Fair Processing Notice: Staff

This information is for staff who are employed by Yorkshire Ambulance Service NHS Trust (‘the Trust’). It should be read in conjunction with the Trust’s Privacy Policy available on our website. For the purposes of this Fair Processing Notice, ‘staff’ includes applicants, employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

During the course of its activities, the Trust collects, stores and processes personal information about our prospective, current and former staff. It does this only when the requirements for fair and lawful processing are met. This Fair Processing Notice provides a summary of how we uphold this by describing:

  • The categories of personal data we collect
  • The purposes for which it is processed
  • The persons and organisations it might be shared with

This Notice also includes guidance on exercising your rights in respect of the information the Trust holds about you.

In order to carry out our activities and obligations as an employer, we process data in relation to:

  • Contact details such as names, addresses, and telephone numbers, including those of next of kin
  • Emergency contacts
  • Education and training
  • Employment records (including professional membership, references and proof of eligibility to work in the UK)
  • Pay and bank details
  • Pension and National Insurance details
  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion, disability, marital status)
  • Medical information including physical or mental health
  • Information relating to health and safety
  • Trade union membership
  • Criminal records (including alleged offences), criminal proceedings, outcomes and sentences
  • Employment Tribunal applications, complaints, accidents, and incident details
  • Grievances, harassment and bullying complaints and conduct matters

The majority of this personal data will be collected directly from you. In limited circumstances your personal data may be provided by third parties, such as former employers, social workers, the police, medical professionals and official bodies (such as regulators or disclosure and barring bureaus).

In accordance with data protection law (principally the General Data Protection Regulation (GDPR) and the Data Protection Act 2018), the Trust processes your personal data only where we have your express consent or where the processing is otherwise lawfully justified. The latter includes circumstances where the processing is necessary for the performance of staff contracts with us or for compliance with any legal obligations that apply to the Trust as your employer. These purposes may include (but are not limited to):

  • Staff administration (including payroll)
  • Pensions administration
  • Business management and planning
  • Audit
  • Accounts and records
  • Crime prevention and prosecution of offenders
  • Health administration and services
  • Information and databank administration
  • Financial reasons
  • Sharing and matching of personal information for the National Fraud Initiative (see Fair Processing Notice - National Fraud Initiative)

The Trust does not carry out automated decision-making using employee data.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where the law says we must or can share information about you. Any disclosures of personal data are always made using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place.

There are a number of reasons why we may need to share your information. It can be because of:

  • Our duty to comply with legislation
  • A requirement to comply with a Court Order

It may also be in order to fulfil our obligations as an employer, for example:

  • Meeting health and safety obligations
  • Safeguarding of others
  • Security checks
  • The provision of employee services, such as occupational health, pensions administration, and staff training

We may obtain and share personal data with a wide variety of other bodies, including:

  • Her Majesty's Revenue and Customs (HMRC)
  • Disclosure and Barring Service
  • Home Office
  • Child Support Agency
  • Central government, government agencies and departments
  • Local authorities and other public bodies
  • Ombudsman and other regulatory authorities
  • Courts and prisons
  • Financial institutions such as banks and building societies for approved mortgage references
  • Credit reference agencies
  • Utility providers
  • Educational, training and academic bodies
  • Law enforcement agencies
  • Emergency services
  • Auditors
  • Department for Work and Pensions (DWP)
  • The Assets Recovery Agency
  • Relatives or guardians of an employee where there is a legal duty to do so

We will retain information only for as long as necessary. Records are maintained in line with the Trust’s Records Management Policy and retention periods are based on guidance provided in the Records Management Code of Practice for Health and Social Care (NHS Digital, 2016).

It is important that the information we hold about you is accurate and up to date. If your personal details change or if they are currently inaccurate then it is important that you let us know by updating your own details via ESR Self-Service or by contacting your manager and the HR team.

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all appropriate technical and organisational measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

At Board level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of information across the Trust and any associated risks and incidents. The SIRO for the Trust is Steve Page, Executive Director of Quality, Governance and Performance Assurance.

All staff are required to undertake annual Information Governance (IG) training, to be aware of their IG responsibilities, and to follow best practice guidelines ensuring the necessary safeguards for, and appropriate use of, person-identifiable and confidential information.

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

The Trust will not transfer your personal data outside the EEA unless there are arrangements in place to ensure an adequate level of protection for the rights and freedoms of data subjects.

Under the Data Protection Act 2018 you have a number of rights including:

  • To access and obtain a copy of the information the Trust holds about you
  • To withdraw consent at any time where that is the legal basis of our processing
  • To object to certain processing of your data

For details on how to exercise these rights please see the Trust’s Privacy Policy available on this website.