Privacy Notice - Staff

Privacy Notice Employee Information (including other workers, contractors and volunteers)

Introduction

Belle Vale Medical Practice collects and processes personal information, or personal data, relating to its employees, other workers, contractors and volunteers to manage the working relationship. This personal information may be held by the Belle Vale Medical Practice on paper or in electronic format.

Belle Vale Medical Practice is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The purpose of this Privacy Notice is to make you aware of how and why we will collect and use your personal information both during and after your working relationship with the Belle Vale Medical Practice ends.

This Privacy Notice applies to all current and former employees, other workers, contractors and volunteers. It is non-contractual and does not form part of any employment contract, casual worker agreement, consultancy agreement or any other contract for services.

Who Are We?

We offer primary care (GP and nurse) services to around 8300 people in the Belle Vale area of Liverpool.

The Practice has a statutory responsibility and public duty to provide health care services, as instructed and guided by the Department of Health and Social Care (a ministerial department of Government within the United Kingdom).

The Practice can be contacted at:

Address:       Hedgefield Road

Tel:               0151 317 8599

Email:           bellevale.healthcentre@nhs.net

Website:       https://www.bellevalehealthcentre.nhs.uk/

The Practice is a Data Controller and, as such, is registered with the Information Commissioner’s Office. Its registration number is Z5630800.

The Practice’s Data Protection Officer (DPO) is:

Head of Information Governance

NHS Informatics Merseyside

Information Governance Team

Hollins Park

Winwick

Warrington

WA2 8WA

DPO.IM@imerseyside.nhs.uk

 

Why does the Practice need your Information?

As an employer, Belle Vale Medical Practice needs to keep and process information about you for normal employment, workforce and related purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the Practice and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract and to comply with any legal requirements.

Looking after your Information

Belle Vale Medical Practice has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, other workers, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities.

Personal information is held in accordance with the requirements of current Data Protection legislation. Anyone who receives information from us is also under a legal duty to keep it confidential and secure in accordance with Data Protection legislation.

Where your personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.

Belle Vale Medical Practice also have in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.

What types of personal information do we collect about you?

Belle Vale Medical Practice collects, uses and processes a range of personal information about you. This includes:

• Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
• Contact details such as names, addresses, telephone numbers and Emergency contact(s)
• Recruitment and employment records (any application form, cover letter, interview notes, references, copies of proof of right to work in the UK documentation, copies of qualification certificates, professional memberships, copy of driving licence and other background check documentation)
• Bank details
• Pension details
• Medical information including physical health or mental condition (occupational health information)
• Information relating to health and safety (including CCTV)
• Trade union membership
• Offences (including alleged offences), criminal proceedings, outcomes and sentences
• Employment tribunal applications, complaints, accidents, and incident details
• Contract of employment and any amendments to it
• Correspondence from or to you, for example letters to you about a pay rise, or at your request, a letter to your mortgage company confirming your salary
• Records relating to your career history, such as training records, appraisals and other performance measures
• Records of holiday, sickness and other absence
• Data concerning expenses e.g. Travel Claims
• Information needed for equal opportunities monitoring
• Use of our IT systems, including usage of telephones, e-mail and the Internet
• Photographs for identification purposes

What is the purpose of processing data?

Belle Vale Medical Practice needs to process staff personal data in order to function effectively as an organisation, examples of these are:

Our obligations to comply with legislation

• Staff administration and management (including payroll and performance)
• Pensions administration
• Business management and planning
• Accounting and auditing
• Accounts and records
• Crime prevention and prosecution of offenders
• Education
• Health administration and services
• Sharing and matching of personal information for national fraud initiative
• Our duty to comply any court orders which may be imposed

Lawful Basis for Processing

We will only use your personal information when the law allows us to. These are known as the legal bases for processing.

Where we process your personal data, we do so under:

• GDPR Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
• GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

 Where we process special categories of sensitive information for employment purposes, we do so under:

• GDPR Article 9(2)(b) “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Domestic Law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”

Where we process special categories of sensitive information relating to your physical and/or mental health, racial or ethnic origin, etc, we do so under:

• GDPR Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.”

Please note that we may process your information without your consent, in compliance with these Articles, where this is required or permitted by law.

Sharing Your Information

 Belle Vale Medical Practice shares staff information with a range of organisations or individuals for a variety of lawful purposes, this may include:

• Disclosure to Care Quality Commission
• Disclosure to HMRC
• Disclosure to data processors
• Public disclosure under the Freedom of Information Act
• Disclosure of job applicant details - e.g. to named referees for reference checks, to the Disclosure & Barring Service for criminal record checks, to named GPs for health checks, to housing agencies for staff relocation or accommodation
• Disclosure to employment agencies - e.g. in respect of agency staff
• Disclosure to banks and insurance companies - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees
• Disclosure to professional registration organisations
• Disclosure to occupational health professionals (subject to explicit consent)
• Disclosure to police or fraud investigators

 

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such parties.

Use of Third-Party Companies

To enable effective staff administration Belle Vale Medical Practice may engage with third party organisations to process your data on our behalf. These organisations are known as data processors and we ensure that they are legally and contractually bound to the Practice. We have in place agreements to ensure these third parties abide by data protection legislation.

How long do we retain your records?

All our records are retained and destroyed in line with the NHS Records Management Code of Practice which set out the appropriate length of time each NHS record is held for. We do not keep your records for longer than necessary.

All records are destroyed confidentiality once their retention period has been met and Belle Vale Medical Practice has made the decision that the records are no longer required.

Transferring Information Overseas

Belle Vale Medical Practice does not routinely transfer information outside the UK, but if there is a need to do so it will be done in a way that ensures the security of the information is to an equivalent standard as that used internally by the Practice when processing your information.

Your Rights

Data Protection laws give you rights in respect of the personal information that we hold about you. These are:

1. To be informed why, where and how we use your information.
2. To ask for access to your information.
3. To ask for your information to be corrected if it is inaccurate or incomplete.
4. To ask for your information to be deleted or removed where there is no need for us to continue processing it (This only applies in certain circumstances and when certain conditions are met).
5. To ask us to restrict the use of your information.
6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information (This only applies in certain circumstances and when certain conditions are met).
7. To object to how your information is used.
8. To challenge any decisions made without human intervention (automated decision making).

Please note, under data protection legislation, some exemptions apply which may restrict the above rights. Information on these exemptions can be found on the ICO website.

Automated decision making

Automated decision making occurs when an electronic system uses your personal information to make a decision without human intervention.

We do not carry out any automated decision making (including profiling) and as such no employment decisions will be taken about you based on automated decision making.

Changes to this Privacy Notice

Belle Vale Medical Practice reserve the right to update or amend this Privacy Notice at any time, including where Belle Vale Medical Practice intend to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue a new Privacy Notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways. This Privacy Notice was last updated 29^th January 2024

Right to Complain

If you have any concerns about the way the Practice has handled its data, you can raise your concerns or make a complaint by emailing bellevale.healthcentre@nhs.net.

Alternatively, you can complain to the Information Commissioner’s Office by emailing casework@ico.org.uk or phoning 0303 123 1113.