Privacy Notice – Employment Records During the course of its employment activities, Provide collects, stores and processes personal information about prospective, current and former staff. This Privacy Notice includes applicants, employees (and former employees), workers (including bank workers), volunteers, trainees and those carrying out work experience. We recognise the need to treat personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.
What types of personal data do we handle? In order to carry out our activities and obligations as an employer, we handle data in relation to: Personal demographics (including gender, race, ethnicity, sexual orientation and religion). Contact details such as names, addresses, telephone numbers and emergency contact(s). Employment records (including professional membership, references, proof of eligibility to work in the UK, and security checks). Bank details. Pension details. Medical information including physical health or mental condition (occupational health information). Information relating to health and safety and lone working. Trade union membership. Offences (including alleged offences), criminal proceedings, outcomes and sentences. Employment Tribunal applications, complaints, accidents, and incident details. Disciplinary and grievance investigations. Our staff are trained to handle your information correctly and protect your confidentiality and privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes. Your information is not processed overseas.
What is the purpose of processing data? Your information may also be used to help us in the following ways: Staff administration and management (including payroll and performance). Pensions administration. Business management and planning. Accounting and auditing. Accounts and records. Crime prevention and prosecution of offenders. Education. Health administration and services. Information and databank administration. Sharing and matching of personal information for national fraud initiative. Registration for the creation of an NHS Smartcard and an IT user account. Employee benefits administration.
We have a legal basis to process this as part of your contract of employment (either permanent or temporary), or as part of our recruitment processes following data protection and employment legislation. The organisation has the ability and legal right to monitor your access to its IT systems. Monitoring is required because the use of these systems for business purposes and personal use is subject to UK law, as well as regulations, standards, and guidelines issued by the Department of Health and the NHS. Any employee using these facilities illegally or inappropriately could put the organisation in breach of the law, for which the penalties can be severe. For further information please refer to the Internet, Email, Instant Messaging and Social Media Policy (IGPOL88) available on the organisation’s policy portal, MyCompliance.
Sharing your information There are a number of reasons why we share information. This can be due to: Our obligations to comply with legislation Our duty to comply with any court orders which may be imposed. Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.
Holding your information The information which you provide during the course of your employment (including the recruitment process) will be held on the national NHS Electronic Staff Record (ESR) system. Information held on ESR is accessible to authorised individuals only who have a legitimate need to know. Access is restricted to the Provide Human Resources team and Serco. The ESR system integrates with other systems, for example with HM Revenue and Customs, for the purpose of sharing deductions from payroll for Income Tax and National Insurance and tax code updates. ESR Terms and Conditions are available via the URL https://my.esr.nhs.uk link from the ESR logon page. These terms and conditions provide further information on which systems ESR integrates with and why. Access to ESR is restricted through the use of NHS Smartcards. Any information that you provide in hard copy is scanned onto a restricted shared drive accessible by the Human Resources team only.
Retention of your information Provide follows the NHS retention schedules for staff records. Staff records are kept for six years after a staff member leaves the employment of the organisation, or up until their 75th birthday, whichever is sooner.
Use of third party companies To enable effective staff administration, Provide may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer. Provide shares your information with the following third parties: NHS Shared Business services NHS Shared Business services manages the organisation’s payroll service. This means that they receive information about you in order to ensure that you are paid and to manage certain back office functions for the organisation. Any information that is input into your Electronic Staff Record (ESR) can be accessed by NHS Shared Business services in order to manage your employment with the organisation. Aviva Aviva manages the organisation’s group personal pension for staff enrolled on this scheme. We share relevant information to enable them to manage your pension. This includes pension contribution rates and details of beneficiaries.
We may also share your information with other organisations under TUPE regulations, for example if your employment transfers from Provide to another organisation. This will be explained to you should this need arise.
Prevention and detection of crime and fraud
We may use the information we hold about you to detect and prevent crime or fraud. We may share this information with other bodies involved in crime detection and fraud prevention. We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
Individuals’ rights Data protection laws give individuals rights in respect of the personal information that we hold about you. This includes a right of access to your personal information.
Capita Employee Solutions Capita underwrites the insured benefits related to the Provide group pension, eg death in service and paying out in case of permanent incapacity caused by a work related injury. We share personal information relating only to members of staff who are in the group personal pension.
You should make a written request to:
NHS Business Services Authority The NHS Business Services Authority manages the NHS pensions service for staff enrolled on this scheme. We share relevant information to enable them to manage your pension. This includes pension contribution rates and details of beneficiaries.
We will then send you full details on how to proceed.
Disclosure and Barring Service (DBS) The DBS undertakes checks when employing certain staff groups as part of safer recruitment. Optima The information we share with Optima is in relation to new starters for occupational health managing employee health concerns. As part of your terms of employment we are required to undertake these checks. Personal Group Personal Group manage our employee benefits programme which provides you with access to exclusive discounts, a staff helpline and other benefits. In order to confirm your eligibility as a Provide Employee we share some limited information with Personal Group which consists of your initials and payroll number only. When you register on the Personal Group portal you will be required to provide further details in order to access the service. All third parties that Provide shares your personal information with maintain high levels of data security. This is ensured through the use of contractual clauses and/ or through Information Sharing Agreements.
Subject Access Request, Human Resources Team, Provide, 900 The Crescent, Colchester Business Park Colchester, Essex CO4 9YQ provide.hr@nhs.net
Under most circumstances, you are entitled to receive a copy of any information we hold about you. However, you should be aware that in some cases your right to see some details of your records may be limited in your own interest or for other reasons which will be explained to you. For further information please refer to the Subject Access Requests from Staff for access to their Personal Data - Policy and Procedures (IGPOL85) available on the organisation’s policy portal – MyCompliance. You can also access the ESR access portal to review and update the personal information held on the system.
Changing your details It is important that the information we hold about you is up-to-date. If any of your information changes (for example if you change your name, address or telephone number) your HR record will need to be updated. You can update this information yourself through the ESR Access Portal, or alternatively by contacting the Human Resources department provide.hr@nhs.net
Further information Should you have any further queries on the uses of your information, please speak to the Human Resources department or our Data Protection Officer, Richard Bradley: Richard.Bradley4@nhs.net Should you wish to lodge a complaint about the use of your information, please contact the Human Resources department. If you are still unhappy with the outcome of your enquiry you can write to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 01625 545700.
PLD-2237A-1850-02