During the course of its employment activities, Bedfordshire Hospitals collects, stores and processes personal information about prospective, current and former staff.
The scope of this staff privacy notice includes applicants, employees (including former employees), other workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience, clinical placements, observerships and honorary contract holders.
We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.
What type of personal data do we handle?
In order to carry out our activities and obligations as an employer we handle data in relation to:
- Personal demographics (including age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, sex, sexual orientation, religion or belief)
- Disability (for any additional support or adjustments to assist you).
- Contact details such as name, address, telephone number and emergency contact(s)
- Employment records (including qualifications, education, employment history, professional membership, references and proof of eligibility to work in the UK)
- Bank and pension details
- Medical information including physical and mental health condition
- Information relating to health and safety at work, and any incidents or accidents
- Trade union membership
- Offences, criminal proceedings, outcomes and sentences
- Employee relations files (such as grievance, disciplinary, performance, sickness/absence)
- Employment Tribunal applications, complaints, accidents and incident details
Our staff are trained to handle your information correctly and protect your confidentiality and privacy.
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
Your information will not be processed overseas unless we inform you otherwise.
What are the purposes for processing staff data?
- Staff administration, management and engagement
- Payroll and pensions administration
- Business management and planning
- Accounting and Auditing, including to HMRC
- Accounts and records
- Crime prevention and prosecution of offenders
- Education, learning and development
- Health administration and services
- Local/National databases and data warehouse administration
- Sharing and matching of personal information for national fraud initiative
We have a legal basis to process this as part of your contract of employment or as part of our recruitment processes following data protection and employment legislation.
Sharing your information
We will share your information due to our obligations to comply with legislation or our duty to comply with any Court Orders which may be imposed.
Any disclosures of personal data are always made on a case-by-case basis, using the minimal personal data necessary for the specific purpose or circumstances and with the appropriate security controls in place.
Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.
Use of Third Party Companies
To enable effective staff administration Luton and Dunstable University Hospital NHSFT may share your information with external companies to process your data on our behalf. This is in order to comply with our obligations as an employer.
Employee Records; Contracts Administration (NHS Business Services Authority)
The information which you provide during the course of your employment, including the recruitment process, will be shared with the NHS Business Services Authority for maintaining your employment records held on the national NHS Electronic Staff Record (ESR) system.
Prevention and Detection of Crime and Fraud
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
In order to comply with statutory requirements, we may be required to supply information about you and/or your employment/relationship with the Trust to central Government Agencies, departments or agents acting on their behalf (e.g. HMRC, DH, Home Office, DWP).
Payroll and Pensions Administration
Information will be shared with University Hospitals Birmingham NHS Foundation Trust (UHB) in pursuit of administering your pay and any associated pensions, under/overpayments.
Details may be transferred from this Trust to other NHS trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS organisation to another. The personal data shared includes: name, address, date of birth, national insurance number and registration details.
Trust Employee Assistance Programmes
Any personal information collected as part of The Trust Employee Assistance Programme will be retained securely for the duration of the programme. This will allow The Trust to validate employee status and offer further support in relation to Improving Employee Wellbeing.
Legal Basis: Legitimate Interests.
Purpose: Validation of employee status, Employee Wellbeing.
The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required DH retention period.
We will retain your information in line with the Department of Health Retention Schedule.
Supplementary Privacy Notice – Staff: Coronavirus COVID-19
This privacy notice is intended to make it easier to understand, and to give you more information about, how the Trust may seek to collect and hold information about you in relation to the unprecedented challenges we are all facing during the Coronavirus pandemic (COVID-19).
The Trust may seek to collect and process your personal data in response to the outbreak of Coronavirus, which is above and beyond what would ordinarily be collected from our staff and their dependents, to ensure their safety and well-being.
Such information will be limited to what is proportionate and necessary, considering the latest guidance issued by the Government and health professionals, in order to manage and contain the virus. It will enable us to effectively fulfil our functions to keep people safe, put contingency plans into place to safeguard those who are vulnerable and aid business continuity.
Where the information is to be used to make organisational decisions, steps will be taken to anonymise the data and general statistics/numbers used, wherever possible.
What personal data is being collected?
Personal data is being collected to enable us to identify any staff (or those closely linked to staff/dependents) who are in any of the high-risk categories and would be considered vulnerable, if infected with Coronavirus.
The Trust will also collect information on the results of any testing undertaken within the Trust to identify who currently has the virus and those who may have had the virus (antibody testing).
Data is also being collected to allow us to plan for and manage the services the Trust provides, given changes to where staff may undertake their roles from.
Data collected includes:
- Job Role
- NHS number
- Home Address and Postcode
- Results of Lateral Flow Tests and PCR Test
- Household members’ first and last names
- Your self-isolation status
What is our lawful basis for processing your personal data?
The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful.
These relevant conditions are below:
- Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
- Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Section 8(c) of the Data Protection Act sets out that such a task must be necessary for the performance of a function conferred on a person by an enactment or rule of law. The processing of special categories of personal data, which includes data concerning a person’s health, is prohibited unless specific further conditions can be met.
These further relevant conditions are below:
- Article 9(2)(c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- Article 9(2)(g) – is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
- Article 9(2)(h) – processing is necessary for purposes of occupational medicine.
Schedule 1, Part 1(1) – is necessary for the performance or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, e.g. Health and Safety at Work Act 1974.
Schedule 1, Part 1(3) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, e.g. Governmental guidance published by Public Health England
Am I required to provide my personal data under a statutory or contractual requirement, or am I obliged to provide it?
Whilst the provision of data cannot be mandated, you are strongly advised that it is in the best interests of all to provide this information.
The information will be managed in a confidential manner. All information will be held securely and processed on a ‘need to know’ basis by only a limited number of people. If there is a need to disclose outside of this, the minimal amount of personal data will be used.
Who will you share this information with?
We will use the data internally to support our planning and management activities linked to COVID-19, but may also share information in response to Directives by the Secretary of State for Health and Care. This could include Clinical Commissioning Groups (to support wider planning and responses to COVID-19 management), NHS England & NHS Improvement, NHS Digital, the Health and Safety Executive, your GP and Public Health England.
How long will my personal data be retained?
Your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2016. This means we will keep your information for up to 8 years before we dispose of it confidentially. Information that identifies you in relation to this outbreak of Coronavirus will not be used for any other purpose, will be stored securely and processed in the UK. When the information is no longer needed for this purpose, it will be securely deleted.
If you would like to know more about your information rights or how to exercise them, you should contact the Trust’s Data Protection Officer via email at email@example.com.
Further advice and guidance from the Information Commissioner on this issue can be found at: https://ico.org.uk/for-organisations/data-protection-and-Coronavirus/