NHS Liverpool CCG - Staff Privacy Notice for employees, other workers, contractors and volunteers

Introduction

NHS Liverpool Clinical Commissioning Group (CCG) collects and processes personal information, or personal data, relating to its employees, other workers, contractors and volunteers to manage the working relationship. This personal information may be held by the CCG on paper or in electronic format.

The CCG is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The purpose of this Privacy Notice is to make you aware of how and why we will collect and use your personal information both during and after your working relationship with the CCG ends.

This Privacy Notice applies to all current and former employees, other workers, contractors and volunteers. It is non-contractual and does not form part of any employment contract, casual worker agreement, consultancy agreement or any other contract for services.

As an employer, the CCG needs to keep and process information about you for normal employment, workforce and related purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, and protect our legal position in the event of legal proceedings.

Data Protection Principles

Under the GDPR, there are six Data Protection Principles that the CCG must comply with. These provide that the personal information we hold about you must be:

1. Processed lawfully, fairly and in a transparent manner.
2. Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to those purposes.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form which permits your identification for no longer than is necessary for those purposes.
6. Processed in a way that ensures appropriate security of the data.

The CCG is responsible for, and must be able to demonstrate compliance with, these principles. This is called Accountability.

What types of personal information do we collect about you?

Personal information is any information about an individual from which that person can be directly or indirectly identified. It doesn’t include anonymised data, i.e. where all identifying particulars have been removed.

There are also special categories of personal information, which requires a higher level of data protection because it is of a more sensitive nature. The special categories of personal information comprise information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data. However, we do not collect all of these.

The CCG collects, uses and processes a range of personal information about you. This includes your:

• recruitment records, including personal information included in a CV, any application form, cover letter, interview notes, references, copies of proof of right to work in the UK documentation, copies of qualification certificates, copy of driving licence and other background check documentation
• contact details, including your name, address, telephone number and personal e-mail address
• Disclosure and Barring Service (DBS) checks, if applicable
• contract of employment and any amendments to it
• contact and emergency contact details
• next of kin details
• date of birth
• gender
• marital status and dependants
• start and end dates of employment or engagement
• terms and conditions of employment or engagement (including your job title and working hours), as set out in a job offer letter, employment contract, written statement of employment particulars, casual worker agreement, consultancy agreement, pay review and bonus letters, statements of changes to employment or engagement terms and related correspondence
• details of your skills, qualifications, experience and work history, both with previous employers and with the CCG
• professional memberships
• correspondence from or to you, for example letters to you about a pay rise, or at your request, a letter to your mortgage company confirming your salary
• information needed for payroll
• salary, entitlement to benefits and pension information
• National Insurance Number
• bank account details, payroll records, tax code and tax status information
• records relating to your career history, such as training records, appraisals, other performance measures
• current training records
• disciplinary, grievance and capability records, including investigation reports, collated evidence, minutes of hearings and appeal hearings, warning letters, performance improvement plans and related correspondence
• timesheets
• records of holiday, sickness and other absence
• data concerning expenses
• information needed for equal opportunities monitoring
• termination of employment or engagement documentation, including resignation letters, dismissal letters, redundancy letters, minutes of meetings, settlement agreements and related correspondence
• use of our IT systems, including usage of telephones, e-mail and the Internet
• photographs for identification purposes
• information about any criminal convictions and offences

It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes, e.g. if you change your home address, during your working relationship with the CCG so that our records can be updated. The CCG cannot be held responsible for any errors in your personal information in this regard unless you have notified us of the relevant change.

You will, of course, inevitably be referred to in many CCG documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the CCG. You should refer to the CCG Information Governance Policies which are available on the intranet.

The CCG may also collect, use and process the following special categories of your personal information:

• information about your health, including any medical condition, whether you have a disability in respect of which the CCG needs to make reasonable adjustments, sickness absence records (including details of the reasons for sickness absence being taken), GP or occupational health medical reports and related correspondence
• information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation
• trade union membership

How do we collect your personal information?

