
Staff Data Protection Notice

About NHS Lanarkshire and this Data Protection Notice

NHS Lanarkshire is the ‘Data Controller’ (the holder, user and processor) of staff information.

During the course of NHS Lanarkshire’s activities we will collect, store and process personal information about our prospective, current and former staff. For the purposes of this privacy notice, ‘staff’ includes applicants, employees, workers (including independent practitioners, bank, agency, and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. This privacy notice provides a summary of how we will ensure that we do that, by describing:

  • the categories of personal data we may handle
  • the purpose(s) for which it is being processed, and
  • the person(s) it may be shared with.

This notice also explains what rights you have around how we use your information.

This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

What types of personal information do we handle?

In order to carry out our activities and obligations as an employer, we handle data in relation to:

  • Personal data disclosed and any other information necessary for our business purposes, which is provided in the course of an employee’s application for and during employment with us
  • Occupational health clearance information
  • Qualification and training information
  • Statutory and voluntary registrations
  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • Date of birth
  • Gender
  • Marital status and dependants
  • Next of kin and emergency contact information
  • National Insurance number
  • Bank account details, payroll records and tax status information
  • Salary, annual leave, pension and benefits information
  • Start date and, if different, the date of your continuous employment
  • Leaving date and your reason for leaving
  • Location of employment or workplace
  • Copy of driving licence
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
  • Employment records (including job titles, work history, working hours, holidays, training records and professional memberships)
  • Compensation history
  • Performance information
  • Disciplinary and grievance information
  • CCTV footage and other information obtained through electronic means such as swipe card records
  • Information about your use of our information and communications systems
  • Photographs
  • Results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
  • Trade union membership
  • Information about your health, including any medical condition, health and sickness records, including:
    • Details of any absences (other than holidays) from work including time on statutory parental leave and sick leave
    • Where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions purposes.
  • Genetic information and biometric data
  • Information about criminal convictions and offences

When you are no longer our employee, we may continue to share your information as described in this notice so long as this is fair and lawful.

What is the purpose of processing data?

Your personal data is collected by NHS Lanarkshire and shared with NHS Scotland for the purposes of employee management.  It will be captured and stored on an electronic system and will be used and shared with relevant parties.

We collect personal information about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency. We may sometimes collect additional information from third parties including former employers.

We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

Occupational Health clearance information, which may be referred to as the Occupational Health Passport, will be shared by NHS Lanarkshire with Occupational Health professionals in the Board, and may be shared with other Boards where you have been offered employment.

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you
  • Where we need to comply with a legal obligation
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests)
  • Where it is needed in the public interest or for official purposes

We use information about you in order to:

  • We need all the categories of information set out above in this Notice primarily to allow us to perform our contract with you [*] and to enable us to comply with legal obligations [**]. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties [***], provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below. We have indicated by asterisks the purpose or purposes for which we are processing or will process your personal information, as well as indicating which categories of data are involved.

*Making a decision about your recruitment or appointment

*Determining the terms on which you work for us

*Administering the contract we have entered into with you

*Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions (NICs)

*Manage all aspects of your employment with us, including but not limited to, payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, disciplinary and grievance processes, pensions administration, and other general administrative and human resource related processes

*Conducting performance reviews, managing performance and determining performance requirements

*Making decisions about salary

*Assessing qualifications for a particular job or task, including decisions about promotions

*Gathering evidence for possible grievance or disciplinary hearings

*Making decisions about your continued employment or engagement

*Making arrangements for the termination of our working relationship

*Education, training and development requirements

*Ascertaining your fitness to work

*Managing sickness absence

*Maintain sickness records and Occupational Health Programme

*Monitor your use of our information and communication systems to ensure compliance with our IT policies

**Equal opportunities monitoring

**Complying with health and safety obligations

**Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work

**Checking you are legally entitled to work in the UK

**Enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties

**Maintain emergency contact details to comply with applicable laws (e.g. health and safety), including judicial or administrative orders regarding individual employees (e.g., child support payments)

**Comply with current legislation e.g. ensure appropriate use of records, which is monitored via Fairwarning

**Comply with any Court Order which may be imposed

***Evaluate applications for employment

***Liaising with the trustees or managers of a pension arrangement operated by the SPPA, your pension provider and any other provider of employee benefits

***Providing the following benefits to you:

  • Let’s Connect
  • Lease Car
  • Childcare Vouchers
  • Cycle to Work
  • Credit Union

