Staff and applicants privacy notice

The Trust collects, stores and processes personal information about our prospective, current and former employees, volunteers and contractors to ensure we comply with our legal, regulatory and industry requirements.

We recognise the need to treat personal and sensitive data in a fair, lawful and transparent manner.

No personal information held by us will be processed unless we have an appropriate legal basis for this processing.

We will never sell or use your staff information for direct marketing purposes.

We collect your personal information in several different ways.

We collect some information directly from you; either over the telephone; through forms you have completed, such as a job application, contract or timesheet.

We may also collect information from external sources such as Professional bodies, previous employers, the Disclosure and Barring (DBS) Service, or government bodies like HM Revenue and Customs (HMRC), the Department of Work and Pensions, or Home Office.

The information we collect about you, will depend of the purpose of collecting the information, but examples of information we may collect are detailed below:

• Your name, date of birth, address, email address and telephone number
• Contact details for your next of kin
• Recruitment information, such as professional registrations, and right to work documents
• Financial information, such as bank account, salary, pension, tax and national insurance details
• Demographic information, such as gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
• Medical information that is relevant to your safety at work or employment. This could include vaccinations, occupational health assessments, and absence information
• Employee relations information, such as disciplinary proceedings, complaints or employment tribunal claims
• Offences (including allegations), criminal proceedings, outcomes or sentences

We use Absolute Asset Management Platform to track the location of Trust devices, which may be assigned to you. By doing so, we would have the ability to track your location to a street level. We only use this functionality when there is reasonable ground to do so, such as a data / cyber security investigation or suspected theft of Trust equipment. We may also use this technology to assist a police investigation when there are grounds to do so. All location tracking requests are approved by Employee Relations and Information Governance.

Processing of employee information is necessary for carrying out our obligations and exercising our rights as a data controller.

We will only process your personal information when the processing can be legally justified under UK laws.

Our legal basis for processing your information will depend on the specific processing, but will usually fall under one of the following basis:

• Legal obligation
• Contract
• Legitimate interests

These include circumstances where the processing is necessary for performance employment contracts, or for compliance with any other legal requirements which apply to us as your employer. This includes, but is not limited to:

• Administration of employment; including payroll and pensions
• Education, training and continued professional development
• Business planning
• Accounting and auditing
• National counter fraud initiatives
• Safeguarding, and investigation purposes
• Quality monitoring (including staff surveys)

By signing a contract of employment with the Trust, you acknowledge that you understand that the Trust will be holding and processing any information about you which you provide to us, or which we may acquire as a result of employment.

Under the Data Protection Act 2018, strict principles govern our use of information and our duty to ensure it is kept safe and secure.

Your information may be stored in electronic or paper records; or a combination of both. All our records are restricted so that only individuals who have a ‘need to know’ the information can have access. This can be through access control technology or organisational procedure.

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.

Unless there is a valid reason required or permitted by law, or there are exceptional circumstances (such as a likely risk to the safety of you or others), we will not disclose any information to third parties which can be used to identify you without your consent.

We outsource a limited number of services to external companies, including Occupational Health. These companies operate in the UK (or EEA) and all services are provided under contracts which comply with the UK Data Protection Act and GDPR.

Sometimes we are required to disclose or report certain information which may identify you, for example sending information to HM Revenue and Customs or the Police. When we are required to disclose information about you for these purposes, we will only ever disclose the minimum level of information required for the specific purpose.

The Trust is subject to the Freedom of Information Act 2000 and Environmental Information Regulations 2004 which requires information about the Trust to be published on request. This may include some personally identifiable information. This will usually be restricted to staff of a certain seniority (AfC 8a and above, or Very Senior Managers) and limited to your name and role. Before disclosure, we will check what information is already in the public domain (for example on the Trust website) and discuss the disclosure with the you if required.

The Trust will refuse requests for personal identifiable details beyond those stated above, within the exemption provided and the Data Protection Act 2018 but this may not always be possible. We will endeavour to keep you informed of any requests which may result in disclosure of information about you.

There may also be occasions when the trust is reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant.

Under the terms of the Data Protection Act 2018 and the General Data Protection Regulations 2018, you have the right to request access to the information that we hold about you.

The Trust has established processes for dealing with such requests and if you wish to access your information you should contact the Data Access & Disclosure Office who will facilitate and support you through the process. You can request your personal information by writing to out Data Access & Disclosure Office or the following postal address:

Data Access & Disclosure Office
Belmont Court
Torbay Hospital
Torquay
TQ2 7AA

Alternatively, you can telephone 01803 654868 and request an application form.

When you apply for information, we need to carry out a number of checks to ensure we are disclosing your information safely. We may ask for copies of your passport, work ID, driving licence and proof of address to support completing a request.

Some information may be exempt from disclosure under the Data Protection Act, if this is the case, you will be told what exemptions have been applied.

Personnel files are held by your line manager, and you may request to sit down and go through the file at any time with them. If you require copies of your personnel file, please follow the process above.

All records are retained in accordance with the NHS Records Management Code of Practice and our retention schedule.

We do not keep any records for longer than necessary. If you are a Very Senior Manager there may be some additional requirements to hold your records for longer under the Public Records Act 1958. On appointment to your role, we will inform you if this is the case.

When a retention period is met, you record will be appraised and a decision documented as to whether it is appropriate to confidentially destroy the record.

If you have any queries or concerns regarding the information we hold about you, or a question regarding how we look after your information please contact the Information Governance team.

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. Depending on the nature of your complaint, we would recommend contacting your line manager in the first instance.

Alternatively, you can contact the Information Governance team who will help you to identify the most appropriate procedure to follow.

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office (ICO):

• Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• Website: Information Commissioner’s Office – Make a complaint
• Tel: 0303 123 1113

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.