Privacy Notice: Staff
During the course of our employment activities, the Trust collects, stores and processes personal information about our current and former staff. It does this only when the requirements for fair and lawful processing are met. This privacy notice provides a summary of how we uphold this by describing:
- the categories of personal data we collect
- the purposes for which it is processed
- the persons and organisations it might be shared with.
It is important the information we hold about you is accurate and up-to-date. If your personal details change or if they are currently inaccurate then it is important that you let us know by updating your own details via ESR Self-service or by contacting your manager, who can update your personal details via Manager ESR Self-service and the HR Team via the HR Portal for pay/assignment changes only.
To carry out our activities and obligations as an employer, we process the following personal information:
- name (current or previous names)
- date of birth
- National Insurance number
- contact details, including email address, home address and telephone numbers
- education and training
- employment records (including professional registration/membership, references, and proof of eligibility to work in the UK)
- personal demographics (including gender, race, ethnicity, sexual orientation, religion, disability and marital status)
- information relating to health and safety
- health and attendance records
- details relating to occupational health (see Ascenti and Optima privacy notices) including vaccination details
- training and development records
- disciplinary, grievance, performance and harassment/bullying records
- bank account details
- pension details
- driving licence details, including endorsements and accident history
- personal vehicle details when making expense claims or for our volunteer car drivers
- criminal records (including alleged offences), criminal proceedings, outcomes and sentences
- Trade Union membership
- emergency contact details.
The majority of this personal data will be collected directly from you. In limited circumstances, your personal data may be provided by third parties such as former employers, social workers, Local Area Designated Officer(s), the police, medical professionals and official bodies (such as regulators or disclosure and barring bureaus).
Information is processed in a variety of paper and electronic formats and is used to:
- Create and maintain your staff record (processing is necessary under the contract you have with us or because we have asked you to take specific steps before entering into a contract).
- Communicate with you throughout your employment with YAS (processing is necessary under the contract you have with us or because we have asked you to take specific steps before entering into a contract).
- Monitor equal opportunity statistics and help us understand staff demographics (we request your explicit consent to process this data).
- Check criminal records every three years, where relevant for the role, to help make safer working environments (we request your explicit consent to process this data. Processing shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State Law providing for appropriate safeguards for the rights and freedoms of data subjects).
- Maintain attendance records (where necessary for the assessment of the working capacity of the employee).
- Maintain records of mandatory vaccination status (where we have a legal obligation to do so).
The Trust does not carry out automated decision-making using employee data.
We will not routinely disclose any information about you without your permission. However, there are circumstances where the law says we must or can share information about you. Any disclosures of personal data are always made using the minimum personal data necessary for the specific purpose and with the appropriate security controls in place.
There are a number of reasons why we may need to share your information. It can be because of:
- our duty to comply with legislation
- a requirement to comply with a court order.
It may also be to fulfil our obligations as an employer, for example:
- meeting health and safety obligations
- security checks
- the provision of employee services, such as occupational health, pay, pensions administration and staff training.
We may obtain and share personal data with a wide variety of bodies, including:
- Her Majesty's Revenue and Customs (HMRC)
- Disclosure and Barring Service
- Home Office
- Child Support Agency
- Central government, government agencies and departments
- Local authorities and other public bodies
- Ombudsman and other regulatory authorities
- Courts and prisons
- Financial institutes such as banks and building societies for approved mortgage references
- Credit reference agencies
- Organisations where employment references are requested
- Utility providers
- Educational training and academic bodies
- Law enforcement agencies
- Emergency services
- Department for Work and Pensions (DWP)
- The Assets Recovery Agency
- Relatives or guardians of an employee where there is a legal duty to do so.
Records are maintained in line with the Trust’s Records Management Policy and retention periods are based on guidance provided in the Records Management Code of Practice for Health and Social Care (NHS Digital). We will store your information as part of your employee file for the duration of your employment plus six years after you have left the Trust.
Health and social care systems continue to face significant pressures under COVID-19. Health and care information is essential to deliver care to individuals, support health and social care services and to protect public health. Information is vital in researching, monitoring, tracking, and managing the ongoing outbreak, and is also used to monitor and nationally report on COVID and Flu vaccination uptake. Please see NHS England’s privacy notice.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is continuing to be used. Using this law, the Secretary of State has required NHS Digital, NHS England and Improvement, Arm’s Length Bodies (such as UK Health Security Agency), local authorities, health organisations and GPs to share confidential patient information to respond to COVID-19.