***Business management and planning, including accounting and auditing

***Provide and maintain references

***Share and match personal information for fraud prevention

***Ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

***Conduct data analytics studies to review and better understand employee retention and attrition rates

***Develop workforce and succession plans

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

Any disclosures of personal data are always made on a case-by-case basis, using the personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a legal requirement or where you have consented to the disclosure of your personal data to your representative.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require appropriate levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  2. Where we need to carry out our legal obligations or exercise rights in connection with employment.
  3. Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to an occupational pension scheme.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

Our obligations as an employer

We will use your particularly sensitive personal information in the following ways:

  • We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance
  • If you apply for an ill-health pension under a pension arrangement operated by the SPPA, we will provide information about your physical or mental health to SPPA in order for them to reach a decision about your entitlement
  • We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting
  • We will use trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations

Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.

In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.

You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Recruitment and Selection Policy and the How to deal with Positive Disclosures for Existing Employees Policy & Procedure.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We envisage that we will hold information about criminal convictions.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will use information about criminal convictions and offences to assess your suitability for employment or to assess your suitability for continued employment.

We are allowed to use your personal information in this way to carry out our obligations as a public sector employer to ensure we comply with our legal obligations. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

Background on sharing and our responsibilities

Privacy laws do not generally require us to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your contract of employment. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are required by law or regulatory bodies.

Current data protection legislation requires personal data to be processed in line with the following principles:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and where necessary kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
  • Processed in a manner that ensures appropriate security of the personal data

NHS Lanarkshire’s legal basis for collecting and using staff personal data and/or special category data, such as health information, is that it is necessary to do so when staff have an employment contract with the Board or are potentially entering into an employment contract. This may be:

  • To protect your vital interests or those of another person where you/they are unable to give consent
  • Where the data has been made public by you
  • For the establishment/exercise/defence of legal claims
  • For occupational health and safety reasons or the assessment of your working capacity
  • To prevent fraud

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

In order to comply with our obligations as an employer we will need to share appropriate, relevant and proportionate personal information in compliance with the law, with the following:

  • Audit Scotland
  • Scottish Government
  • Regulatory bodies
  • Disclosure Scotland
  • Other NHS Boards
  • Councils
  • Routes to Work
  • HMRC
  • Trade Unions

We may also need to share your personal information to otherwise comply with the law.

We will also share personal data regarding your participation in any pension arrangement, such as the SPPA pension scheme, with the trustees or scheme managers of that pension arrangement in connection with the administration of the arrangement.

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether electronic or on paper.

At Director level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.  We also have a Data Protection Officer who is responsible for the Board’s data protection compliance and who liaises with the SIRO and Caldicott Guardian.

All staff are required to undertake regular information governance training and to be familiar with information governance policies and procedures.

Everyone working for the NHS is bound by confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless required or permitted by the law.

How do we collect your information?

Your information will be collected on a national workforce information system. The national system manager is authorised for full access nationally, providing access and accounts for NHS Boards system administrators.

We also collect information in a number of other ways, for example, correspondence, forms, interview records, references, surveys.

Retaining information

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected. This includes for the purpose of meeting any legal, accounting or other reporting requirements or obligations. The NHS Scotland retention policy sets out the minimum retention timescales.

We may, instead of destroying or erasing your personal information, make it anonymous so that it cannot be associated with or tracked back to you.

Your rights

This section contains a description of your data protection rights within NHS Lanarkshire as an employee.

The right to be informed

NHS Lanarkshire must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:

  • This Data Protection Notice
  • Contract of Employment
  • Staff managing you

The right of access

You have the right to access your own personal information.

This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.

You have the right to obtain:

  • Confirmation that your personal information is being held or used by us
  • Access to your personal information
  • Additional information about how we use your personal information

Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.

If you would like to access your personal information, you can do this by contacting your line manager or, if more appropriate, the manager of the relevant service.

Once we have details of your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However, if your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.

Further details around this can be found within the Subject Access Policy.

The right to rectification

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex.  However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request.  Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.

If for any reason we have shared your information with anyone else, we will notify them of the changes required so that we can ensure their records are accurate.

If on consideration of your request NHS Lanarkshire does not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is the case we will contact you within one month to explain our reasons for this.