The CCG may collect personal information about employees, other workers, contractors and volunteers in a variety of ways. It is collected during the recruitment process, either directly from you or sometimes from a third party such as an employment agency. We may also collect personal information from other external third parties, such as references from former employers and criminal record checks from the Disclosure and Barring Service (DBS).

We will also collect additional personal information throughout the period of your working relationship with us. This may be collected in the course of your work-related activities. Whilst some of the personal information you provide to us is mandatory and/or is a statutory or contractual requirement, some of it you may be asked to provide to us on a voluntary basis. We will inform you whether you are required to provide certain personal information to us or if you have a choice in this.

Your personal information may be stored in different places, including in your personnel file, on the CCG's HR management system and in other IT systems such as the e-mail system and Payroll Services systems.

What if you fail to provide personal information?

If you do not provide certain data when requested or required, we may be unable in some circumstances to comply with our legal obligations and we will tell you about the implications of that decision. This may mean we may not be able to perform the contract we have entered into with you. You may also be unable to exercise your statutory or contractual rights.

Lawful basis to hold and process your data

We will only use your personal information when the law allows us to. These are known as the legal bases for processing.

Where we process your personal data, we do so under GDPR Article 6 (1) (b) which states:-

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Where we process ‘special categories’ of sensitive information relating to your physical and/or mental health, racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data, genetic data, or sexual orientation, we do so under GDPR Article 9 (2) (h) which states:-

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

Please note that we may process your information without your consent, in compliance with these Articles, where this is required or permitted by law.

Why and how do we use your personal information?

We will use your personal information in one or more of the following circumstances:

• where we need to do so to perform the employment contract, casual worker agreement, consultancy agreement or contract for services we have entered into with you
• where we need to comply with a legal obligation
• where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our interests

We may also very occasionally use your personal information where we need to protect your vital interests (or someone else’s vital interests).

We will only disclose information about you to third parties if we are legally obliged to do so (e.g. to HMRC and DWP) or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll provider, pension or health insurance schemes.

As an NHS Organisation, we may sometimes need to process your data to pursue our legitimate business interests, for example to:

• prevent NHS fraud
• report potential crimes
• perform or exercise our obligations or rights under the direct relationship that exists between the CCG and you as its employee, other worker, contractor or volunteer
• pursue our business by employing (and rewarding) employees, other workers, contractors and volunteers
• perform effective internal administration and ensuring the smooth running of the business
• ensure the security and effective operation of our systems and network
• protect our confidential information
• conduct due diligence on employees, other workers, contractors and volunteers

We believe that you have a reasonable expectation, as our employee, other worker, contractor or volunteer, that we will process your personal information for these purposes.

In general terms, we will never process your data where these interests are overridden by your own interests.

The purposes for which we are processing, or will process, your personal information include to:

• enable us to maintain accurate and up-to-date employee, other worker, contractor or volunteer records and contact details (including details of whom to contact in the event of an emergency)
• run recruitment processes and assess your suitability for employment, engagement or promotion
• comply with statutory and/or regulatory requirements and obligations, e.g. checking your right to work in the UK; carrying out criminal record checks
• maintain an accurate record of your employment or engagement terms
• administer the contract we have entered into with you
• ensure compliance with your statutory and contractual rights
• ensure you are paid correctly and receive the correct benefits and pension entitlements, including liaising with any external benefits or pension providers or insurers
• ensure compliance with income tax requirements, e.g. deducting income tax and National Insurance contributions where applicable
• operate and maintain a record of disciplinary, grievance and capability procedures and action taken
• operate and maintain a record of performance management systems
• record and assess your education, training and development activities and needs
• plan for career development and succession
• manage, plan and organise work
• enable effective workforce management
• operate and maintain a record of annual leave procedures
• operate and maintain a record of sickness absence procedures
• ascertain your fitness to work
• operate and maintain a record of maternity leave, paternity leave, adoption leave, shared parental leave, parental leave and any other type of paid or unpaid leave or time off work
• ensure payment of other statutory or contractual pay entitlements
• meet our obligations under health and safety laws
• make decisions about continued employment or engagement
• operate and maintain a record of dismissal procedures
• provide references on request for current or former employees, other workers, contractors and volunteers
• prevent NHS fraud
• monitor your use of our IT systems to ensure compliance with our IT-related policies
• ensure network and information security and prevent unauthorised access and modifications to systems
• ensure effective HR, personnel management and business administration, including accounting and auditing
• ensure adherence to the CCG rules, policies and procedures
• enable us to establish, exercise or defend possible legal claims

