers applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

 

What information do we collect and record?

In order to carry out our activities and obligations as an employer we handle data in relation to:

  • Personal demographics including special category information like gender, race, ethnicity, sexual orientation, religion etc.
  • Contact details such as names, addresses, telephone numbers and emergency contact(s)
  • Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
  • Bank details
  • Pension details
  • Medical information including physical health or mental condition (occupational health information)
  • Information relating to health and safety
  • Trade union membership
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences
  • Employment Tribunal applications, complaints, accidents, and incident details

 

This list is not exhaustive, but is indicative of the types of information recorded.

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.

By providing the Trust with your contact details, employees and volunteers are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.

 

Where do we receive information about you from?

Most of the information the Trust collects about you is received directly from you, generally via application forms or where you have notified changes to your personal information either in writing or electronically, when you have made amendments via Employee Self Service.

You can check and ensure that your information is kept up to date by viewing the information we hold on the HR System via your online access to Employee Self Service.

However, we do receive some information about you from other sources, for example, when we undertake DBS or reference checks as part of the recruitment process; where you may apply for childcare vouchers; or where we receive information from courts, where a County Court Judgement may have been made.

 

Who do we share information with?

There are a number of reasons why we share information. This can be due to:

  • Our obligations to comply with legislation
  • Our duty to comply with any Court Orders which may be imposed

 

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.

 

Use of third party companies

Employee Records; Contracts Administration (NHS Shared Business Services)

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Shared Business Services (our outsourced Payroll provider) for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.

How long do we keep your information?

All of your information is kept in accordance with the Records Management Code of Practice for Health and Social Care 2016. This is available from – https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

What Rights Do You Have?

The GDPR includes a number of rights that are more extensive than those in the Data Protection Act 1998. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.

In short, your rights are:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to object
  • Right to restrict processing
  • Right to data portability

 

Right to be informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

 

Right of access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR although there are exceptions to what we are obliged to disclose.

You will be required to provide proof of identification and may be asked to specify exactly what information you require.

If you would like access to your HR records, submit a Subject Access Request (SAR) to the Information Governance team.

 

Right to rectification

Rectification refers to correcting inaccuracies or incomplete data which is held by the Trust. This applies to factual information only – such as identifiers and next of kin. The Trust is unable to remove or alter professional opinions which you may disagree with. You do, however, have the right to include your own statements alongside professional opinions.

To rectify your information, please contact the Information Governance team.

 

Right to erasure

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

 

Right to object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds.

 

Right to restrict processing

You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

 

Right to data portability

This right is only available where the legal basis for processing under the GDPR is consent, or for the purposes of a contract between you and the Trust. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

 

Is there any automated processing of your information?

Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome – credit ratings are an example of automated decision making. The Trust does not use automated decision making as all decisions have human intervention.

 

Consent and withdrawal of consent

The legal basis to process your personal and sensitive information generally falls within Articles 6(1)(e) and 9(2)(b) and (h) of the GDPR. Other processing may be appropriate under Articles 6(1)(b), 6(1)(c), 6(1)(d) and 6(1)(f).

Where these do not apply, any other processing will be reliant on your consent under Article 6(1)(a); this will be based on explicit consent under GDPR and as a result, you will be asked to make a definite decision; there will be no presumption of consent from silence, inaction or pre-selected choices.

Activities which are optional will be conducted with consent. You will have the option of withdrawing that consent at any time. Any enquiries should be made directly to the Information Governance team.

 

Raising a concern

For general inquiries about how your information is used, please contact the Information Governance team.

If you wish to register a complaint about how your information is processed, you can contact the Information Governance team.

Additionally, individuals have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information. The Information Commissioner’s Office is the UK’s independent body set up to uphold information rights.

You can write to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or telephone: 01625 545700.

Further information about their work and the legislation they cover is available from www.ico.org.uk or by contacting them on the helpdesk number 0303 123 1113.

 

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the most significant change to data protection law in a generation. As well as increasing the security and accountability of organisations, it increases the rights of individuals on how their information is used.

GDPR does not, however, change the underlying principles of the Data Protection Act.

 

Lawful basis for processing data

All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012; this duty is subject to both the common law duty of confidence and all current Data Protection Legislation.

The GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing. As personal data is processed for purposes of the Trust’s statutory functions we have considered our lawful basis for processing personal data and have deemed:

HMRC; Health and Safety and other statutory or lawful requirements:

Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Article 6(1)(c) – processing is necessary for compliance with a legal obligation

Administrative purposes including employment personal and sensitive information:

Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (this includes recruiting to all types of roles).

Legitimate interest:

Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the data controller, and for medical purposes and is undertaken by a health professional, or a person who in the circumstances owes a duty of confidentiality.

This is relevant where the Trust may seek to recover debts from individuals.

The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.

If your information will be used for any secondary service, you will be notified of these. Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller, where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.

Where the Trust processes special categories of personal data, there is an additional legal basis for processing such data as listed below:

Safeguarding:

Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, the provisions of the Children’s Acts 1989 and 2004, and the Care Act 2014

Commissioning and planning:

Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Research, regulatory and public health functions:

Article 9(2)(j) – Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Definitions of terms

Data controller – The organisation which determines the processing of Personal Data. The Data Controller is the legally responsible organisation.
Data processor – An organisation which the Data Controller appoints to provide a service on its behalf. The Data Processor must follow the legal instruction of the Controller.
Data subject – The individual whom the personal data is about. The individual must be identifiable from the data.
Data Protection Officer – The person appointed by the Data Controller as the single point of contact for data protection enquiries. The Data Protection Officer acts independently and monitors compliance with data protection obligations.
Data processing – The activities which relate to Personal Data. Data Processing includes: obtaining, recording or holding the information; organisation, adaption or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction of the information or data.
Information Commissioner’s Office – The regulator of information rights in the United Kingdom. The ICO website is - https://ico.org.uk/
Personal data – Data which relates to an individual and enables them to be identified.