Any information processed or shared relating to COVID-19 will be limited to the period of the outbreak unless there is another legal basis to use the data.
The Secretary of State for Health and Social Care issued NHS Digital with a Notice under Regulation 3(4) of the National Health Service (Control of Patient Information Regulations) 2002 (COPI) to require NHS Digital to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes.
This legislation was implemented in March 2020 and has now been extended until 31 March 2022: https://digital.nhs.uk/coronavirus/coronavirus-covid-19-response-information-governance-hub/control-of-patient-information-copi-notice
NHS England’s basis to process confidential patient information, setting aside the duty of confidence, is regulation 3(3) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), which were made under section 251 of the NHS Act 2006.
COPI does not provide a blanket lawful basis to process personal confidential data but provides a gateway for sharing and sets aside the common law duty of confidentiality. However, data protection law (GDPR and the DPA 2018) must still be complied with.
In circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require, and we will ensure any information collected is treated with the appropriate safeguards.
Data may be shared with laboratories which are government run and in the private sector under the guidance of UK Health Security Agency (UKHSA). This data is limited to that which is required to ensure test results can be communicated back to the individual. Normally this will be a phone number, home address and email address linked to a named individual with date of birth and where available NHS number.
Visit the GOV.uk website for the COVID-19 testing privacy information.
Due to the COVID-19 pandemic the Trust has internally managed a Test and Trace function to ensure that this is aligned to the UK Health Security Agency (UKHSA) pre-requisites for contact tracing. The Trust’s Test and Trace Standard Operating Procedure reflects the service provided and managed by the Trust Infection Prevention Control Team. The Trust’s Test and Trace procedure provides contact tracing for all employees, volunteers and students. Positive cases may be identified internally or passed to the Trust via secure email from UKHSA. The Trust needs to accurately record details of confirmed or suspected COVID-19 cases and staff who may have been exposed to COVID-19 through contact with those individuals.
The information recorded is kept to a minimum and will be held and retained in line with the NHS Records Management Code of Practice for Health and Social Care 2021.
*In the event of a declared outbreak by UKHSA this data will be held for an indefinite period and until all investigations are completed.
This includes the following data:
- Report completed by
- Lateral Flow Test Result
- Date of positive Result
- Positive/Index Case Name
- Date of PCR Test
- Date of Symptoms
- Test ID Number
- Index case telephone contact number
- Index case email address
- Index case base location
- Household COVID positives (yes/no) and date of test
The information is hosted within the Trust’s systems. There are defined role-based access controls in place assigned by the COVID-19 Management Team and a process to ensure the closure of system access when required. The system allows records to be altered only by authorised personnel with validations in place to ensure correct information is entered. Access to records is recorded, and fully auditable. A viewed records log can be produced if required.
Under COVID-19 the Trust is mandated to record uptake of Flu/COVID vaccinations. This information is reported at a national level to UK Health Security Agency (UKHSA) and NHS England. To meet these requirements the Trust utilises a system called Covmis to record COVID-19 vaccination status and Flumis to record Flu vaccination status.
Information is held securely on Covmis/Flumis servers. The Trust is the Data Controller and Covmis/Flumis are the Data Processors.
The Covmis/Flumis systems will hold personal-identifiable data which is required to process vaccination uptake relating to COVID-19 and Flu, including the recent booster vaccination programme.
This processing includes:
- NHS number
- Employee number
- Email / Telephone number
- Health information, specific to purpose and provided during the clinical vaccination process.
The Trust has administration access to review the data for attendees at the vaccination clinics; this information is needed for reporting purposes. Internal role-based access controls are in place to ensure access is restricted to those who require this as part of their role and responsibility. This information is then used to update the National Immunisation Vaccination System (NIVS) for healthcare workers.
NHS England has commissioned and implemented a National Immunisation Vaccination Service (NIVS). This is provided by NHS England and NHS Improvement and will be used to record the vaccination details of healthcare workers.
This delivers a centralised data capture tool for clinical teams delivering the seasonal flu immunisation and is an essential component of NHS England’s response to the COVID-19 pandemic. The vaccination event data will feed back to GP systems and the National Immunisations Management System (NIMS).
Information will be recorded within NIVS using minimal information.
- NHS Number
Data will be disseminated to NHS Digital as Data Processors on behalf of NHS England. The National Data Opt Out provision does not apply to this data processing.