We do not transfer your information outside of the European Economic Area (EEA) or to an international organisation to comply with our legal or contractual requirements. We have in place safeguards including to ensure the security of your data. A copy of the safeguards can be obtained from the HR Department.

In addition, we monitor computer and telephone/mobile telephone use, as detailed in our Information Governance - Confidentiality Code of Conduct, which includes our internet and email acceptable use, available on the intranet.

Why and how do we use your sensitive personal information?

We will only collect and use your sensitive personal information, which includes special categories of personal information when the law allows us to.

Some special categories of personal information, i.e. information about your health or medical conditions and trade union membership, is processed so that we can perform or exercise our obligations or rights under employment law or social security law and in line with our Data Protection Policy. Information about health or medical conditions may also be processed for the purposes of assessing the working capacity of an employee or medical diagnosis, provided this is done under the responsibility of a medical professional subject to the obligation of professional confidentiality, e.g. a doctor, and again in line with our Data Protection Policy.

The purposes for which we are processing, or will process, these special categories of your personal information are to:

• assess your suitability for employment, engagement or promotion
• comply with the duty to make reasonable adjustments for disabled employees and other workers and with other disability discrimination obligations
• ensure compliance with your statutory and contractual rights
• operate and maintain a record of sickness absence procedures
• ascertain your fitness to work
• ensure payment of statutory sick pay (SSP) or contractual sick pay
• monitor equal opportunities
• pay trade union premiums

Where the CCG process other special categories of personal information, i.e. information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation, this is done only for the purpose of equal opportunities monitoring and in line with Our Data Protection Policy. Personal information that the CCG uses for these purposes is either anonymised or is collected with your explicit written consent, which can be withdrawn at any time. It is entirely your choice whether to provide such personal information.

We may also occasionally use your special categories of personal information, where it is needed for the establishment, exercise or defence of legal claims.

Change of purpose

We will only use your personal information for the purposes for which we collected it.

If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information, including the lawful basis to process your data. We may also issue a new Privacy Notice to you.

If we process your data for other purposes, we will always obtain your explicit consent to those activities, unless this is not required by law, or the information is required to protect your health in an emergency.

Consent

Where we are processing data based on your consent, you have the right (in certain circumstances) to withdraw that consent at any time. This will not affect the lawfulness of the processing before your consent was withdrawn.

Who has access to your personal information?

Your personal information may be shared internally within the CCG, including with members of the HR department, Corporate Governance Team, payroll staff, your line manager, other managers in the department in which you work and IT staff if access to your personal information is necessary for the performance of their roles.

The CCG may also share your personal information with third-party service providers and their designated agents, such as:

• external HR support
• external organisations for the purposes of conducting pre-employment reference and employment background checks
• payroll provider
• benefits providers and benefits administration, including insurers
• pension scheme provider and pension administration
• occupational health providers
• external IT services
• auditors
• professional advisers, such as lawyers and accountants

Should you wish to know more about these service providers please contact Human Resources. We may also need to share your personal information with a regulator e.g. Care Quality Commission, or to otherwise comply with the law.

We may share your personal information with third parties where it is necessary to administer the contract we have entered into with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party).

How does the CCG protect your personal information?

The CCG has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal

 information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, other workers, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities.

Where your personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.

The CCG also have in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.

For how long does the CCG keep your personal information?

Your entire staff record will be stored for a period of 6 years following when you leave the organisation.