If you are unhappy about how NHS Lanarkshire has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

When NHS Lanarkshire is processing your personal information for the purpose of the contract of employment or performance of a task carried out in the public interest or in the exercise of official authority, you have the right to object to the processing and also seek that further processing of your personal information is restricted. Provided NHS Lanarkshire can demonstrate compelling legitimate grounds for processing your personal information or for evidence to support legal claims, your right will not be upheld.

The right to erasure

The right to erasure is also known as “the right to be forgotten” and in general refers to an individual’s right to request the deletion or removal of personal information where there is no compelling reason for NHS Lanarkshire to continue using it.

As with other rights, there are particular conditions around this right and it does not provide individuals with an absolute right to be forgotten.

Individuals have the right to have their personal information deleted or removed in the following circumstances:

  • When it is no longer necessary for the purpose for which it was collected
  • When NHS Lanarkshire no longer have a legal basis for using your personal information, for example if you gave us consent to use your personal information in a specific way, and you withdraw your consent, we would need to stop using your information and erase it unless we had an overriding reason to continue to use it
  • When you object to NHS Lanarkshire using your personal information and there is no overriding legitimate interest for us to continue using it
  • If we have used your personal information unlawfully
  • If there is a legal obligation to erase your personal information, for example by court order

NHS Lanarkshire can refuse to deal with your request for erasure when we use your personal information for the following reasons:

  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • For public health purposes in the public interest.
  • Archiving purposes in the public interest.
  • The exercise or defence of legal claims.

When using personal information our legal basis is usually that its use is necessary for the performance of your contract of employment or a task carried out in the public interest or in the exercise of official authority vested in us under the NHS Scotland Act. This means that in most circumstances we can refuse requests for erasure. However we will advise you of this as soon as possible following receipt of your request.

The right to restrict processing

You have the right to control how we use your personal information in some circumstances. This is known as the right to restriction. When processing is restricted, NHS Lanarkshire are permitted to store your personal information, but not further use it until an agreement is reached with you about further processing. We can retain enough information about you to ensure that your request for restriction is respected in the future.

Examples of ways you can restrict our processing would be:

  • If you challenge the accuracy of your personal information, we will stop using it until we check its accuracy
  • If you object to processing which is necessary for the performance of our tasks in the public interest or for the purpose of legitimate interests, we will restrict our processing while we consider whether our legitimate grounds override your individual interests, rights and freedoms
  • If our use of your personal information is found to be unlawful and you ask for restriction instead of full erasure we will restrict our processing
  • If we no longer need your personal information but you need it to establish, exercise or defend a legal claim, we will restrict our processing

If we have shared your personal information with any individuals or organisations, if we restrict our processing, we will tell those individuals or organisations about our restriction if it is possible and not an unreasonable amount of effort.  Whenever we decide to lift a restriction on processing we will tell you.

The right to data portability

The right to data portability allows individuals to obtain and re-use their personal information for their own purposes across different services. It allows them to move, copy or transfer personal information easily from one IT environment to another in a safe and secure way. For example, it enables consumers to take advantage of applications and services which can use their information to find them a better deal.

The right to data portability only applies when the individual has submitted their personal information directly, through electronic means to NHS Lanarkshire. This means that in most circumstances the right to data portability does not apply within NHS Lanarkshire.

Rights related to automated decision making and profiling

You have the right to object to any instances where a decision is made about you solely by automated means without any human involvement, including profiling.

NHS Lanarkshire does not undertake any decision-making about you using wholly automated means.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current.

Please keep us informed if your personal information changes during your working relationship with us.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates.

We may also notify you in other ways from time to time about the processing of your personal information.

Freedom of Information

The Freedom of Information (Scotland) Act 2002 provides any person with the right to obtain information held by NHS Lanarkshire, subject to a number of exemptions. Personal data is often exempt.

Further information is available:

http://firstport2/staff-support/information-governance-records-management/Documents/Freedom%20of%20Information/FOI%20Protocol%202018.doc

Complaints about how we process your personal information

In the first instance, you should discuss your concerns with your line manager.

Contact can also be made with the Data Protection Officer:

Information Governance Manager, Data Protection Officer
Kirklands
Fallside Road
Bothwell
G71 8BB

Tel:  01698 858079

Information Rights

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

For further information around information rights, you can contact the Information Commissioner’s Office:

Email: scotland@ico.org.uk

Information Commissioner’s Office
45 Melville Street
Edinburgh
EH3 7HL

Tel: 0303 123 1115

ICO Website: https://ico.org.uk/