This includes (but is not limited to) evidence of right to work, security checks and recruitment documentation for the successful candidate including job adverts and application forms.

To reduce the burden of storage and for reasons of confidentiality, a summary will then be prepared and held until the employee’s 75th birthday or 6 years after leaving whichever is the longer and then reviewed.

The summary will contain as a minimum:

• A summary of the employment history with dates
• Pension information including eligibility
• Any work related injury
• Any exposure to asbestos, radiation and other chemicals which may cause illness in later life
• Professional training history and professional qualifications related to the delivery of care
• List of buildings where the member of staff worked and the dates worked in each location.

The CCG will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.

To determine the appropriate retention period for personal data, we follow the Records Management Code of Practice for Health and Social Care 2016, which is a guide to use in managing records, based on current legal requirements and professional best practice.

You can see this at: https://www.gov.uk/government/publications/records-management-code-of-practice-for-health-and-social-care

The CCG will generally hold your personal information for the duration of your employment or engagement. The exceptions are:

• personal information about criminal convictions and offences collected in the course of the recruitment process will be deleted once it has been verified through a DBS criminal record check, unless, in exceptional circumstances, the information has been assessed by the CCG as relevant to the ongoing working relationship
• it will only be recorded whether a DBS criminal record check has yielded a satisfactory or unsatisfactory result, unless, in exceptional circumstances, the information in the criminal record check has been assessed by the CCG as relevant to the ongoing working relationship
• if it has been assessed as relevant to the ongoing working relationship, a DBS criminal record check will nevertheless be deleted after six months or once the conviction is “spent” if earlier (unless information about spent convictions may be retained because the role is an excluded occupation or profession)
• disciplinary, grievance and capability records will only be retained until the expiry of any warning given (but a summary disciplinary, grievance or performance management record will still be maintained for the duration of your employment).

Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal information where applicable.

In some circumstances we may anonymise your personal information so that it no longer permits your identification. In this case, we may retain such information for a longer period.

Your rights in connection with your personal information

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) as a Data Subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:

1. to be informed

This enables you to be informed how we process your data, by way of this Privacy Notice.

1. of access

This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

1. to rectification

This enables you to have any incomplete or inaccurate information we hold about you corrected.

1. to erasure

This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Please note that under certain circumstances we are legal obliged to maintain a copy of your data for contractual and or statutory reasons.

1. to restrict processing

This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

1. to data portability

This enables you to transfer your electronic personal information to another party, where we can provide a copy of your data in an easily transportable format.

1. to object

This enables you to object where we are processing your personal information for direct marketing purposes.

1. in relation to automated decision making & profiling

This enables you to be told if we process your data using automated software.

Please note that the CCG do not, at present, carry out automatic processing of your data.

If you wish to exercise any of these rights, please contact the HR Department. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.

In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact the HR Department. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.

Complaints

You have the right to lodge a complaint with the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 2018 with regard to your personal data.

If you believe that the CCG has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. You can see the ICO contact details at: https://ico.org.uk

Transferring personal information outside the European Economic Area (EEA)

The CCG will not transfer your personal information to countries outside the European Economic Area, except where you ask us to do so e.g. for employment purposes overseas.

Automated decision making

Automated decision making occurs when an electronic system uses your personal information to make a decision without human intervention.

We do not carry out any automated decision making (including profiling) and as such no employment decisions will be taken about you based on automated decision making.

Changes to this Privacy Notice

The CCG reserve the right to update or amend this Privacy Notice at any time, including where the CCG intend to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new Privacy Notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.

Contacts

If you have any questions about this Privacy Notice or how we handle your personal information, please contact the Corporate Governance Team.

For the purposes of the DPA 2018 and GDPR Stephen Hendry, Head of Corporate Services and Governance has been identified as the controller and processor of staff data.

If you have any concerns as to how your data is processed you can contact: the Data Protection Officer at dpo.lccg@miaa.nhs.uk or you can write to the Data Protection Officer c/o Liverpool CCG.